Zombies don’t only lurk on television and in the movies. Zombie apps, software that has been revoked by a mobile app store and is no longer receiving security updates, are quietly residing on the smartphones of users in every enterprise surveyed by a mobile app risk management provider.
Appthority said in a 2Q mobile threat report that the risk to organizations is still underappreciated by CISOs. App stores run by Google, Apple and Microsoft are under no regulatory obligation to tell users of revoked apps — whether revoked for copyright infringement or for serious security/privacy concerns discovered after release — the report points out.
“The ongoing threat of zombie apps and stale apps continues to be an ‘under the radar’ threat to the enterprise,” said Domingo Guerra, president and co-founder. “The solution to closing this threat window is really two-fold: app stores need to revamp their policy to include a mechanism for alerting end users that an app on their device has been revoked, and end users need increased education about the importance of making updates to their mobile apps as soon as they are available.”
The report estimates that 5.2 per cent of the iOS apps on employee devices in an enterprise are dead apps, while 37.3 per cent are stale apps. On Android devices, 3.9 per cent are dead apps and 31.8 per cent are stale apps.
The report also found that
— a newer cause for the rise in vulnerable mobile apps is developers’ over-reliance on third-party libraries. They help save time and money, but, the report says, can make the potential security impact of a single vulnerability exponentially higher because one flawed library is shared by many apps. To make matters worse, the major public app stores spend most of their app review process identifying malware and violations of store terms and conditions, rather than analysing apps for security vulnerabilities.
“This gives both end users, and corporate IT and security administrators a false sense of security that their apps have already been reviewed for risk, meaning that security vulnerabilities are left in the wild longer, increasing the probability that they are exploited.”
— mobile apps may pose more data residency risk than infosec pros think, because of cloud computing. In addition to data going between the app and corporate servers, researchers also found most apps communicate with cloud servers, ad networks, and sometimes with additional third-party services — including sending personal information.
The top iOS apps sent data to 92 different countries outside of the U.S. (Ireland was top with 16.1 per cent of data, followed by China and Germany, each with 4.9 per cent) while the top Android apps sent data to 63 different countries (Germany was top with 4.7 per cent, followed by Ireland, China and France).