Don't let that app stab you in the back

Stephen Pritchard
News
3 Feb, 2011

Inside the enterprise: mobile apps can put businesses' security at risk. Do IT departments know what the apps they download are doing?

Apps, as much as the touch screen or slick user interface, are behind the popularity of the iPhone and iPad. A lack of apps, or at least the perception that there are fewer apps available for download, is hampering the take-up of mobile phones based on Microsoft's technologies and on Symbian.

To win in the smartphone business, a vibrant applications market is a must.

But not all apps are exactly what they seem. Even seemingly harmless applications, downloaded from tightly regulated environments such as Apple's own App Store, can pose security risks.

The risk of a smartphone or tablet app containing malware – like a Trojan that sniffs out sensitive data such as passwords – is clear. And some research suggests that as many as 47 per cent of Android apps, for example, access third-party data.

However, an app does not have to be malicious to cause problems. Some apps exploit users' data for commercial, not criminal, reasons: more of a privacy problem than a security issue. Others are simply buggy and crash the phone.

Another risk altogether stems from the way apps work – or do not work – with the users' existing security settings. As Peter Wood, of the security advisory body ISACA, points out, even friendly apps might require users to accept a lower level of security, such as a simpler password, than the web-based equivalent. In some cases even large brands are forcing their customers to downgrade their security settings in order to enjoy the convenience of an app, rather than a browser interface.

This is dangerous because a mobile device is, by definition, used out of the office and so more vulnerable to loss or theft. And it could also encourage employees to use weaker credentials for business applications, or argue against company mandates for measures such as two-factor authentication. After all, if a simple PIN is good enough for the grocery shopping, isn't it enough for everything else too?