INTELLIGENT BRANDS // Mobile Technology
What’s up with your mobile apps?
Identifying and mitigating digital risk
While mobile applications offer
a host of new opportunities, they
can also introduce risk, explains
Alastair Paterson, CEO and
co-founder at Digital Shadows.
In this increasingly mobile-first world,
organisations are turning to mobile
applications that enable them to
better interact with their customers and
provide new tools for employees. While
mobile applications offer a host of new
opportunities, they can also introduce risk.
Mobile devices and applications are
highly lucrative and viable targets for
threat actors. Although the majority of
individuals download apps from the Apple
App Store and Google Play, which
mitigates risk, this is not the case for all
users. There are many unofficial stores
that allow your customers or employees
to install mobile applications that are
often not actively managed by their
developers or rigorously reviewed prior
to listing. There have also been instances
where apps infected with malware have
managed to infiltrate official stores – so
even those stores aren’t risk-free. For
example, in January 2017 ransomware
was identified bundled together with an
information stealer masquerading as a
battery saving app available for download
from the Google Play store. The app has
since been removed from the store.
So, what can you do to better protect
yourself from such threats? First, all
mobile users should benefit from
knowing what threats are lurking. There
are five aspects to mobile device risk
that organisations and users need to be
on the lookout for:
1. Your apps – Suspect behaviour and
code within your own apps, such
as self-signed certificates or the
presence of malware.
2. Modified apps – Versions of your
own mobile applications that have
been modified by a third party.
3. Copied apps – Copies of your own
mobile applications on stores where
you are not actively managing them.
4. Impersonating apps – Mobile apps
that spoof or mimic your branding
or identity.
5. Affiliate links – Links to your own
mobile applications that may
mislead or confuse users.
Even if your organisation doesn’t use
mobile apps or SMS communication,
you still may be at risk of threat actors
targeting your customers through
malicious and illegitimate applications,
or through SMS phishing (aka SMishing)
attacks. SMishing attacks use the same
techniques as traditional phishing attacks
to persuade the user to disclose
personal information, download a file
or app, or visit a malicious site. With
knowledge of these risks, now you can
begin to mitigate them.
A good starting point is to institute user
education around mobile application
risks. This includes the risk of purchasing
from third-party stores, downloading
cracked versions of applications,
and granting requests for intrusive
permissions and privileges.
Organisations should also ensure that
mobile device operating systems are
up to date, helping to prevent the
exploitation of vulnerabilities by threat
actors. Finally, companies should
monitor not just third-party apps
but also internal company mobile apps,
and take appropriate remediation
measures including: blocking the use
of older versions, resetting passwords,
blocking jailbroken devices from your
services and whitelisting apps that are
sanctioned. We can expect bad actors
will increasingly take advantage of the
rise in mobile device and application use
to steal customer data and intellectual
property, divert revenue, and damage
your brand and reputation. But by
understanding what’s up with your
apps, you can mitigate the digital
risk to your organisation, employees
and customers.