Mobile Apps Live On, Wreak Security Havoc


A handful of people in the U.S. were diagnosed with Ebola in 2014, setting off panic in some quarters, made worse by hyperbolic media coverage. Just one man died, and no new cases have been diagnosed in 2015. In contrast, tens of thousands in the U.S. die from the flu each year even though vaccines are readily available.

Similarly, enterprise security teams worry about malware in the mobile applications their employees use, even though mobile malware is exceedingly rare in North America. Meanwhile, a far more common problem, outdated and abandoned mobile apps, is more likely to cause an actual security incident.

Less than 1 percent of mobile apps downloaded from app stores to enterprise devices contained malware, according to a new report from Appthority, a provider of mobile app risk management software.

Dead Mobile Apps Live on

But the same report found a mobile security issue that was likely under the radar of many security professionals, said Appthority co-founder and President Domingo Guerra. Five percent of the apps were "dead," meaning they had been pulled from the app store or discontinued by the developer.

"We would get the name for an app and the version. We'd know it came from an app store, but we would not be able to locate it," Guerra said. "Looking back through logs we discovered it was a common practice for app stores to remove apps from the store or for developers to end-of-life the app and not really tell anyone."

In fact, Guerra discovered he still had a LinkedIn app called CardMunch on his own smartphone, even though LinkedIn dropped that app in favor of Evernote last May. "I tried to run it and it appeared to be still trying to connect. Anyone could intercept that and do some nefarious things with it," he said, noting that "disposable" mobile apps created for sporting events, conferences or other one-time events posed an especially great risk.

In those cases the app is no longer maintained and sometimes its backend URL or domain is abandoned, but the app remains installed on users' devices and keeps trying to reach that endpoint, so an attacker who gains control of the abandoned domain could reach thousands of devices at once, Guerra said.

There have already been some high-profile cases of hackers exploiting dead mobile apps, he said. Notably, hackers created malware-laden Flappy Bird clones after its developer pulled the popular game from app stores.

Guerra calls dead mobile apps "yet another thing enterprise security teams weren't worried about before that now they can't ignore."

More Mobile Complexity

In addition, Appthority found roughly a third of apps downloaded to enterprise mobile devices were "stale," meaning they had not been updated even though newer versions were available. While both Apple and Google make it easy to update apps from Apple's App Store or Google Play automatically, many users are not aware this is possible – or choose not to.
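Putting the report's two categories into code, as an added example that is not from the article or from Appthority: the block below takes a constructed device inventory (bundle ID, installed version, device) and a constructed snapshot of what the store currently lists, flags each installed app as current, stale or dead, and builds the per-device notifications the article describes. It also shows why version strings must be compared component by component, and includes a small resolver check for the abandoned-backend case from the "Dead Mobile Apps Live on" section. All bundle IDs, versions, device IDs and hostnames are made up; the catalog dictionary and the stand-in resolver replace whatever store, MDM and DNS queries a real IT team would run.

```python
# Added example, not code from the article or from Appthority.
# Classifies an app inventory as current, stale or dead against a snapshot of
# what the app store currently lists. All bundle IDs, versions, device IDs and
# hostnames below are constructed for illustration.
import re
import socket
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class InstalledApp:
    bundle_id: str  # store identifier as reported by the MDM inventory
    version: str    # version string installed on the device
    device_id: str  # device the inventory row came from


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.10.2' into (1, 10, 2) so each component compares numerically.

    Comparing version strings as text gets this wrong ('1.10.2' < '1.9.0'),
    which would hide a stale install. Non-numeric suffixes such as '-beta'
    are dropped; an empty or non-numeric string compares as (0,).
    """
    return tuple(int(p) for p in re.findall(r"\d+", version)) or (0,)


def classify(app: InstalledApp, catalog: Dict[str, str]) -> str:
    """Return 'dead', 'stale' or 'current' for one inventory row.

    catalog maps bundle_id -> latest version the store currently lists.
    An app missing from the catalog is 'dead': pulled by the store or
    end-of-lifed by the developer, so its version can no longer be looked up.
    """
    latest = catalog.get(app.bundle_id)
    if latest is None:
        return "dead"
    if parse_version(app.version) < parse_version(latest):
        return "stale"
    return "current"


def audit(inventory: Iterable[InstalledApp],
          catalog: Dict[str, str]) -> Tuple[Dict[str, int], List[Tuple[str, str, str]]]:
    """Count rows per status and build one notification per affected device."""
    counts: Counter = Counter()
    actions: List[Tuple[str, str, str]] = []
    for app in inventory:
        status = classify(app, catalog)
        counts[status] += 1
        if status == "stale":
            actions.append((app.device_id, app.bundle_id,
                            f"update {app.version} -> {catalog[app.bundle_id]}"))
        elif status == "dead":
            actions.append((app.device_id, app.bundle_id,
                            "remove: no longer listed in the store"))
    return dict(counts), actions


def backend_resolves(host: str,
                     resolve: Callable[[str], str] = socket.gethostbyname) -> bool:
    """True if an app's backend hostname still resolves in DNS.

    A dead app whose backend name no longer resolves is the case the article
    warns about: the app keeps trying to connect to a name nobody maintains.
    The resolver is injectable so the check can be exercised offline.
    """
    try:
        resolve(host)
        return True
    except OSError:  # socket.gaierror is an OSError subclass
        return False


# Constructed stand-in for DNS so the example runs without network access.
KNOWN_HOSTS = {"api.mail.example": "192.0.2.10"}


def constructed_resolver(host: str) -> str:
    if host in KNOWN_HOSTS:
        return KNOWN_HOSTS[host]
    raise socket.gaierror(f"{host}: Name or service not known")


# Constructed store snapshot: bundle_id -> latest listed version.
CATALOG = {
    "com.example.mail": "3.2.0",
    "com.example.chat": "1.10.0",
    "com.example.expenses": "2.0.1",
}

# Constructed MDM inventory. com.example.conf2014 is a one-off event app the
# store no longer lists; com.example.chat 1.9.3 only looks current if versions
# are compared as strings.
INVENTORY = [
    InstalledApp("com.example.mail", "3.2.0", "dev-01"),
    InstalledApp("com.example.mail", "3.0.4", "dev-02"),
    InstalledApp("com.example.chat", "1.9.3", "dev-01"),
    InstalledApp("com.example.chat", "1.10.0", "dev-03"),
    InstalledApp("com.example.expenses", "2.0.1", "dev-02"),
    InstalledApp("com.example.conf2014", "1.0.0", "dev-03"),
]

if __name__ == "__main__":
    counts, actions = audit(INVENTORY, CATALOG)
    print(counts)
    for device, bundle, action in actions:
        print(f"{device}: {bundle}: {action}")
```

Two caveats a practitioner would apply before acting on the output: an app absent from the store catalog could also be an enterprise-distributed or sideloaded app rather than a dead one, so cross-check against the organization's own app allowlist before telling users to remove it; and a backend name that fails to resolve is a prompt to check its registration status, not proof that anyone can register it.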

Guerra said it's important for IT and security teams to educate users about the risks of dead and stale mobile apps, a task that can be simplified with tooling such as Appthority's software, which, for example, lets IT teams notify users of stale or dead apps and recommend a course of action.

"We can automate that for them so IT does not have to send out manual notifications," he said, adding that Appthority also can enable self management at the employee level.

In the bigger picture, IT and security teams must remain aware of threats other than mobile malware, he said. "If you are only looking for malware, you are going to miss a lot of other aspects that are part of mobile security, specifically for the enterprise."

For example, many apps have geo-location features that, while undeniably handy, can present a security risk in certain situations. "It's part of the new complexity of mobile security and bring your own device (BYOD) and bring your own apps (BYOA)," he said.