Tag Archive for App Store

Mobile Apps Leaking Your Info

Just in time for Black Hat, San Francisco-based Appthority released its Q2 2015 Enterprise Mobile Threat Report. The big headline from the Appthority report is that enterprise mobile apps are leaking your info: they are sending personally identifiable information (PII) and other sensitive data all over the world, often without the enterprise’s knowledge.

FierceMobileIT says that the Appthority Enterprise Mobile Threat Team (EMTT) collected and analyzed the security and risky behaviors of three million apps. They found that the top iOS apps sent data to 92 different countries, while the top Android apps are leaking your info to 63 different countries.

Zombie apps are leaking your info

The report identified another threat to enterprise data. Appthority’s all-in-one App Risk Management service shows that 100% of enterprises surveyed have zombie apps in their environments. Zombie apps are apps that have been revoked by the app stores and are no longer getting security updates. Zombie apps can give attackers a conduit into the enterprise.

The report estimates that 5.2% of the Apple (AAPL) iOS apps on employee devices in an enterprise are dead apps, and 37.3% are stale apps. On Google (GOOG) Android devices, 3.9% are dead apps and 31.8% are stale apps.

Zombie apps can leak your info. Appthority explains that malicious third parties could use a man-in-the-middle attack to hijack the update mechanism for these apps to install new malware on user devices.

Threat to the enterprise

The report points out that, despite these threats, app stores run by Apple, Google, and Microsoft (MSFT) are under no regulatory obligation to tell users anything about an app revoked after release, whether for copyright infringement or for serious security or privacy concerns. Domingo Guerra, president and co-founder of Appthority, classified this as a stealthy risk: “The ongoing threat of zombie apps and stale apps continues to be an ‘under the radar’ threat to the enterprise.”

A third risk to the firm’s data comes from its own programmers, according to the venture capital-backed Appthority. The firm says over-taxed enterprise app development teams are increasingly relying on third-party libraries and software development kits. Vulnerabilities in those third-party packages put enterprise data at risk once they get baked into a corporate app.

The company told CSO that few mobile devices have security applications installed. In particular, only 4 percent of Android devices in use within enterprises had on-device scanning solutions.

rb-
Firms that depend on mobile solutions as part of a Bring Your Own Device (BYOD) effort need to look after their apps as well as connectivity, hardware, data, governance, and reimbursements. Bring your own device hardly seems like a cost saver to me.

I have said this repeatedly; it seems like costs are just being moved around, from spending on a PC in the office that is much less likely to be lost and that can be controlled, to a bunch of new enterprise applications like EMM, mobile anti-malware, and app monitoring.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

SmartWatches – Not Ready for Primetime

Pundits predict that Apple iWatch sales will surpass iPad first-year sales. The experts expect Apple to sell 21 million watches in fiscal 2015. Many believe that the iWatch will drive wearable tech into the enterprise. With this kind of hype, security vendors have started to take a look at the iWatch and other smartwatches.

FierceMobileIT reports that, just in time for Black Hat, MobileIron released a report looking at the security risks smartwatches pose to corporate data. According to the enterprise mobility management firm, workers are increasingly using smartwatches to connect wirelessly to their smartphones and access corporate email, calendar, contacts, and apps.

MobileIron looked at the security of smartwatches that can be paired with iOS and Android smartphones accessing enterprise resources as well as the pairing apps on the smartphones. The author says the EMM vendor analyzed the Apple (AAPL) Watch, Motorola Moto 360, Samsung (005930) Gear 2 Neo, and Shenzhen Qini U8.

MobileIron judged that the Qini U8 had a pairing app that displayed some “suspicious behaviors” that could pose a risk to personally identifiable data, such as access to downloaded and cached content and phone hardware data. The pairing app was downloaded from an unknown IP address in China rather than from the relative safety of the official Google Play store, which scans apps for malicious traits.

Another security concern noted in the article is the implementation of passcodes on smartwatches. Smartphone passcodes are usually time-based so that if the device is not used within a certain time period, the device is locked and access requires entering the passcode.

Smartwatch passcodes examined by MobileIron are proximity-based, so that the device is locked when the smartwatch loses its wireless connection with the smartphone. However, only the Apple Watch prompted the user to set up a passcode, suggesting that many users of the other smartwatches do not enable the passcode option.

In addition, smartwatches do not have enterprise mobility application programming interfaces to do policy enforcement on the devices. The Apple Watch stood out in terms of security by wiping enterprise apps from the device when its companion iPhone is quarantined or retired and the enterprise apps are removed from the phone.

In terms of data encryption, there is no encryption on the Shenzhen Qini U8, while it is optional at the app level for the Motorola Mobility Moto 360 and the Samsung Gear 2 Neo. For the Apple Watch, encryption is enabled for the data on the watch and optional at the app level. The MobileIron report concluded, “As enterprises embrace these devices for enterprise applications … we expect smartwatch vendors to place an even stronger emphasis on security.”

MobileIron is not the only one to have recently scrutinized smartwatches; HP has too. HP’s Fortify security unit tested 10 different smartwatches and found that all of them were vulnerable to cyberattacks.

HP (HPQ) did not say which brand of smartwatches it tested. However, FierceITSecurity reports that HP did test the devices and their Android and iOS cloud and mobile app components, indicating that the Apple Watch was one of those tested.

HP Fortify found that all the smartwatches they tested were insecure. Jason Schmitt, general manager of HP security at Fortify, said:

[Smartwatches] … will become vastly more attractive to those who would abuse that access, making it critical that we take precautions when transmitting personal data or connecting smartwatches into corporate networks.

HP combined manual testing and automated tools to check the devices against the Open Web Application Security Project’s (OWASP) Internet of Things Top 10 security risks. HP found that data collected on the smartwatch was often sent to multiple backend destinations (often including third parties). The researchers used HP’s Fortify on Demand to find many more smartwatch vulnerabilities (PDF, reg. req).

  • 100% of the watches tested were paired with a mobile interface that lacked two-factor authentication and the ability to lock out accounts after 3-5 failed password attempts.
  • 90% allowed watch communications to be easily intercepted.
  • 70% of the time firmware was transmitted without encryption.
  • Only 50% of tested devices offered the ability to add a screen lock (PIN or pattern), which could hinder access if lost or stolen.
  • 40% of the cloud connections were vulnerable to the POODLE attack, allowed the use of weak ciphers, or still used SSL v2. Transport encryption is critical because personal information is being moved to multiple locations in the cloud.
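The first finding above is a missing control rather than a bug: every watch’s mobile interface would accept password guesses indefinitely. The block below is an added illustration of what that missing control looks like in code; it is not HP’s or any vendor’s code, and the threshold, lock duration, sample account, and password are all constructed for the example. A locked account is refused before the password is checked, so guessing cannot continue during the lock, and unknown account names are counted the same way as real ones.

```python
"""Failed-login lockout for an account-protected interface (constructed example).

Illustrates the control HP reports every tested watch's mobile interface
lacked: lock the account after a small number of failed password attempts.
Added example, not HP's code; thresholds and the sample account are assumed.
"""
import hashlib
import hmac
import os


def hash_password(password, salt=None):
    """PBKDF2-SHA256 with a random 16-byte salt; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(password, salt, digest):
    """Constant-time comparison so timing does not reveal how close a guess was."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


class LockoutPolicy:
    """Tracks failed attempts per account and locks the account for a while
    once the threshold (HP cites 3-5 attempts) is reached inside the window."""

    def __init__(self, max_failures=5, window_seconds=900, lockout_seconds=900):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self._failures = {}      # account -> timestamps of recent failures
        self._locked_until = {}  # account -> time at which the lock expires

    def is_locked(self, account, now):
        return self._locked_until.get(account, 0) > now

    def record_failure(self, account, now):
        """Record one failed attempt; return True if the account is now locked."""
        recent = [t for t in self._failures.get(account, []) if now - t < self.window_seconds]
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
            self._failures[account] = []   # counter restarts when the lock expires
            return True
        self._failures[account] = recent
        return False

    def record_success(self, account):
        self._failures.pop(account, None)


def attempt_login(policy, users, account, password, now):
    """Return 'locked', 'ok' or 'denied'. A locked account is refused before the
    password is examined, so guessing cannot continue during the lock."""
    if policy.is_locked(account, now):
        return "locked"
    record = users.get(account)
    if record is not None and verify_password(password, *record):
        policy.record_success(account)
        return "ok"
    # Unknown accounts are counted too, so responses do not reveal which names exist.
    return "locked" if policy.record_failure(account, now) else "denied"


def simulate():
    """Constructed scenario: five wrong guesses, then the real password both
    during the lock and after it expires."""
    policy = LockoutPolicy(max_failures=5, lockout_seconds=900)
    users = {"alice": hash_password("correct horse battery staple")}  # sample account
    t0 = 1_000_000.0
    outcomes = [attempt_login(policy, users, "alice", f"guess{i}", t0 + i) for i in range(5)]
    outcomes.append(attempt_login(policy, users, "alice", "correct horse battery staple", t0 + 5))
    outcomes.append(attempt_login(policy, users, "alice", "correct horse battery staple", t0 + 905))
    return outcomes


if __name__ == "__main__":
    print(simulate())  # ['denied', 'denied', 'denied', 'denied', 'locked', 'locked', 'ok']
```

The fifth wrong guess trips the lock, the correct password is refused while the lock is in force, and the same password succeeds once the lock has expired. In a real deployment the counters would live in shared storage rather than in memory, and the lock event is worth logging as a detection signal in its own right.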

HP offered recommendations for consumers looking to use smartwatches more securely:

  1. Do not enable sensitive access control functions (e.g., car or home access) unless strong authentication is offered (two-factor, etc).
  2. Enable passcodes to prevent unauthorized access to your data, the opening of doors, or payments on your behalf.
  3. Enable security functionality (passcodes, screen locks, two-factor, and encryption).
  4. Use strong passwords for any interface such as mobile or cloud applications associated with your watch.
  5. Do not approve any unknown pairing requests to the watch.

These security measures are also critical as smartwatches enter the workplace and are connected to corporate networks. HP recommends that enterprise technical teams:

  1. Ensure TLS implementations are configured and implemented properly.
  2. Require strong passwords to protect user accounts and sensitive data.
  3. Implement controls to prevent man-in-the-middle attacks.
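Recommendations 1 and 3 come down to the same client-side settings: negotiate only modern TLS with strong suites, and always verify the server’s certificate and hostname so an interposed server is rejected. The block below is an added example, not HP’s code and not from any product the page names; it uses Python’s standard ssl module to build such a context and to audit an arbitrary context for the weaknesses HP listed (legacy protocol versions, weak ciphers, skipped certificate or hostname verification). The weak-cipher deny-list is an assumption made for illustration.

```python
"""Client-side TLS hardening plus a self-audit (constructed example).

Builds the kind of context HP's recommendations call for and audits any
ssl.SSLContext for the weaknesses HP found. Added example, not HP's code;
the finding strings and the deny-list below are my own choices.
"""
import ssl

# Assumption: a short name-based deny-list is enough for illustration. Real
# deployments should follow a maintained profile rather than this list.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT")


def hardened_client_context():
    """Client context that negotiates only TLS 1.2+ with forward-secret AEAD
    suites and always verifies the server certificate and hostname."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname + system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2 suites only; TLS 1.3 suites are managed separately by OpenSSL.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


def weak_client_context():
    """The kind of configuration HP's findings describe: the server certificate
    is never verified, so a man-in-the-middle goes unnoticed, and legacy
    protocol versions are accepted where the local OpenSSL still allows them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False         # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except ValueError:
        pass  # OpenSSL built without TLS 1.0; the protocol finding then does not apply
    return ctx


def audit_context(ctx):
    """Return human-readable findings; an empty list means the context passes
    the checks implied by HP's enterprise recommendations."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (man-in-the-middle undetected)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are accepted")
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if suite["strength_bits"] < 128 or any(m in name for m in WEAK_CIPHER_MARKERS):
            findings.append("weak cipher suite enabled: " + name)
    return findings


if __name__ == "__main__":
    # Usage: ctx.wrap_socket(sock, server_hostname=host) with the hardened context
    # performs certificate and hostname verification on connect.
    print("hardened:", audit_context(hardened_client_context()))
    print("weak:", audit_context(weak_client_context()))
```

The audit is deliberately run against the context object rather than against a live server, so it can sit in a unit test and fail the build whenever someone relaxes verification to "make a connection work". Whether the legacy-protocol finding appears for the weak context depends on the TLS versions the local OpenSSL still supports; the certificate and hostname findings always do.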

rb-

As smartwatches become more mainstream, they will increasingly store more sensitive information such as health data, and enable physical access functions including unlocking cars and homes. HP’s Schmitt warns that,

Smartwatches … open the door to new threats to sensitive information and activities … vastly more attractive to those who would abuse that access, making it critical that we take precautions when transmitting personal data or connecting smartwatches into corporate networks.

All smartwatches collected some form of personal information, such as name, address, weight, gender, heart rate, and other health information. Given the account issues and weak passwords identified by MobileIron and HP, the exposure of this personal information is a concern. I am calling smartwatches not ready for prime-time.

 


Tablet Notes

The iPad sold three million units in the first 80 days after its April 2010 release. Its current sales rate is about 4.5 million units per quarter, according to Bernstein Research. This sales rate is blowing past records: the iPad is outselling the iPhone and the DVD player, previously the most quickly adopted non-phone electronic product.

Apple iPad Will Fail in the Enterprise

The Apple (AAPL) iPad would ultimately fail in the enterprise. That is what Andy Lark, Dell‘s (DELL) global head of marketing for large enterprises and public organizations, told CIO Australia.

… longer term, open, capable and affordable will win, not closed, high price and proprietary [Apple has] done a really nice job, they’ve got a great product, but the challenge they’ve got is that already Android is outpacing them.

Apple is great if you’ve got a lot of money and live on an island. It’s not so great if you have to exist in a diverse, open, connected enterprise; simple things become quite complex.

Mr. Lark claimed Dell had taken an enterprise approach toward tablet PCs. This approach will ultimately give Dell an edge. Dell has a major stake in Microsoft Windows and the desktop PC market. “We’ve taken a very considered approach to tablets, given that the vast majority of our business isn’t in the consumer space,” he said.

The cost of Apple products was another deterrent to iPad deployments. Dell’s Lark claims that the economics of a fully loaded iPad did not add up. “An iPad with a keyboard, a mouse, and a case [means] you’ll be at $1500 or $1600; that’s double of what you’re paying,” he claimed. “That’s not feasible.”

Despite the company’s history with Microsoft, it has embraced both the Windows Phone 7 and Android operating systems. “…Our strategy is multi-OS,” Lark said. “We will do Windows 7 coupled with Android Honeycomb, and we’re really excited. We think that giving people that choice is very important.”

Outlook on the iPhone and iPad

Help has arrived for Apple (AAPL) iPhone and iPad owners who need access to their Microsoft (MSFT) Outlook e-mail. AppScout says users can check their email even when they don’t have an Internet connection. Pst Mail from Arrow Bit is an iPad app that provides offline access, potentially saving money on the user’s data plan. With the app, you can carry around a year’s worth of messages with you. Pst Mail can interact with the Mail app on your iPhone or iPad to reply to or forward messages. It can also open pst files created with any version of Microsoft Outlook.

AppScout says to find messages in large pst files, Pst Mail includes an advanced search feature. You can search by sender, recipient, subject text, message body, or even attachment name. You can also limit the search to a particular time frame. The developers offer a free lite version of the app in the iTunes Store, which has all the same features as the full version but is limited to the number of messages a user may open in each folder. The full version costs $9.99 in the iTunes app store.

GoToMyPC: iPad App

Citrix (CTXS) has launched an Apple (AAPL) iPad version of GoToMyPC, a remote desktop application that lets you log in to your computer and control it on the go. Until recently, you needed a PC to log in to a remote PC using the service. The iPad app lets you do it anywhere you can get an internet connection on an iPad.

Mobilputing says GoToMyPC is hardly the first app of its type for the iPad. LogMeIn, TeamViewer, Parallels, and Splashtop all offer similar apps. But the GoToMyPC app has tight security features oriented toward business, including 128-bit AES encryption, user authentication, and dual passwords.

Apple Sued Over Apps Giving Information to Advertisers

Apple (AAPL) and Apple app developers have been sued over the collection and sharing of user data with outside companies (which I wrote about here). Two suits were filed in the Northern District of CA against the iPhone and iPad manufacturer. Apple is named in Lalo v. Apple, 10-5878.

Lalo seeks class action status and claims that iPhones and iPads are encoded with identifying devices that allow advertising networks to track what applications users download, how frequently they’re used, and for how long. “Some apps are also selling additional information to ad networks, including users’ location, age, gender, income, ethnicity, sexual orientation, and political views,” reports Bloomberg’s BusinessWeek.

According to Wired, the second suit, Freeman v. Apple, seeks both monetary damages and a court order to stop the profiling. The app makers being sued are Pandora, Dictionary.com, Toss It, Text4Plus, The Weather Channel, Talking Tom Cat, and Pimple Popper Lite.
