Mobile Apps and Hidden Risks

Emily Holbrook

August 1, 2011

In May, a trio of researchers at Ulm University in Germany revealed that Google's Android smartphones contained a security flaw that could potentially affect nearly the entire product line. The flaw was discovered when the team found that it was "quite easy" for hackers to intercept data from Google's email, photo-sharing, calendar and contacts applications.

Not long before the Android breach, Apple came under fire after it was learned that the tech giant was collecting location information from its iPhone users. This was a unique type of data breach, as it was initiated not by outside hackers but by the smartphone's parent company -- and apparently done accidentally. And though a user's location may not be considered sensitive business information, such a weakness within the system signals that there is a strong potential for data breaches involving other, more serious material. Privacy and "big brother" concerns also abound whenever a company can collect geopositioning data on consumers.

The most troubling aspect is that these concerns may be just the beginning. And many security experts fear that mobile apps present one of the largest new frontiers in cyberrisk.

According to the App Genome Project, there are now more than 400,000 apps in the Android Market and Apple App Store combined. Are the companies that release these mobile apps putting the appropriate controls in place to prevent data breaches?

A recent report from Symantec highlights the concern. It found that Apple and Google are very different when it comes to mobile security, "creating distinct potential vulnerabilities for enterprises embracing devices running these operating systems."

For instance, Apple employs what Symantec calls "application provenance," or identifying, certifying and vetting an app before it is published for public use. For Google, however, the course of action is much different. There is no vetting process and apps can be uploaded from just about anywhere on the internet. So as these user-friendly apps continue to grow in popularity, so too may security breaches.

Even more concerning is one of the biggest trends in enterprise mobility: the bring your own device (BYOD) paradigm, in which companies allow employees to use their personal smartphones for business. "This has implications on the whole 'command and control' model that most enterprises are used to and is forcing them to adapt to a 'monitor and manage' model," said Raffi Tchakmakjian, vice president of Trellia, a mobile device management company.

So policies are now being defined with a clear delineation between the consumer and business side -- the key is for enterprises to have full control over their own data and applications, without affecting the user's personal data on the device.

"The State of Data Security," a report recently issued by Sophos, a data protection and analysis firm, stated that "Mobile devices by their very nature are harder to protect and therefore can represent the weakest technology link in a company's network."

Because of the ever-present risk of personal data loss, some U.S. states have enacted legislation relating to data protection. California has had its online privacy protection act (OPPA) in place since 2003, and just this year, state legislators ruled that a person's ZIP code is considered personally identifiable information and therefore covered under the act.

Nevada and Massachusetts have also enacted laws protecting an individual's personal information, requiring companies to encrypt files, employ up-to-date firewall protections and train employees on the importance of personal information security. Consumer advocates hope other states will follow suit.

The risk landscape when it comes to mobile devices and apps is not all bad, however. Some companies have developed apps designed to help users manage risk.

Digital Sandbox, a public safety risk management company based in Virginia, has released what it calls the Risk Analysis Center Mobile Monitor, which allows Apple iPad and iPhone users to access relevant safety threat information within that user's unique risk context.

Citicus, a developer of automated risk and compliance tools, developed MoCA, a smartphone application that allows users to identify worst-case scenarios and their business impact anywhere, anytime with the touch of an iPad or iPhone screen.

Modulo is yet another company offering users immediate access to pertinent business statistics with its Risk Manager Mobile app, which helps organizations develop risk maps, conduct audits, deliver risk profiles, and perform governance, risk and compliance analysis.

Risk managers who use these should still be careful, however. Even the most risk-conscious companies may be challenged by the world of mobile apps -- a world where information security is never guaranteed.

Emily Holbrook is the founder of Red Label Writing, LLC, a writing, editing and content strategy firm catering to insurance and risk management businesses and publications, and a former editor of Risk Management.