Software Integrity
Jailbird: A cautionary tale of mobile application security awareness

For all the technology and solutions out there, the number one protection against cybercrime is still user awareness: the ability to recognize when you are at risk, even as a consumer. Our greatest exposure is our smartphones. These devices carry not only our favorite photos and music playlists but also address books, email, health information, credit card data and even the passwords in all those "secure" vaults you can download for free. Of course, we are often at the mercy of the genuinely useful, sometimes life-saving, apps we depend on, and what's the risk anyway, right?

I was recently helping a fellow soccer parent in her search for a new job and suggested she explore indeed.com. I recommended she download the Indeed app to review opportunities on her mobile phone. She located the app in one of the Android app stores and started to download it. During the download, she alerted me to the permissions screen one must acknowledge before proceeding with the download. She was new to Android phones and wondered what it all meant.  Upon viewing this permissions screen, I saw what I have seen so many times before, but this time was a little different. The Android app’s permissions screen showed that “Chris Lamprecht,” not the app, but Chris Lamprecht requested she allow him access to her Android device with an alarming set of permissions requests, including the ability to:

  1. Use her location, access the internet and networks
  2. Access accounts on her phone, including email and messaging apps
  3. Access the address book and contact lists
  4. Read, modify or delete the contents of any USB storage
  5. Control the vibration of the phone and prevent the device from sleeping

And yes, it was an Android app.

Let's dig into this list a bit deeper. Keep in mind this is an app for job seekers: enter search criteria, get back relevant openings. Internet and location are understandable; a job search app plausibly needs the network and your GPS position to find jobs near you. Access to your accounts and your address book, on the other hand? Why would a job search app need to know which email and messaging accounts you have, or who is on your contact list? Read, modify or delete everything on your USB storage? Two things are worth knowing when reading such a screen. First, the items do not all carry the same weight: Android treats internet access, vibration control and keeping the device awake as normal-level permissions that are granted automatically and cannot leak data on their own, whereas location, accounts, contacts and external storage are dangerous-level permissions that guard private data. On Android 6.0 and later those are prompted for individually at runtime and can be denied; on older releases the install-time screen is all or nothing. Second, a permission list does not prove malice, but it bounds the damage: every permission granted is a capability the app, and every advertising or analytics library bundled inside it, is free to exercise. An app whose requests run this far beyond its advertised function looks like spyware disguised as a tool for job seekers, and the Google Play and Amazon app stores host plenty of others like it.

So, how do we work with this? How do we keep our private information from being pulled off our personal or work phones just because we innocently installed an app? As consumers, our main lever is the choice of platform, mainly Apple or Android, and in practice that choice dictates the level of review and security assurance you get. I will be the first to admit Apple is no angel; its app review is regularly tested and sometimes breached. However, Android is most certainly no better, and its app stores continue to host fake apps and apps with capabilities and intentions other than advertised, at a very high privacy risk. Whatever the platform, the one check always available to you is to read the permission list before installing and compare it with what the app's advertised function actually needs.

If vultures are attacking consumers on an individual basis, imagine how the threat is amplified at the enterprise level. The stakes are higher, but the prize that comes with a successful corporate hack is well worth the hoops an attacker has to jump through to pull off a breach of that magnitude.

Prevent a breach by educating employees on mobile application security.

What recommendations can be made to both enterprise and personal users?

On an enterprise level, how can companies deploy smartphones across the workforce securely? With more and more employees using apps to manage customer data and to reach the company network, how is this achieved? Well, it's not easy, nor is it cheap. Any deployment of smartphones for corporate work should consider the following measures:

  1. Do not allow any apps on the company-issued phone other than those needed for the job role, or allow only apps that have been tested and assessed against a minimum security baseline, including a review of the permissions each one requests.
  2. Employ a mobile device manager (MDM): apply strict control over how the company-issued phone is used through both app and app store blacklisting, route all traffic through a VPN, and mandate a separate productivity suite (email, browser, address book and apps) for enterprise use.
  3. Employ a mobile application manager (MAM) that wraps, sandboxes and isolates the corporate applications from the rest of the phone. In this case the phone may carry any commercial apps, because the corporate apps live in a separate security domain. This is typical for privately owned phones that the enterprise allows onto its network.
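
As an added example, not part of the original post and not the manifest of Indeed or any other real app, the script below performs the baseline assessment that measure 1 calls for and the permission triage discussed earlier: it reads the permissions an Android app requests from its manifest, separates dangerous-level requests that fall outside a per-role baseline from normal-level extras, and rejects the app if any dangerous request is unaccounted for. The manifest, the package name com.example.jobsearch and the JOB_SEARCH_BASELINE set are constructed for illustration; the dangerous-level table is a subset of the platform's own classification.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Subset of permissions the platform marks protectionLevel="dangerous":
# they guard private user data and, on Android 6.0+, are granted one by one
# at runtime. Anything not listed here is treated as normal-level, which the
# system grants automatically at install (INTERNET, VIBRATE, WAKE_LOCK, ...).
DANGEROUS = {
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.GET_ACCOUNTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.WRITE_CONTACTS",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Hypothetical baseline for the job-search role: network plus location,
# the two requests the text above accepts as reasonable for such an app.
JOB_SEARCH_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Constructed manifest mirroring the kind of request list the text describes.
# It is not the manifest of any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.jobsearch">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the sorted list of permission names a manifest requests.

    Both <uses-permission> and <uses-permission-sdk-23> count: the latter
    is only requested on API 23+, but the reviewer still needs to see it.
    """
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return sorted(names)


def audit(manifest_xml, baseline):
    """Compare requested permissions with the role baseline.

    Dangerous-level requests outside the baseline fail the review outright;
    normal-level extras are reported so a reviewer can decide (WAKE_LOCK on
    its own is harmless, but it is still capability the role does not need).
    """
    requested = requested_permissions(manifest_xml)
    excess = [p for p in requested if p not in baseline]
    excess_dangerous = [p for p in excess if p in DANGEROUS]
    excess_normal = [p for p in excess if p not in DANGEROUS]
    return {
        "requested": requested,
        "excess_dangerous": excess_dangerous,
        "excess_normal": excess_normal,
        "approved": not excess_dangerous,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, JOB_SEARCH_BASELINE)
    verdict = "APPROVED" if report["approved"] else "REJECTED"
    print(f"{verdict}: {len(report['requested'])} permissions requested")
    for perm in report["excess_dangerous"]:
        print(f"  dangerous, outside baseline: {perm}")
    for perm in report["excess_normal"]:
        print(f"  normal, outside baseline:    {perm}")
```

For a real APK the manifest is stored in binary form; `apkanalyzer manifest print app.apk` from the Android SDK command-line tools decodes it to XML that this script can read directly. The baseline is deliberately per role rather than global: the same GET_ACCOUNTS request that fails a job-search app may be perfectly justified for a mail client.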

While these options greatly reduce enterprise-level risk by minimizing the attack surface of mobile devices, the best advice for consumers at this point is to tread lightly. Be observant. Mobile application security awareness is key to consumers protecting themselves against cyber criminals.

Oh, and to really drive the point home, let's explore one last question: who's Chris Lamprecht? Christopher Matthew Lamprecht, Federal Bureau of Prisons ID# 61153-080, was released on March 3, 2000, and was one of the first Americans incarcerated for cybercrimes.

Learn more about the mobile application risk landscape.