Let’s talk about the top 3 hidden threats inside workplace or enterprise mobile apps. The work from home (WFH) trend and increased use of personal mobile devices, known as BYOD or “Zero Trust” devices, combined with the growth in workplace apps have opened the door for a new variety of mobile threats to emerge quickly. Enterprise IT, security and developers of workplace apps are just now wrestling with ways to protect against these emerging threats.
It’s probably worth saying that these threats aren’t really that “hidden.” They are the “modern threats” that face workplace and enterprise apps and users of workplace apps, and they are often not very well understood. These threats can’t be solved by Unified Endpoint Management (UEM), Mobile Application Management (MAM) or Identity Access Management (IAM) models. To adequately protect mobile work and the mobile workforce against these threats, requires a new level of protection. Let’s jump in..
Why Cyber-Criminals Target Workplace & Enterprise Apps
Mobile apps are on a dramatic rise in the workplace. The new realities of the modern workplace, necessitated by the pandemic, have provided the perfect storm for mobile app usage and growth to explode. Not only are mobile apps at the center stage of daily work and personal life, but the diversity of mobile apps work has also proliferated. We love our mobile apps and we use lots of them, both at work and at home.
Workplace and enterprise apps sit at the intersection of multiple intertwined and highly regulated functional and operational part of every business. These mobile apps connect to critical systems of record (CRM, BI, HR, HCM, Finance, etc.), each of which involves the handling and storage of highly sensitive financial data, personally identifiable information (PII), and HR-related information, product or customer data and more. Because of this, corporate IT end-users often assume that the workplace apps are protected from malware and other in-app exploits. They are not.
Cyber-security objectives for mobile apps in the workplace or in the enterprise often focus on business data protection and access control to business networks and protected resources. However, new threats to the way we use apps for work are forcing enterprise IT, security, and the mobile workforce to recalibrate their mobile app cybersecurity objectives to protect the worker, the work, and business resources all in one. Here’s why…
#1 Malware Hidden Inside Fake Workplace Apps
Let’s say your workplace tells you “Bobby, here at ABC company we use Adobe Reader or Microsoft Word.” That sounds ok and it is. So, you go to the web or the app store and download those apps. But, what if – instead of downloading the real app – the app you download was a clone or fake version of the app you needed for work. It even looked and behaved just like the real workplace app. Inside this fake workplace app was hidden malware that was programmed to find and attack other apps that you have running on your device. This happened last year when EventBot was discovered. EventBot hid inside Adobe and Microsoft Word apps and, once installed, harvested user names and passwords of 1000s of mobile banks. This year, we saw the same thing with MailChimp and there are several other examples of malicious Trojan apps masquerading as utility apps like calculators, battery life extenders, and system update apps, you name it. In all cases, the user thinks they are downloading a legitimate workplace app, but they are actually downloading a fake replica of an app that has been “weaponized” to carry out malicious activities against them. To prevent your workplace app from becoming a Trojan for malware, I recommend at a minimum investing in anti-tampering, anti-repackaging protections for your workplace app.
#2 Weaponized Enterprise or Workplace Apps
Long before a cyber-attack occurs, cybercriminals will do a ton of research to understand how a mobile app functions, for example by decompiling the app to analyze the source code and application logic (aka static analysis), or by running the app in a controlled environment and observing how the app behaves and how it interacts with the OS and anything that connects to it (aka dynamic analysis). And yet another class of tools and frameworks take dynamic analysis a step further by hooking into the app, instrumenting it, changing the app’s behavior, and injecting malicious code while the app is running. Cybercriminals use powerful dynamic instrumentation tools like Frida to hook into applications, connect to running processes and deliver malware by injecting custom JavaScript or other code into a running application. This allows the attacker to change the app’s behavior to carry out malicious functions. For example, they might repurpose (aka weaponize) the app to launch a credential stuffing attack against any of the enterprise endpoints or server addresses it finds stored inside the app, using brute force techniques to gain access. Better yet, if the cyber-criminal could socially engineer the employee’s password, they could merely use the app itself to carry out the attack, impersonating the legitimate user. Ideally, the best defense against this class of attack is to prevent the app from being weaponized in the first place. That entails protecting apps against static and dynamic reverse engineering, including anti-tampering, anti-debugging, preventing static binary patching, and validating checksums. Of course, if your app has already been reverse engineered, you can prevent the use of the ‘go to’ tools that hackers use to carry out and scale their automated attacks, including preventing ADB misuse, preventing Frida and preventing the use of the workplace app with emulators.
#3 Workplace Apps Open Backdoors on Zero Trust Devices
In Enterprise IT and security, you’ll hear a lot of talk about the threats of BYOD and “Zero Trust” mobile devices. However, one of the key things to remember with Zero-Trust mobile devices is that malware is likely to be on the device before the workplace app is installed. That malware is designed to scan the mobile device for workplace apps and, if designed properly, could insert malicious permission requests during the set-up process of a workplace app.
Or the malware might run in the background and monitor the user’s actions when installing or setting up the workplace apps, looking for unprotected network connections or logging keystrokes, or invoking a screen overlay, all to extract data from the mobile workforce as they use the app. Your IAM and UEM/MAM systems will not protect your app against these threats. To properly defend against this class of threat requires in-app protections such as overlay prevention, keylogger prevention, preventing abuse of accessibility services, and more. Developers of workplace apps should also consider more traditional workplace app defenses such as jailbreak/root prevention, mobile app Data Encryption, and extend the encryption protection to secure and safeguard all API data (keys, secrets, URLs, tokens, etc.) stored in the code of the app, as well as encrypting data in Preferences in iOS apps, and shared preferences in Android apps. Adding these in-app protections will help you safeguard mobile user privacy and protect the confidential data of the employee and employer alike.
Conclusion
Protecting workplace apps against the new and emerging dynamic and multi-dimensional class of threats requires a new approach. Enterprise IT, security, and developers of enterprise apps need to approach the problem of securing workplace apps in a way that matches the dramatically altered work patterns of the modern workplace – where mobile is the primary way work gets done and the organization has little control over the environment. Employees also expect and demand that the apps they use for work protect not only corporate data, but also their own personal data. At the same time, the developers and enterprises also need to think about the threat landscape from multiple dimensions, to match the ways that threats are carried out. This means protecting apps both against weaponization, as well as protecting apps from being the targets of apps that are weaponized.
If you’re interested in learning how you can immediately step up your mobile app security game to the next level, drop me a line and I’d be happy to show you exactly how you can protect your apps – all without changing the way you build apps today.
Reach out for a live demo.
Request a Demo
