Tales of risky mobile apps that compromise passwords and personal information have abounded in the news during the past few years. Such risky apps pose a security risk for enterprise mobility and Bring Your Own Device (BYOD) in particular. I recently asked some questions about risky mobile apps and the potential risks they pose to the enterprise via email by Maureen Polte, VP product management, Flexera Software. The company is a leading developer of software licensing, compliance and installation solutions.
Flexera Software positions itself as an enabler to ensure access to applications on personal devices after the establishment of BYOD policies. Their solution can test application compatibility with any enterprise's mobile device management (MDM) policies.
What's risky behavior in an app and the potentials threats, such apps pose to the enterprise?
Mobile apps can use application programming interfaces (APIs) to access information on mobile devices, which may be sensitive to organizations, such as contact lists, photos, and calendars. Mobile apps can also access any corporate social media accounts that have been configured on the device.
What's more, mobile apps can access built-in hardware features such as GPS, camera, and audio recorder.
There are many mobile apps with innocent capabilities that attract users, such as using the camera flash as a flashlight, but include undocumented features that could serve malicious purposes. Corporate IT doesn't have the same insight into and control over such mobile application behaviors as they've had with traditional corporate managed desktop applications.
For example, "Flashlight !" from Zentertain Ltd accesses telephony and SMS features, location tracking, address book, and the calendar. The data that is gathered by these apps may then be sent to third parties. Flexera recommends that as enterprises prepare mobile applications for delivery, they begin to analyze them and start building institutional knowledge around how the apps behave.
Here are two examples of the risks that arise when IT lacks these controls:
- An employee of the US Environmental Protection Agency (EPA) Office of Water was playing a popular game on a mobile device that he also uses for official purposes. Without the employee's knowledge, the game automatically tweeted an invitation to join in the game. The 52,000-plus followers of the EPA's official Twitter account received that tweet.
- The Brightest Flashlight Free app from Goldenshores Technologies, LLC, which has been downloaded by millions of Android users, brightly illuminates the mobile device screen to create a handy flashlight. But that's not all it does. It also automatically sends the user's real-time location information to third parties such as retailers.
What are some tips for testing mobile apps for risky behavior?
Flexera Software recommends a six-step process for maintaining continuous application readiness for all enterprise apps - physical and virtual, desktop, laptop and mobile applications.
This process provides a standardized method based on best practices for getting applications tested, packaged and deployed in the enterprise in a reliable and predictable manner.
Application readiness automation can help IT gain insight into app behavior by application reputation scanning to determine the mobile device features that the app uses. An automated application readiness solution can do this by examining the app properties and configuration. IT can leverage the report to establish policies that define which behaviors are risky.
These policies can then be used by the solution to identify risky apps automatically so IT can manage those apps appropriately.
Identifying and effectively managing risky mobile apps minimizes risk and enhances user experience. Employees can use the authorized apps with confidence, knowing those apps have undergone a thorough vetting by the IT department. They know they are not going to get into trouble because of something the app does.
To ensure that apps work when deployed, IT must also determine the apps' compatibility with the mobile devices and operating systems employed across the enterprise user base. These typically include Apple iPhones and iPads, and Android phones running a range of Android OS versions.
Mobile application management compatibility testing is especially important with mobile apps because of the frequent release of OS updates by mobile device vendors. The IT department should use an application readiness solution to automate mobile application testing for compatibility with new OS releases.
Who should be doing the testing? IT? QA? Users?
IT organizations have been using the application readiness process successfully on their Windows applications for years and utilizing the same process for mobile applications can improve operational efficiency and ensure a standardized process for deploying all applications regardless of format.
In most cases, the enterprise already has an application readiness team accustomed to the process of preparing apps in different formats for different operating systems and deploying the apps using different deployment solutions. Adding mobile apps involves simply extending the familiar process to additional formats, operating systems, and deployment solutions such as mobile device management systems.
Application readiness teams have already proven their ability to deal with new formats (application virtualization) and new operating systems (Windows 8). The same teams are also likely preparing desktop apps for mobile device access via Citrix/remote desktop service (RDS). So adding mobile apps to the process is a natural extension for these teams.
Now the application readiness teams can use a single, standardized and consistent application readiness process across all enterprise applications, including mobile apps. That's far more efficient than using a separate process (and separate tools) for mobile apps. Higher efficiency translates into greater IT agility and lowers cost in maintaining application readiness.
Eliminating risky behavior in mobile apps on BYOD devices
To eliminate risky behavior in mobile apps, generate reports of the features that mobile apps are accessing to determine the highest risks that are prevalent in your app portfolio. Further, you should test mobile applications for device compatibility to ensure a positive user experience and be prepared for the next OS upgrade.
Beyond EMM/MDM how should enterprise eliminate risky app behavior?
Enterprises should take a comprehensive approach to managing the entire enterprise application lifecycle. Start with a consistent Application Readiness process that enables a standard procedure for getting all applications, regardless of format, tested, authorized and ready for deployment.
Additionally, enterprises can control distribution and provide governance of applications by directing employees to an enterprise app store where they can download corporate approved mobile apps to their devices. Additionally, the app store must give users visibility into the following information:
- Installed apps on their device(s)
- Usage information
- Application cost
- New version availability
- Unapproved apps that should be removed
Finally, software license optimization processes and technology can help mitigate the following:
- Financial risk in software license compliance when employees use apps that the organization has not paid for
- Shelf ware risk when paid-for apps are not being used
Enterprises should integrate their enterprise app store with the software license optimization solution to help mitigate mobile app related financial risks.
Extending standard application readiness practices, software license optimization, testing, and implementing an enterprise app store are key to countering the threat that risk mobile apps pose to the enterprise.
Will Kelly is a freelance technical writer and analyst currently focusing on enterprise mobility, Bring Your Own Device (BYOD), and the consumerization of IT. He has also written about cloud computing, Big Data, virtualization, project management applications, Google Apps, Microsoft technologies, and online collaboration for TechRepublic and other sites. Will also works as a contract technical writer for clients in the Washington, DC area and nationwide. Follow Will on Twitter: @willkelly.