Securing Agency Devices: The Critical Need for Mobile App Vetting

Authors: Gary Bradt & Krishna Vishnubhotla

In today’s digital landscape, the use of mobile devices within public sector agencies has become a norm. However, when these agency-issued devices are allowed for personal use, Chief Information Security Officers (CISOs) face significant challenges in ensuring the security of these devices. A primary concern is the installation of risky public applications by employees and contractors, which can jeopardize the security and integrity of agency data. This blog will explore the various types of risky apps and the concerns they pose, emphasizing the need for stringent mobile app vetting processes.

Risky Applications and Their Concerns

1. Applications from Companies Banned by the U.S. Government
   • Concern: Spying and Disrupting U.S. Communications
   • Context: Apps developed by companies banned from U.S. government usage pose a significant threat. These applications can be used as tools for espionage, allowing adversaries to spy on government communications, intercept sensitive information, and disrupt operations. Agencies must ensure that such applications are strictly prohibited on agency-managed devices.
     
2. Third-Party File Sharing and Cloud Storage Applications
   • Concern: Unsecured Data Storage
   • Context: Third-party file sharing and cloud storage applications can create vulnerabilities by storing agency data in unsecured locations outside the organization. This can lead to unauthorized access, data breaches, and loss of sensitive information. Agencies need to implement strict policies to prevent the use of unapproved file-sharing and cloud storage apps.
     
3. Third-Party Virtual Private Networks (VPNs)
   • Concern: Data Exploitation by Foreign Adversaries
   • Context: While VPNs are essential for secure remote access, using third-party VPNs with servers in foreign adversary countries poses a risk. These VPNs can exploit data, compromising the security of agency communications. It is crucial to restrict the use of unauthorized VPNs and ensure that only approved, secure VPN services are used.

4. Outdated Third-Party Messaging Applications with Known Vulnerabilities
   • Concern: Remote Code Execution, Data Corruption, and Phishing Attacks
   • Context: Messaging applications that are outdated or have known vulnerabilities can be exploited to execute remote code, corrupt data, and facilitate phishing attacks. Agencies must ensure that any messaging apps used are up-to-date and have robust security measures in place to protect against such threats.

The Need for Stringent Mobile App Vetting

To mitigate these risks, agencies must implement stringent mobile app vetting processes. This involves:

• Regularly updating the list of approved and banned applications: Keeping an up-to-date list of applications that are permitted or prohibited based on their security profile.
• Conducting thorough security assessments: Evaluating the security posture of apps before they are allowed on agency-managed devices.
• Implementing Mobile Threat Defense (MTD) solutions: Using advanced MTD solutions to detect and prevent the installation of risky applications.
• Educating employees and contractors: Raising awareness about the risks associated with installing unapproved apps and encouraging adherence to security policies.

How can Zimperium Help

Zimperium’s automated app vetting solution, provides a comprehensive assessment of third-party apps within minutes. This assessment includes the following key pieces of information: 

• Privacy Assessment & Ratings – A privacy summary focused on the application’s access to privacy data, including (but not limited to): user data, contacts, user identifiers, adware, SMS, and insecure data storage.
• Security Assessment & Ratings – The security summary focuses on risks contained in the application. These risks include (but are not limited to): risky functionality and code use, application capabilities, critical vulnerabilities and threats.
• Malware Classification – Determines whether the app contains any malicious code patterns.
• Dangerous Permissions –  Highlights permissions that expose sensitive data and make the app vulnerable to abuse and exploitation. 
• Identify Non-Compliant Apps – Informs you whether the apps violation key industry standards such as OWASP, GDPR ,MITRE, PCI  etc. 

An assessment produces a Technical and Executive report that can be downloaded in PDF format and shared with other stakeholders.  

You can learn more about Zimperium’s Mobile App Vetting solution here.