Step 2: Reduce App Download Risks through Policy and Training

When it comes to risks introduced by downloaded apps, it's important to understand the potential for damage.

"I think the challenge of mobile apps is that it really is the Wild West out there," says Rudolph Araujo, director of professional services at McAfee. "They are hard to control, and lots of apps are malicious."

Part of the problem is that mobile operating systems don't consistently enforce controls on what apps can and cannot do. In February, the Path social app for iOS was found to upload the user's address book to Path servers without asking permission – a practice subsequently found to be common among many legitimate apps. Then, in March, it was revealed that granting an iOS app access to location data also inadvertently gives the app access to upload the user's photo library, should the app developer choose to exploit that privilege.

The Android OS suffers from a similar photo vulnerability, but goes one step further: Any app that has rights to access the Internet (i.e. nearly every Android app ever made) can upload the user's photos to a remote server without detection, if the app has been coded to take advantage of that vulnerability.

Apple's app vetting system is supposed to provide a measure of protection, but at best it can only reduce the risk of malicious apps appearing on the iOS platform. And although Android apps do present users with a list of the permissions they want to be granted by the user, Araujo points out that most users will grant all kinds of permissions to almost any app they download, just so that they can get on and run it.

One way around this problem, Araujo suggests, is to impose app download restrictions on mobile devices in the workplace. If a device is used for business, company policy should only allow app downloads from a corporate app store, and not from public app stores such as the iTunes store or the Android Market (which was recently renamed Google Play).

Davis of Savid Technologies concurs that this is a sensible approach to adopt. "If an employee can add any app they like to a device they use for business purposes then they can certainly cause severe security problems," Davis says. "Restricting the apps an employee can install to those offered by a corporate app store is therefore a very good idea." He says that employees are more likely to accept a restriction like that when the security rationale is explained in detail – and especially if the alternative is not being allowed to use their mobile device at work at all.

McAfee's Hau also stresses the need for user education when it comes to mobile apps. "You need to make sure that users understand the potential dangers of randomly downloading apps onto their mobile devices," Hau says.

Davis also recommends creating a Mobility User Council with representatives from executives, the rank and file, and IT security. "It is vital to integrate the users into the security process, and mobile security has to move away from a yearly meeting into everyday parts of people's lives," he says.