Countering the risks of cyberattacks posed by mobile apps

We’ve all become somewhat jaded when hearing about the billions of mobile devices being used by corporate employees and individual consumers (with individual devices increasingly used across both business and personal settings). Somewhat less well known – and still surprising – is the number of mobile apps active in the typical corporation. One recent assessment by Skyhigh Networks found that the average organization uses 1,427 cloud services, each represented by an app on at least one employee’s phone. 

The mind-boggling proliferation of mobile apps has emerged as one of the most daunting cybersecurity challenges corporations face. And the threat isn’t just limited to malware infected apps such as those that carried the Gooligan code, which compromised more than 1 million Google accounts in late 2016. 

Legitimate mobile apps can also cause security headaches and risks, due to the many permissions users must grant in order to load the apps. In an analysis of more than 75,000 apps from the Google Play Store, mobile security company Zscaler found that 68 percent of the apps required SMS access permission, 46 percent asked for the phone’s state permission, which allows apps to access the phone’s SIM card information, and 36 percent requested GPS location permission. 

Confronted with such statistics, what’s an organization to do? The AT&T Cybersecurity Insights report The CEO’s Guide to Data Security provides a number of suggestions about how to reduce your exposure to mobile app threats. Among the steps you can take: 

  • Educate your employees about the risks posed by mobile apps, and give them guidelines to follow to reduce these risks. 

  • Only permit app downloads from reputable app stores such as the Google Play Store or the Apple App Store. Even these generally safe sources can sometimes be compromised, but they are much better at blocking and removing suspicious apps than other sites. 

  • Create whitelists of approved mobile apps, and closely monitor the app profiles of corporate-owned as well as bring-your-own-device (BYOD) phones, tablets, laptops and increasingly, wearables. 

  • Install security controls such as those offered by Skycure to monitor devices for malware and other mobile security threats (such as rogue Wi-Fi networks). 

  • Make use of cloud access security brokers (CASBs), which sit between your employees’ devices and cloud service providers, giving you visibility into the apps and cloud services employees are using as well as a way to manage and, if necessary, restrict that activity. 
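As an added illustration of the whitelisting and permission-review steps above (example code written for this page, not from AT&T, Skyhigh, Zscaler or Skycure), the script below audits a constructed device inventory against an allowlist, a trusted-store list and the three permission classes the Zscaler figures cite; the package names, device ids and store labels are assumed sample values.

```python
# Added example, not from the AT&T post or its sources: audit a constructed app
# inventory against an allowlist, trusted stores and the permission classes the
# post cites (SMS, phone state, location). Android permission strings are real
# platform identifiers; inventory records and policy values are constructed.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": "sms",
    "android.permission.SEND_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_PHONE_STATE": "phone_state",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
}
SAMPLE_INVENTORY = [
    {"device": "dev-001", "package": "com.example.mail", "store": "play",
     "permissions": ["android.permission.INTERNET"]},
    {"device": "dev-001", "package": "com.example.flashlight", "store": "play",
     "permissions": ["android.permission.READ_SMS",
                     "android.permission.ACCESS_FINE_LOCATION"]},
    {"device": "dev-002", "package": "com.example.sideloaded", "store": "unknown",
     "permissions": ["android.permission.READ_PHONE_STATE"]},
]
ALLOWLIST = {"com.example.mail"}
TRUSTED_STORES = {"play", "apple"}

def risk_classes(app):
    """Set of risk labels for the permissions an app declares."""
    return {RISKY_PERMISSIONS[p] for p in app["permissions"] if p in RISKY_PERMISSIONS}

def audit_inventory(inventory, allowlist=ALLOWLIST, trusted_stores=TRUSTED_STORES):
    """One finding per app that breaks policy; empty list when the inventory is clean."""
    findings = []
    for app in inventory:
        reasons = []
        if app["package"] not in allowlist:
            reasons.append("not_allowlisted")
        if app["store"] not in trusted_stores:
            reasons.append("untrusted_store")
        risky = sorted(risk_classes(app))
        if risky:
            reasons.append("risky_permissions:" + ",".join(risky))
        if reasons:
            findings.append({"device": app["device"], "package": app["package"],
                             "reasons": reasons})
    return findings

def permission_prevalence(inventory):
    """Fraction of apps requesting each risk class (the kind of tally Zscaler reported)."""
    total = len(inventory) or 1
    return {lab: sum(lab in risk_classes(a) for a in inventory) / total
            for lab in sorted(set(RISKY_PERMISSIONS.values()))}
```

Feed it a real MDM or CASB export with the same three fields per app and the findings list becomes the monitoring report the whitelist step calls for.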

The problem of mobile apps requiring extensive and excessive permission rights won’t go away anytime soon, as mobile app vendors use the data gained via permissions to create profiles and fine-tune their marketing efforts. Still, as more corporations and individual users protest over-the-top permissions practices, growing numbers of app vendors are scaling back their permissions requirements to just those truly required for apps to perform their core functions. 

Looking forward, next-generation apps may have more self-awareness built in, so that they limit their operations to those within accepted and expected usage profiles. Rather than waiting for an attack to occur and reactively trying to block it, these apps would proactively control the types of activities and data access they’ll allow. 

Dwight Davis has reported on and analyzed computer and communications industry trends, technologies and strategies for more than 35 years. All opinions expressed are his own. AT&T has sponsored this blog post. 