Study Suggests ‘Vulnerable’ Apps Could Be More Common Than People Think
Businesses don’t want to stop users from accessing apps that will aid their jobs or make their devices more usable. It’s also not practical for most businesses to analyse and whitelist apps.
A recent BBC report highlights the importance of defending mobile devices that can access corporate data from not just obviously rogue apps (e.g. blocking sideloading) but also seemingly ‘good’ apps that may contain recycled code.
The write-up goes on to report that a team of computer scientists looked at more than 72,000 chunks of code found on the Stack Overflow website. The site is popular with developers seeking advice on the best way to fix broken code.
But the researchers found that many of the most copied snippets lacked basic checks that would stop common attacks. The dangerous code chunks often used obsolete functions, did little to validate user input, and did not look for attempts to break the application, the study said.
The researchers then searched GitHub, a website where many developers upload and share the code behind their apps and programmes, for the same snippets. The most widely used insecure code blocks turned up in more than 2,800 separate projects. The team, involving experts at Canadian and Iranian universities, focused on the C++ programming language, which is used in a huge variety of projects, from small programs to large distributed systems. The team warned the projects it found using the problematic code chunks on GitHub that they may have introduced security risks into their apps and programmes.
Only 13% of the developers contacted said they had fixed the code. A similar number declined to fix the bugs. Some 40% said the code was safe because users could not change it once an app was running.
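The flaw pattern the study describes (an obsolete unchecked function, a parse with no validation, no check on the result) is easy to see side by side with a hardened version. The block below is an added example written for this page, not code from the study, the BBC report or AVR; the configuration fields (`name`, `port`) and the two parse functions are hypothetical. It also bears on the "users cannot change it" argument: both functions take their input at runtime, exactly where a hostile user supplies it.

```cpp
// Added example (not from the study or the BBC report): a commonly copied
// C++ snippet pattern beside a hardened rewrite. Field names and functions
// are hypothetical.
#include <cerrno>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <optional>
#include <string>

// "Before": the shape of many copied snippets.
//  - strcpy copies until the NUL byte with no bound: a name of 16+ bytes
//    overflows `name` (never call this with such input; that is the bug).
//  - atoi returns 0 on garbage, stops silently at the first non-digit and
//    has undefined behaviour on overflow, so the caller cannot tell
//    "80abc", "nonsense" and a real 0 apart.
//  - Nothing checks that the port is a usable value.
struct LegacyConfig { char name[16]; int port; };

LegacyConfig parse_legacy(const char* name_in, const char* port_in) {
    LegacyConfig c;
    std::strcpy(c.name, name_in);   // obsolete-style unchecked copy
    c.port = std::atoi(port_in);    // no error reporting at all
    return c;
}

// "After": same job, with the checks the study found missing.
struct Config { std::string name; std::uint16_t port; };

constexpr std::size_t kMaxName = 15;   // hypothetical limit for the example

std::optional<Config> parse_hardened(const char* name_in, const char* port_in) {
    if (name_in == nullptr || port_in == nullptr) return std::nullopt;

    // 1. Enforce the length limit before any copy; reject rather than
    //    silently truncate. The bounded loop never reads past kMaxName+1 bytes.
    std::size_t n = 0;
    while (n <= kMaxName && name_in[n] != '\0') ++n;
    if (n == 0 || n > kMaxName) return std::nullopt;

    // 2. Parse the whole string, checking errno and the end pointer, so
    //    trailing junk, empty input and out-of-range values are all errors.
    //    (strtol still accepts leading whitespace and a sign; the range
    //    check below disposes of negative values.)
    errno = 0;
    char* end = nullptr;
    long v = std::strtol(port_in, &end, 10);
    if (end == port_in || *end != '\0' || errno == ERANGE) return std::nullopt;

    // 3. Domain check: a TCP port is 1..65535.
    if (v < 1 || v > 65535) return std::nullopt;

    return Config{std::string(name_in, n), static_cast<std::uint16_t>(v)};
}

int main() {
    // Constructed sample inputs: the legacy parser silently accepts junk,
    // the hardened one rejects it.
    std::printf("legacy  \"80abc\" -> port %d\n", parse_legacy("svc", "80abc").port);
    auto ok = parse_hardened("svc", "443");
    auto bad = parse_hardened("svc", "80abc");
    std::printf("hardened \"443\"   -> %s\n", ok ? "accepted" : "rejected");
    std::printf("hardened \"80abc\" -> %s\n", bad ? "accepted" : "rejected");
    return (ok && !bad) ? 0 : 1;
}
```

The hardened version is longer, which is precisely why the short version gets copied; the length is where the validation lives. Note that the legacy overflow is not exercised above, since calling `parse_legacy` with a long name is undefined behaviour and that is the point of rejecting it up front.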
AVR Support Manager Chris Knight comments,
“No one would dream of allowing a traditional Windows endpoint to access corporate data without adequate AV, and the same attitude should be applied to all mobile devices. A well-configured MDM coupled with an MTD solution will provide the protection required. AVR has helped some high-profile customers like VWG secure their mobile estate.”
The sheer number of mobile apps can be a nightmare for most businesses. AVR has deployed a solution (MobileIron and Lookout) for over 1,500 mobile devices used by VWG Head Office staff that constantly analyses all apps installed on all devices and mitigates any threat by removing access to corporate data.