Needless to emphasize that applications stand at the very heart of mobile usages. Except for very specific business cases, mobile workers require flexibility in their apps usage and have to be free to download, on top of the provided set of corporate applications, any other application they might need. In addition, the democratization of BYOD configurations makes no question of the aforementioned.
The efficiency of the mobile security policy will then rely on the capabilities of the application security solution to properly detect unexpected activities and protect corporate information by enforcing adequate security measures.
In the mist of information provided in mobile application security reports, it is crucial to distinguish real security insights from useless data. Quantity is not a sign of quality and a common pitfall is to not take a closer look to the depth and relevance of information delivered and therefore the ability of the solution to draw an effective conclusion on apps severity.
Permissions, libraries and communications, so what?
If listing in details permissions, libraries and communications is the right place to start with the analysis of an application, the evaluation needs to be complemented with a further in-depth behavioural analysis to provide a clear understanding of apps threats.
In fact, looking at permissions or libraries depicts activities the application is authorized or able to proceed with, but to which extend? As a concrete example, providing access to contacts for a social app make sense, but having the contact list sent of the device is another story.
After acknowledging the connections performed by the application (Is it secure and trusted? Is it an expected communication with regards to the nature of the app?), the central question is which data are exchanged through this connection.
As a result, beyond cataloguing the permissions, libraries and communications, the central point is to identify what the application is doing with data and are those activities aligned with the security policy of the company and more widely are they compliant with regulations.
Data protection regulations made clear that companies are responsible for the data processing performed through their information system and mobile devices form an integral part thereof.
Finally, known and unknown malwares as well as advanced or persistent threats have to be clearly identified. The mobile threat landscape is constantly evolving through more and more evolved and hidden attacks. Signature tracking and basic malware detection are required but pointless on their own. An efficient detection mechanism must pick up on the faintest of signals to reveal malicious activities.
A genuine decision-making tool
The vetting of applications is a structuring piece of the mobile security puzzle and acts as an autonomous decision-making tool. There is no way to compromise with its accuracy at the risk of numerous false-positives and negatives generating end-user’s frustration, lack of visibility for security heads and default in the compliance with regulations.
The table hereafter is aiming at guiding companies in the assessment of the value delivered by an app analysis report. If you are in the process of choosing a solution, a step by step comparison of reports of the same set of applications should draw the major discrepancies and capabilities between solutions.
|
Report content |
Source |
Usefulness for security purpose |
Example |
|
Known malwares |
Database |
Decision-making |
Viral signatures |
|
Unknown malwares |
Behavioral analysis |
Decision-making |
Keylogger, screenlogger, overlay… |
|
Permission listing |
Available data |
Information |
Access location, contacts, … |
|
Permission diversion |
Behavioral analysis |
Decision-making |
OTP interceptor, data leakage, … |
|
Libraries listing |
Available data |
Information |
Marketing, login, popular development libraries… |
|
Libraries exfiltrating data |
Behavioral analysis |
Decision-making |
Marketing library retrieving user’s information |
|
Code and library vulnerabilities |
Database |
Decision-making |
|
|
Data manipulation |
Behavioral analysis |
Decision-making |
Call log sent of the device… |
|
Data processing endangering data privacy regulation |
Behavioral analysis |
Decision-making |
User’s data (user and contacts information, video, files, …) |
|
Communications listing |
Available data |
Information |
|
|
Communications analysis |
Behavioral analysis |
Decision-making |
Trusted and secure connection, phishing… |
|
Communications combined with data sending |
Behavioral analysis |
Decision-making |
Data exfiltrated to unexpected destinations |
Bottom line, when considering application vetting as part of mobile threat defense or as a standalone solution, you may rely on this table to assess the real value you will get back from the tool. Make sure you are investing in a value-added solution and not simply a fancy solution that packages, at an abusive price, pieces of information in free access.
