Application threat analysis/App vetting: how to separate key decision-making insights from pointless information

Posted by Roxane Suau on June 26, 2020

It hardly needs stating that applications sit at the heart of mobile usage. Except for very specific business cases, mobile workers need flexibility in how they use apps and must be free to install, on top of the corporate set of applications provided to them, any other application they might need. The spread of BYOD configurations puts this beyond question.


The effectiveness of the mobile security policy therefore depends on the application security solution's ability to reliably detect unexpected activity and to protect corporate information by enforcing adequate security measures.

In the mass of information provided in mobile application security reports, it is crucial to distinguish real security insight from useless data. Quantity is not a sign of quality. A common pitfall is not looking closely at the depth and relevance of the information delivered, and therefore at the solution's ability to reach an effective conclusion on the severity of an app.

 

Permissions, libraries and communications, so what?

Listing permissions, libraries and communications in detail is the right place to start the analysis of an application, but the evaluation must be complemented by in-depth behavioural analysis to give a clear understanding of the threats an app poses.

Looking at permissions or libraries shows which activities the application is authorised or able to perform, but to what extent does it actually perform them? As a concrete example, giving a social app access to contacts makes sense, but the contact list being sent off the device is another story.

After acknowledging the connections the application makes (Is each one secure and trusted? Is it an expected communication given the nature of the app?), the central question is which data are exchanged over that connection.

As a result, beyond cataloguing permissions, libraries and communications, the central point is to identify what the application does with data, and whether those activities are aligned with the company's security policy and, more widely, compliant with regulations.

Data protection regulations have made clear that companies are responsible for the data processing performed through their information systems, and mobile devices form an integral part of those systems.

Finally, known and unknown malware, as well as advanced or persistent threats, have to be clearly identified. The mobile threat landscape evolves constantly, with attacks that are ever more sophisticated and better hidden. Signature matching and basic malware detection are required but insufficient on their own. An efficient detection mechanism must pick up the faintest signals to reveal malicious activity.

 

A genuine decision-making tool

The vetting of applications is a structural piece of the mobile security puzzle and acts as an autonomous decision-making tool. There is no room for compromise on its accuracy: numerous false positives and false negatives generate end-user frustration, leave security leads without visibility, and put regulatory compliance at risk.

The table below aims to guide companies in assessing the value delivered by an app analysis report. If you are in the process of choosing a solution, a step-by-step comparison of the reports produced for the same set of applications should bring out the major discrepancies and differences in capability between solutions.

 

| Report content | Source | Usefulness for security purpose | Example |
|---|---|---|---|
| Known malware | Database | Decision-making | Viral signatures |
| Unknown malware | Behavioural analysis | Decision-making | Keylogger, screenlogger, overlay… |
| Permission listing | Available data | Information | Access to location, contacts, … |
| Permission diversion | Behavioural analysis | Decision-making | OTP interceptor, data leakage, … |
| Libraries listing | Available data | Information | Marketing, login, popular development libraries… |
| Libraries exfiltrating data | Behavioural analysis | Decision-making | Marketing library retrieving user's information |
| Code and library vulnerabilities | Database | Decision-making | |
| Data manipulation | Behavioural analysis | Decision-making | Call log sent off the device… |
| Data processing endangering data privacy regulation | Behavioural analysis | Decision-making | User's data (user and contacts information, video, files, …) |
| Communications listing | Available data | Information | |
| Communications analysis | Behavioural analysis | Decision-making | Trusted and secure connection, phishing… |
| Communications combined with data sending | Behavioural analysis | Decision-making | Data exfiltrated to unexpected destinations |
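To make the split between the "Information" rows and the "Decision-making" rows of the table concrete, here is an added Python example; it is not code from the article's author or from any vendor's product. It takes a constructed profile of an app (granted permissions, embedded libraries, and the outbound data flows seen during behavioural analysis) and emits report rows in the shape of the table: inventory rows are recorded as information only, while a verdict is derived solely from behaviour, such as contact data reaching a host unrelated to the app, or a marketing library sending it. The permission-to-data mapping, the blocking policy, the sample apps and the hostnames are all assumptions made for the example.

```python
"""Added example: turn app-vetting observations into information vs decision rows.
Not the article's or any vendor's code; the permission mapping, blocking policy,
sample apps and hostnames are constructed assumptions."""
from __future__ import annotations
from dataclasses import dataclass

# Assumed mapping: permission -> class of personal data it unlocks (not exhaustive).
PERMISSION_DATA = {
    "READ_CONTACTS": "contacts",
    "ACCESS_FINE_LOCATION": "location",
    "READ_CALL_LOG": "call_log",
    "READ_SMS": "sms",
}
SENSITIVE_DATA = set(PERMISSION_DATA.values())
BLOCKING = {"permission diversion", "library exfiltrating data", "cleartext connection"}  # assumed policy

@dataclass(frozen=True)
class Flow:
    """One outbound transfer seen during behavioural analysis (constructed record)."""
    host: str     # destination
    data: str     # class of data carried: "contacts", "location", "telemetry", ...
    tls: bool     # transport protected or cleartext
    origin: str   # "app" for first-party code, otherwise the library that sent it

@dataclass(frozen=True)
class AppProfile:
    name: str
    permissions: frozenset[str]
    libraries: frozenset[str]
    expected_hosts: frozenset[str]  # hosts consistent with the app's stated purpose
    flows: tuple[Flow, ...]

@dataclass(frozen=True)
class Finding:
    kind: str      # "information" (inventory) or "decision" (behaviour)
    category: str
    detail: str

def vet(app: AppProfile) -> list[Finding]:
    """Produce report rows for one app: inventory first, then behaviour."""
    out: list[Finding] = []
    # Inventory: what the app *may* do. Context only, never a verdict by itself.
    out += [Finding("information", "permission", p) for p in sorted(app.permissions)]
    out += [Finding("information", "library", lib) for lib in sorted(app.libraries)]
    out += [Finding("information", "communication", f.host) for f in app.flows]
    # Behaviour: what the app *does* with data, judged per observed flow.
    for f in app.flows:
        if not f.tls:
            out.append(Finding("decision", "cleartext connection", f"{f.data} to {f.host}"))
        unexpected = f.host not in app.expected_hosts
        if f.data in SENSITIVE_DATA:
            if f.origin != "app":
                out.append(Finding("decision", "library exfiltrating data",
                                   f"{f.origin} sends {f.data} to {f.host}"))
            elif unexpected:
                out.append(Finding("decision", "permission diversion",
                                   f"{f.data} sent off the device to {f.host}"))
            else:
                # Expected destination, but personal data still leaves the device:
                # a privacy-regulation question for the policy owner, not a pass.
                out.append(Finding("decision", "data processing", f"{f.data} to {f.host}"))
        elif unexpected:
            out.append(Finding("decision", "unexpected destination", f"{f.data} to {f.host}"))
    return out

def verdict(findings: list[Finding]) -> str:
    """Collapse the rows into the decision a security team actually needs."""
    decisions = {f.category for f in findings if f.kind == "decision"}
    if decisions & BLOCKING:
        return "block"
    return "review" if decisions else "allow"

def inventory_ratio(findings: list[Finding]) -> tuple[int, int]:
    """(information rows, decision rows): how much of a report is mere listing."""
    info = sum(1 for f in findings if f.kind == "information")
    return info, len(findings) - info

# Constructed sample apps (names and hosts are placeholders).
SOCIAL = AppProfile(
    "social-demo", frozenset({"READ_CONTACTS", "CAMERA"}), frozenset({"okhttp", "adsdk"}),
    frozenset({"api.social.example"}),
    (Flow("api.social.example", "contacts", True, "app"),      # expected sync of contacts
     Flow("ads.tracker.example", "contacts", True, "adsdk")),  # ad library copying them
)
FLASHLIGHT = AppProfile(
    "flashlight-demo", frozenset({"ACCESS_FINE_LOCATION"}), frozenset(), frozenset(),
    (Flow("collect.unknown.example", "location", False, "app"),),
)
NOTES = AppProfile(  # holds READ_CONTACTS but never diverts it: a permission alone is not a threat
    "notes-demo", frozenset({"READ_CONTACTS"}), frozenset({"okhttp"}),
    frozenset({"sync.notes.example"}), (Flow("sync.notes.example", "notes", True, "app"),),
)

if __name__ == "__main__":
    for app in (SOCIAL, FLASHLIGHT, NOTES):
        rows = vet(app)
        print(app.name, verdict(rows), "info/decision rows:", inventory_ratio(rows))
```

Run as a script, it prints one line per sample app: the social app is blocked because an ad library ships the address book, the flashlight app because it sends location off the device over cleartext to a host it has no business with, while the notes app, which holds the same contacts permission as the social app but never diverts it, is allowed. The `inventory_ratio` figure makes the article's point measurable: a report that is mostly "information" rows has listed a lot without deciding anything.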

 

Bottom line: when considering application vetting as part of mobile threat defense or as a standalone solution, you may rely on this table to assess the real value you will get from the tool. Make sure you are investing in a solution that adds value, not simply a fancy package that sells, at an excessive price, information that is freely available.
