Top ten threats to mobile enterprise security


Ignoring website security certificates


It's common for mobile applications to share information with other applications or to make requests of them. This interoperability makes mobile devices more efficient, but it also widens their attack surface. One malicious app could potentially borrow functionality from several other apps if those apps do not require a valid website security certificate or comparable validation of who is calling them and what input they are given.

For example, if an enterprise mobile application occasionally needs to show the user addresses on a map, it might call out to Google Maps or another mapping app for that functionality. However, if a mapping application containing malicious code were able to make the same kind of request in the other direction, it might be able to pull the addresses of contacts stored on the phone out of the enterprise app. Android is better known for interoperable applications, but Apple's iOS also allows apps to interact, as does Windows Phone.

Application developers do not always take the possibility of misuse between applications into consideration. Whereas Web browsers are generally fairly good about warning users when a website attempts to deliver content without a valid website security certificate, mobile applications frequently suppress that kind of warning automatically, accepting the connection without ever telling the user.
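On Android, the place to say which certificates an app will accept is its network security configuration. The file below is an added example, not code from the article: a hypothetical res/xml/network_security_config.xml for an app whose backend is assumed to be api.example.com, showing the permissive configuration that silently trusts too much beside the corrected one. The pin digests are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the article): res/xml/network_security_config.xml for a
     hypothetical app whose backend is api.example.com. Referenced from the manifest via
     <application android:networkSecurityConfig="@xml/network_security_config">.
     The commented-out <base-config> is the weak form; the live one is the corrected form
     (a config may contain only one <base-config>). -->
<network-security-config>

    <!-- WEAK (do not ship): permits plain HTTP and trusts certificates the device user
         installed, so anyone who can put a CA on the device, or proxy cleartext traffic,
         can read and alter the app's connections without any certificate error:

    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    -->

    <!-- CORRECTED: HTTPS only, and only the platform's system CA store is trusted.
         Applies to every connection not matched by a <domain-config> below. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Stronger still for our own backend: pin the server's public key (SPKI SHA-256)
         plus a backup pin, so even a mis-issued certificate from a trusted CA is refused.
         The digests are placeholders; compute the real ones from your certificates. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2026-12-31">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>

    <!-- Debuggable builds only: lets testers route traffic through an intercepting proxy
         by installing its CA as a user certificate. Ignored in release builds. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

This file only governs the platform's default trust decisions. Code that installs its own X509TrustManager or HostnameVerifier bypasses it entirely, so a review should also search the app for checkServerTrusted or verify() overrides that return without throwing; those are the "ignore the warning automatically" pattern the paragraph above describes.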

Jack Mannino explained that malicious hackers frequently use such calls to monetize Trojan apps that have zero permissions of their own. These apps can call other apps, which do have access to SMS services, and use those to make calls to toll numbers or sign up for paid services. While this particular attack might not be a direct concern for enterprise mobile developers, it does illustrate the severity of the problem. As DeLaGrange pointed out, "Even if the mobile application is not directly impacted, it may permit the ability to attack the device and lead to unauthorized access or disclosure of sensitive information."
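The zero-permission Trojan works because the app it calls exposes a component that any other app may invoke. As an added example that is not code from the article, the AndroidManifest.xml fragment below, for a hypothetical enterprise app com.example.enterprise with a service that sends SMS, shows the exposed form of that component beside two corrected forms. The package, component and permission names are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the article): AndroidManifest.xml for a hypothetical app
     "com.example.enterprise" that holds SEND_SMS. The three <service> entries show the
     weak and the corrected ways to declare the same SMS-sending component; a real app
     would keep only one of them. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.enterprise">

    <!-- This app holds SEND_SMS. Any app that can reach one of our exported components
         effectively borrows this permission. -->
    <uses-permission android:name="android.permission.SEND_SMS" />

    <!-- A signature-level permission: only apps signed with the same release key can be
         granted it, so a zero-permission Trojan from another publisher cannot obtain it. -->
    <permission
        android:name="com.example.enterprise.permission.SEND_NOTIFICATION_SMS"
        android:protectionLevel="signature" />

    <application android:label="Enterprise">

        <!-- WEAK: exported, reachable by implicit intent, no permission required.
             Before Android 12 an <intent-filter> makes a component exported by default,
             so leaving android:exported out here is the same as exported="true". -->
        <service
            android:name=".SmsNotifyService"
            android:exported="true">
            <intent-filter>
                <action android:name="com.example.enterprise.action.SEND_NOTIFICATION" />
            </intent-filter>
        </service>

        <!-- CORRECTED (no other app needs it): not exported at all. Callers from
             other packages get a SecurityException instead of a running service. -->
        <service
            android:name=".SmsNotifyServiceInternal"
            android:exported="false" />

        <!-- CORRECTED (a companion app signed with our key needs it): exported, but the
             caller must hold the signature permission above, and there is no
             <intent-filter>, so callers must name the component explicitly. -->
        <service
            android:name=".SmsNotifyServiceShared"
            android:exported="true"
            android:permission="com.example.enterprise.permission.SEND_NOTIFICATION_SMS" />
    </application>
</manifest>
```

To check the result the way the attack would, install a second test app with no permissions and have it start each service by explicit component name: the weak declaration runs and sends the message, the two corrected ones are refused by the platform. The same review applies to exported activities, receivers and content providers, since any of them can act as the confused deputy described above.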

This is one mobile threat that needs to be tested on a platform-by-platform basis. Because of the differences between each platform in how they handle interoperability, DeLaGrange suggested, "Mobile application testers need to be aware of the vulnerabilities of each mobile platform their application supports and perform testing on each to understand if and how their application can be utilized to exploit them."
