The use of mobile devices within enterprise organizations is commonplace, so organizations must prepare for all sorts of mobile threat vectors — including attacks via mobile applications — to avoid a cybersecurity breach.
As the COVID-19 pandemic and the trend of working from anywhere have pushed many people to work remotely, mobile devices have become a primary channel for employees to stay in touch with their employers and enterprise networks. While this shift has offered convenience and flexibility to workers, reliance on mobile devices brings new security risks to the table. Ransomware, malware and other types of attacks can target mobile devices to great effect, and organizations must account for this to keep data secure throughout the enterprise.
Mobile app breaches threaten enterprises
It only takes one compromised mobile device for an attacker to access an organization’s network. Corporate-owned and BYOD mobile devices are the ultimate target for land-and-expand attacks, where an attack on a mobile device sets the stage for another attack on a back-end system or cloud application. A typical corporate user’s mobile device may have business email, a unified communications application such as Slack or Teams, and a Salesforce or other customer relationship management (CRM) client. When attackers compromise such a device, they have full access to the corporate network resources — as if they’re authorized users of the device.
Because many workers resorted to using personal and corporate-owned mobile devices to get their jobs done amid the pandemic, the mobile attack surface has grown in recent years. A 2022 report from mobile security vendor Zimperium found that a global average of 23% of mobile devices encountered malicious applications in 2021. The firm also found that 75% of phishing sites specifically targeted mobile devices that year.
Additionally, with each new application a user installs on a mobile device, the attack surface grows. Threats to applications, such as exposed APIs and misconfigured code, leave customer data open to attack. Outdated mobile apps only add to these security vulnerabilities. Organizations can look to enterprise mobility management (EMM) and other endpoint management tools for better control over applications. These tools enable IT to create and manage policies, such as automating mobile OS and app updates, for better mobile security.
Attackers may also target mobile devices for reconnaissance. Bad actors can use a mobile device’s microphone and camera to spy on organizations and learn corporate secrets, such as research and development plans and financials. Compromised mobile devices can eavesdrop on sales calls or meetings about an organization’s next big product.
Mobile device threat vectors that IT should know about
There are many ways that hackers can compromise mobile devices through mobile apps. Prevent and mitigate the damaging consequences of attacks on mobile applications by keeping the following threat vectors in mind.
Malware is malicious software that can steal login credentials while bypassing two-factor authentication (2FA). Viruses, worms and spyware are examples of malware targeting mobile devices.
The fight against mobile malware starts with mobile antivirus software. IT must tightly control remote access to the enterprise network via mobile devices.
Malware attacks evolve with the support of state-sponsored and criminal hacking organizations. Some of these hacking groups have the technology and staff resources of a large software development shop. For example, a new and alarming trend in malware attacks against mobile banking apps is the dropper apps, which cybercriminals added to legitimate apps in the Google Play store. As hybrid work and BYOD policies blur the lines between personal and corporate devices, this is a significant threat to many organizations.
As DevOps and DevSecOps practices gain popularity, mobile app developers will increasingly have to move to mobile DevSecOps to build secure mobile apps. Many defense techniques will only grow in importance, such as code obfuscation to render app code or logic hard to understand and application shielding to guard against dynamic attacks, malicious debugging and tampering.
While IT teams can use obfuscation to protect data, hackers can also use this tactic to carry out ransomware attacks. A ransomware attack encrypts a compromised mobile device, locking the device user out. Ransomware attackers usually follow the same playbook with mobile devices as they do with PCs: Pay up if you want to regain access to your device and its data.
Ransomware was a part of nearly 25% of all data breaches in 2021 — an almost 13% increase from the previous year — according to findings from Verizon’s “2022 Data Breach Investigations Report”, and mobile devices are far from immune to such attacks.
Preventing ransomware starts with blocking corporate devices from downloading apps from any source other than their enterprise app store, the Apple App Store or Google Play. Some other critical steps to prevent mobile ransomware include the following:
- Create and enforce a BYOD policy with an accompanying training program that governs the security of devices enrolled in the corporate BYOD program.
- Create policies in the organization’s EMM platform that prompt any enrolled BYOD and corporate devices to download security patches and updates automatically.
- Make mobile ransomware prevention part of corporate cybersecurity training.
Flawed code and leaky mobile apps
Leaky mobile apps set the stage for a mobile device breach. As the name suggests, a leaky app is an app that corporate data seeps out of, like water leaking out of a cracked pipe. Poor programming practices create flawed code, which can enable the public and attackers to see application data such as corporate information and passwords.
Security flaws were a significant issue with the release of the Beijing 2022 Olympics app. The app was mandatory for all attendees and had flaws that could allow attackers to steal personal information and even spy on some communications. Common advice to the athletes and other attendees was to use a burner phone at the Olympics because of the mobile security threats that were present.
A similar threat emerged in January 2021, when Slack identified a bug in its Android app that logged cleartext user credentials on devices. While Slack did warn its users to change their passwords and purge the application data logs, potential access was wide open to attackers seeking corporate information. Although the bug did not lead to any headline-grabbing breaches, it shows that popular enterprise mobile apps are a potential attack vector.
To protect against flawed code and leaky mobile apps, organizations must train their mobile developers in secure coding practices and implement mobile application security testing as part of a DevOps methodology.
Software supply chain breaches
A software supply chain works similarly to an assembly line in a factory. It’s a production cycle that pulls together partners, contractors and third-party vendors to produce software. Open source software components also travel the same supply chain.
Through the software supply chain, however, a cybersecurity vulnerability in one organization can lead to further damage for various other organizations. The SolarWinds software supply chain breach infamously showed this danger, with hackers gaining access to the networks, systems and data of thousands of the company’s government and enterprise customers.
An attacker who compromises the software supply chain of a mobile app vendor can insert code in the app, which prompts an end user to download an update from a malicious site. A software supply chain compromise happens before an app hits a public or corporate app store.
Business application and service providers will no doubt ramp up their supply chain security to prevent these attacks.
Jailbreaking and rooting of mobile devices
Jailbroken iOS devices and rooted Android devices compromise the security posture of the entire device because they allow hackers to carry out privilege escalation attacks. When attackers gain access to a mobile OS, they can attack mobile applications indiscriminately.
EMM tools such as Jamf Private Access enable IT to set security policies that prevent jailbroken or rooted mobile devices from accessing enterprise resources.
As corporate applications migrate to the cloud, the prospect of man-in-the-middle (MitM) attacks — where an attacker can intercept, delete or alter data sent between two devices — becomes a reality. While there are other causes of MitM attacks, mobile applications using unencrypted HTTP can traffic sensitive information, which attackers can utilize for their nefarious purposes.
To prevent MitM attacks, organizations should start by training their development teams in secure coding standards and architecture. The same standards must also apply to vendors in their software supply chain.