Symantec Mobile Threat Defense: Reducing Risky App Threats with Robust App Vetting

In the last few months, our research team at Symantec’s Modern OS Security unit has uncovered various, widely-used apps in enterprise environments that are commonly believed to be safe but have given us much reason to think otherwise. We revealed that hundreds of iOS and Android apps, including several used by enterprises on a daily basis, were leaking sensitive data and asking for excessive permission to users’ email and cloud storage. It’s not news that among the top mobile security challenges that enterprises face today are risky apps. The problem is that, beyond apps containing malware or malicious behavior, more and more of the risk is coming from trusted apps that inadvertently leak sensitive corporate data.

These risky apps, however secure they are perceived to be, contain security flaws that can be exploited by malicious actors, resulting in credential theft, financial loss, ransomware, and privacy violations, among other risks. Mobile malware captures the big headlines in the media, but the reality is that although malicious apps pose a threat with severe consequences, enterprises do not encounter malware apps as often as they do vulnerable apps. While mobile threat defense (MTD) solutions are generally focused on detecting and protecting against malicious apps, they leave much to be desired in terms of addressing the more common risky or unwanted behavior in apps.

To cover this gap, Symantec acquired Appthority at the end of 2018, equipping our market-leading MTD solution, Symantec Endpoint Protect Mobile (SEP Mobile), with best-of-breed Mobile Application Reputation Service (MARS) capabilities. Since then, Appthority’s technology has been baked into SEP Mobile, giving our customers the most complete and robust defense against all mobile attack vectors including: physical, malware, network, content, OS vulnerabilities and risky apps. Appthority’s technology is a key addition to Symantec, helping to deliver on our promise of comprehensive mobile security that combines the best of MARS and MTD, to improve organizations’ overall security posture.

Non-malware app risks

Organizations that focus solely on protection from malware (malicious apps) are turning a blind eye to the considerable threat coming from risky apps that are not blatantly designed with malicious intent. As noted by Appthority research, “Malware is just the visible tip of the iceberg atop a vast and growing array of mobile app threats that pose significant and costly data exposure, data exfiltration, privacy and compliance risks.” In fact, as Apple and Google take substantial measures to keep malicious apps out of their app stores, research shows that non-malware app risks are far more prevalent than malware. Apps with unsafe behavior, such as data leakage or communication with suspicious websites, are not flagged by app stores, making it more likely that mobile users will engage with them.

It doesn’t help that among these risky apps are business apps that are widely-used and trusted by organizations. Employees rely on these apps for work, believing their data is secure, when in fact data may unknowingly be exposed to malicious actors. Our research found that more than half of enterprise mobile devices have apps that fail to protect users’ highly sensitive data in the cloud. Gartner corroborates the risk, pointing out that that nearly 1 out of every 5 business and industry apps leaks personally identifiable information (PII).

The breadth of data that is left unprotected by enterprise apps or apps frequently used in enterprise is startling. Not only is sensitive data exposed by poorly built apps on-device, it is also exposed in apps’ back-end data stores.  As part of our ongoing HospitalGown vulnerability research, we found that hundreds of apps in the App Store and Google Play allow broad access to user data stored in Amazon S3 – access that goes far beyond the scope of what is needed by these apps. Out of all the instances where we detected AWS credentials in an app, 46% of the time we were able to access all Amazon S3 data buckets for the account without even requiring a username or password. To reiterate, the sensitive corporate data leaked by these apps was left world readable. With little to no protection over this data, attackers could read, modify, ransom, and delete files in a bucket. Data that could be accessed includes medical claims, algorithms, legal documents, invoices, compliance records, CRM data, BI/analytics, AWS data, logs and backups. Overall, our research reveals that 41% of enterprises have an app installed that allows unrestricted Amazon S3 access, putting massive amounts of corporate data at risk of exposure. SEP Mobile can test apps, and their backends, for vulnerabilities, at scale - something no other MTD solution can do.

Why enterprises should care about app analysis

App vulnerabilities such as HospitalGown mentioned above are often harder to detect than malware, requiring advanced, deep analysis. This includes, for example:

• Static analysis – examining the app code
• Dynamic analysis – looking at how the app behaves at run time in a monitored sandbox
• Backend analysis – looking at app traffic to identify what data is transferred, how it is secured, and where it is going
• Monitoring the security of each back-end server that an app communicates with

Analysis should be continuous and automated, extending to every new and old version of an app, on every device in a mobile environment, and across various app stores globally. Solutions that only conduct app analysis in an on-demand manner are insufficient for protecting enterprise data at scale because: they do not cover multiple versions of a given app in an environment, they do not perform real-time and up-to-date risk assessments, and they do not have the backend infrastructure required to analyze massive amounts of apps and app versions.

