Role of Mobile Applications in Data Breaches
Written by Sharon Rosa-Bohrer
No business is immune to a data breaches. There were 1,293 total data breaches worldwide in 2017, totaling 174 million records. This is an increase of 45% from 2016. This trend is expected to continue. Being hacked isn’t a matter of if- it’s when. With the rise in mobile app use in our daily lives, by businesses, employees, customers, and individuals, mobile small data breaches happen every day, undermining overall enterprise data security (Appthority). Traditional perimeter protection is not enough to protect your business from mobile devices that are lost, hacked, or compromised.
Threats targeting business data can come from your own employees, others who have access to your network, and people outside your organization. One way to gain unauthorized access is through mobile devices and mobile applications. The cost of a data breach in terms of the expense and fines associated with government breach notification requirements can be staggering. Combine this with a soiled reputation and lost customer trust and it’s clear that data breaches negatively affected normal business operations. Mobile is often at the root of data breaches.
Role of Mobile Apps in Data Breaches
The ever-growing threat of mobile surveillance and data gathering through mobile apps puts company data at risk. Data representing different levels of risk include personally identifiable financial, health, intellectual property, competitive, legal and IT security information. Mobile apps collect a tremendous amount of personal data on users. This data is instantly shared with mobile advertising networks who use it to personalize the ads you see. This is more than just advertising; its mobile surveillance and it is a threat to enterprise security.
As personal mobile devices invade the business world, IT departments often lack visibility into the hidden behavior of apps. These hidden app behaviors are a risk to the users and their employers. With most employees using numerous apps each in a mobile environment, risk exposure is increased by providing a larger footprint into the enterprise. Leaks from those devices can result in corporate hacks, stolen business data, and cyber attacks.
Of companies that monitor their mobile environments for risk, Appthority reported that 67% of organizations said a data breach likely occurred from employees using their mobile devices to access sensitive company information. 60% of organizations can tie a security incident to an insecure mobile app. The threat is real.
The Reality of Mobile App Data Breaches
Mobile app breaches usually begin with just a public copy of your app with bugs in the code that a hacker is able to reverse engineer and tamper with. Research shows that malicious code affects over 11.6 million mobile devices at any given time.
The most common threat comes from risky app behavior. This includes aggressive data collection and data sharing, as well as how popular mobile apps downloaded to employee devices are handling sensitive company data (Appthority).
This can happen as simply as a company allowing employees to sync corporate calendars, address books, and email accounts to their personal device. Any mobile app that requests access to contacts and calendar, now have access to the names/titles of company employees. Many apps share this corporate and personal data with ad networks that in turn share data, all without IT supervision. By hacking an ad network, hackers gain access to all users. Security researchers point to mobile as a growing phishing attack vector. Some reports estimate mobile users as 3x more likely to be a victim of phishing scams.
In March 2018, Under Armour announced that an unauthorized third-party gained access to information from 150 million users of its app, MyFitnessPal. This compromised data included usernames, email addresses, and passwords, all which can lead to identity theft. This followed the running app Strava’s data breach that revealed the locations of hidden US military bases through the use of anonymous data collected on the app.
Reduce the Risk of Data Breaches
A recent Verizon report stated that 32% of companies will sacrifice mobile security in order to improve business performance. This is unwise and could be costly. Small mobile app vulnerabilities can build a major data breach.
Here are several steps businesses can take to reduce the risk of mobile app data breaches:
- Establish a mobile device policy that manages the use of mobile devices. Mobile threat protection needs to be a part of your overall security strategy. Provide employees with a list of safe apps to install.
- Use a Blind Enforcement model to monitor what apps their employees are using an anonymous device ID to confirm whether those apps comply with corporate security policies while protecting employee privacy. Using a mobile threat protection solution in conjunction with blind enforcement keeps everyone safe (Appthority).
- Educate employees about questioning apps that request permission to access location, contacts, or camera.
- Secure code– Application security testing needs to be brought into the development process and it needs to be seamless. By bringing security testing into the in code, pre-build, build, and deployment process, you embed security in the development environment. Obfuscate and minify your code so it cannot be reverse engineered.
- EncryptionTightly control who can read specific files and data sets and allows you to control who can read it at all times. This is a second level of protection that protects sensitive data from being read by unauthorized users. In this case, a security failure giving access to data that can’t be read would not be considered a data breach.
- Assess the risk associated with your mobile apps, whether you’re developing them or only using them. Test repeatedly and fix bugs as they occur. Be careful with third-party libraries. Apply vendor security patches. Authorize API centrally for maximum security and Use High-Level Authentication
Join us at Mobile Payments Conference 2018! Mobile Payments Conference offers comprehensive training and networking with world-class experts in the Mobile Payments, FinTech and Cybersecurity industries.