Sideloaded Applications: The Risk of Fewer Restrictions


Would you trust an application on your device from a third-party app store? Would you trust that same app store on the endpoints connected to your corporate infrastructure?

The premise of a third-party app store is relatively innocent on the surface: hundreds of repositories exist to let mobile device users get the apps they want without some of the hurdles that stand in their way. Beyond that, some app developers provide direct-download options that use sideloading to bypass app store controls altogether. In the traditional endpoint space, none of these alternative distribution channels feel out of the ordinary to a conventional user; downloading an installer from a vendor's website is how desktop software has always been distributed.

But for mobile endpoints, it’s a different story. What happens if those apps aren’t being vetted by the official app store?

Google Android and Apple iOS devices both come pre-installed with their own app stores, filled to the brim with everything a user could want. Protected under an umbrella of processes from automated security scans to human review, applications must meet published guidelines to be accepted into these stores and made available to users. That review is not a guarantee (malicious apps do periodically get through), but it is a meaningful filter, and the user has increased confidence in an application that carries the approving nod from Apple or Google (referred to here as the OEMs).

But outside these OEM app stores, there exist alternative channels that don't have these layers of confidence built in. While some third-party app stores are OEM alternatives from the likes of Samsung and Huawei, most exist as large app repositories that let publishers bypass existing rules, controls, or fees to deliver their app to the masses. Available on both Android and iOS (on iOS typically through abuse of enterprise or developer signing certificates, or on jailbroken devices), these alternative app stores often behave like a black market: the available app could be identical to the official one, or an elaborate copy and decoy, and the only reliable way to tell is to take the package apart and inspect its signing certificate and code. Since most mobile users won't be decompiling the app they just installed, these alternatives have become rife with malicious code.

Simply put, unofficial app stores cannot be trusted. They put users, enterprises, and all the data they access at risk.

Another rising trend in the mobile application world is to offer a download directly from the developer's website, circumventing the controls, restrictions, and management that come with OEM stores. Paired with instructions on how to sideload, these direct methods have been used to deliver applications to mobile endpoints after they were removed from the official store for security or privacy concerns, for refusing to accept the store's terms of service, or because of regional restrictions.

While most third-party app stores run through browser-accessed repositories, some have formalized their process with their own on-device store app. On Android, both approaches require the user to allow installation of apps from unknown sources (since Android 8 this is a per-app "Install unknown apps" permission, REQUEST_INSTALL_PACKAGES, granted to the browser or store app rather than a single global toggle); on iOS, the equivalent step is trusting a developer or enterprise provisioning profile. Either way, the standard safety checks of the OEM app store are bypassed. These unmanaged, unprotected store applications open mobile devices up to risks and vulnerabilities, and are sometimes used to deliver malware directly to the user's phone.

Circumventing the established protocols for code verification, app management, and security leaves users exposed to vulnerabilities that might not have been caught during development. And while many of these developers are putting in the hard work to deliver genuine products, sideloaded applications are outside the purview of app store updates: the user must update them manually, so a patched version may never reach the device at all.
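A practical first check for the problems described above is to ask each managed Android device how its packages got there. The following is an added example, not Zimperium's code or tooling: it parses the output of `adb shell pm list packages -i` (one `package:<name>  installer=<installer>` line per package) and labels each package as preinstalled, store-installed, sideloaded (no installer recorded), or installed by a non-store package such as an alternative store app. The trusted-installer set, the sample `pm` output, and the sample system-package list are all constructed for this example, not captured from a real device.

```python
import re
from typing import Dict, FrozenSet

# Installer package names of first-party / OEM stores. This set is an
# assumption for the example; extend it with the stores your fleet allows.
TRUSTED_INSTALLERS = frozenset({
    "com.android.vending",              # Google Play
    "com.sec.android.app.samsungapps",  # Samsung Galaxy Store
    "com.huawei.appmarket",             # Huawei AppGallery
})

# `adb shell pm list packages -i` prints one line per package:
#   package:<package-name>  installer=<installer-package-or-null>
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")

# Constructed sample output (not captured from a real device).
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.sec.android.app.samsungapps  installer=null
package:com.example.altstore  installer=null
package:com.example.game  installer=com.example.altstore
package:com.example.bankclone  installer=null
"""

# Constructed equivalent of `adb shell pm list packages -s` (system packages).
# Needed because preinstalled apps also report installer=null.
SAMPLE_SYSTEM_PACKAGES = frozenset({"com.sec.android.app.samsungapps"})


def parse_pm_list(text: str) -> Dict[str, str]:
    """Map package name -> recorded installer ("null" when none was recorded)."""
    installers: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            installers[m.group("pkg")] = m.group("inst")
    return installers


def classify(installers: Dict[str, str],
             system_packages: FrozenSet[str] = frozenset()) -> Dict[str, str]:
    """Label each package by how it reached the device.

    preinstalled      - part of the system image
    store             - installed by a trusted first-party/OEM store
    sideloaded        - no installer recorded (adb install, manual APK, ...)
    third-party-store - installed by a package that is not a trusted store
    """
    labels: Dict[str, str] = {}
    for pkg, inst in installers.items():
        if pkg in system_packages:
            labels[pkg] = "preinstalled"
        elif inst in TRUSTED_INSTALLERS:
            labels[pkg] = "store"
        elif inst == "null":
            labels[pkg] = "sideloaded"
        else:
            labels[pkg] = "third-party-store"
    return labels


def triage(text: str,
           system_packages: FrozenSet[str] = frozenset()) -> Dict[str, str]:
    """Parse `pm list packages -i` output and label every package."""
    return classify(parse_pm_list(text), system_packages)


def flagged(labels: Dict[str, str]) -> Dict[str, str]:
    """Packages an admin should look at: not preinstalled and not from a trusted store."""
    return {p: l for p, l in labels.items() if l not in ("preinstalled", "store")}


if __name__ == "__main__":
    result = triage(SAMPLE_PM_OUTPUT, SAMPLE_SYSTEM_PACKAGES)
    for pkg, label in sorted(flagged(result).items()):
        print(f"{label:<18} {pkg}")
```

Treat the result as triage, not proof: the installer field is whatever the installing app reported, it is empty for preinstalled apps, and a third-party store that was itself sideloaded (the `com.example.altstore` chain in the sample) will show up as the installer of everything it delivered. To confirm whether a flagged package is the genuine app or a repackaged copy, pull the APK and compare its signing certificate (for example with `apksigner verify --print-certs`) against the fingerprint the developer publishes.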

Is it worth the risk?

OEM app stores are consumer-friendly repositories with layers of local control to keep apps updated to the latest versions and to give users the information they need. And while many organizations rely on mobile device management (MDM) for their environment, those tools are built around configuration: on a fully managed Android device an MDM can block installation from unknown sources outright, but it cannot assess what an installed app actually does, whatever the app's origin.

In the end, the only way an IT and security team can be confident that the mobile applications connecting to their network are secure is with mobile threat defense (MTD). Securing these highly accessible devices against the risks and vulnerabilities found in both OEM and third-party app stores, and protecting against other common attack vectors, raises a team's security confidence while minimizing the attack surface. While users control the device in hand, the IT and security teams retain granular control to secure enterprise data.

“MTD products not only prevent attacks but also detect and remediate them. MTD focuses on identifying and thwarting malicious threats, rather than relying on device management configuration to protect against simple user mistakes.” – Gartner

While enterprises continue to expand data access from mobile devices, they need to approach the security of these endpoints with the same mindset as traditional devices. With more means of connectivity, communication, and portability, the enterprise attack surface is already broad without the added risk of third-party app stores. Enabling teams to stay ahead of attacks, scan and remediate risky applications, and close these security gaps keeps enterprises mobile and secure.

About Zimperium

Zimperium, the global leader in mobile security, offers the only real-time, on-device, machine learning-based protection against Android, iOS, and Chromebook threats. Powered by z9, Zimperium provides protection against device, network, phishing and malicious app attacks. For more information, visit www.zimperium.com.

Richard Melick
Mobile Threat Intelligence