Advanced, enterprise-grade app analysis is crucial for capturing a range of risks such as poor encryption, malicious behavior, data exposure vulnerabilities in code, and security compliance violations on a large scale. Without such analysis, vulnerabilities can go undetected for months or years, increasing the risk of a costly data breach.

Robust enterprise-grade app vetting

SEP Mobile’s integration of Appthority’s powerful app analysis engine gives customers the ability to protect their data from threats across the entire app risk landscape including malicious code, data vulnerabilities, code vulnerabilities, and suspicious/unwanted behaviors.

The analysis engine determines an app’s risk by looking at various factors including its behavior, communications, and standards violations. A sample of the threat indicators we look at includes:

• Apps trying to install additional apps
• Apps trying to record users’ screens
• Vulnerabilities such as HospitalGown or misusing the Oauth authorization protocol to request excessive permissions
• Apps leaking any information
• Apps trying to access unwanted and/or malicious content (gambling, phishing, illegal, etc.)
• Apps violating app security or privacy regulations such as OWASP, GDPR, and HIPAA

What differentiates our app analysis from others on the market is the scale and depth at which it occurs. For an organization with thousands of employees, the number of unique apps in their environment at any given time can reach the tens of thousands. Automated app analysis at this scale is difficult for other vendors to replicate, especially considering that we don’t only monitor all of the different apps in each organization, but also the different app versions installed across employee devices. Furthermore, the list of active apps is very dynamic, and changes on an hourly basis. This list includes free apps and paid apps across a wide range of app categories.

With the Appthority acquisition, SEP Mobile gained the world’s largest and most robust app reputation database. This, together with Android app information we leverage from Symantec’s Global Intelligence Network, has allowed us to analyze app risk on employee devices that have older version apps (stale apps) or apps that have been removed from app stores but still reside on employee devices (dead apps). Other MTD vendors can not analyze stale or dead apps as the binaries are no longer available for download from the app store. This presents a huge security blindspot. In contrast, SEP Mobile with Appthority has app versions dating back to 2011, providing the broadest app security coverage.

In the SEP Mobile management console, customers get full visibility and reports about an app’s attributes including: its risk level, the permissions it requests, its vulnerable behaviors, the websites and countries it communicates with, its regulatory violations, and more.

Protection against unwanted & vulnerable apps

With Appthority’s rich app insights integrated into SEP Mobile, security teams can set an “unwanted apps” policy that is unique to their needs and unmatched in terms of the breadth, depth, and granularity of rules that can be set to flag risky apps. Admins can use the policy to mark apps exhibiting specific behaviors, such as having certain vulnerabilities or communicating with malicious or inappropriate websites, as unwanted in their environment.

Once a policy is in place, organizations can use SEP Mobile’s on-device protection actions to secure a device from any apps found to be risky or in violation of the corporate security and privacy policy. Upon the completion of deep analysis (this happens automatically for every app, every version, on every device), any policy-violating apps can, for example, be quarantined or removed from an Android device. On iOS devices, access to sensitive corporate resources can be blocked if an app is found to violate the compliance policy, thereby ensuring that sensitive data does not leave the device.

Additionally, admins can assign a risk level and classification to app conditions in the unwanted apps policy. The risk level can be leveraged in the mobile security compliance policy to determine device non-compliance. This helps to reduce cyber fatigue as, rather than handling each threat separately, protection and enforcement actions can be activated automatically based on device risk. Protection actions also automatically kick in according to the individual app risk.

Comprehensive enterprise mobile security

As our research shows, business apps are often developed in-house or by third-party developers who don’t always keep enterprise security top-of-mind. Further, both in-house and third-party app developers heavily leverage 3rd party SDKs (software developer kits) which introduce others’ code (and vulnerabilities) into apps. Insecure development practices can expose enterprises to critical vulnerabilities and data leakage from apps where sensitive corporate and personal information is likely to reside. This is why advanced, enterprise-level security assessments for such apps is critical. The most effective MTD solutions will have integrated MARS capabilities, giving customers the visibility and insights needed to protect against both malicious and risky apps.

With integrated Appthority technology, SEP Mobile provides enterprises protection not only against the entire gamut of app risks, but also against the broadest spectrum of threats affecting modern endpoints and operating systems. Our award-winning technology, massive threat intelligence, and extensive app reputation database provides enterprises with the most comprehensive mobile security coverage. SEP Mobile’s integration of Appthority’s technology is constantly evolving to offer more capabilities and value, strengthening our customers’ overall security posture.

Michael Bentley, research engineer at Symantec’s Modern OS Security team which includes Appthority, contributed to this article.