The Power of App Vetting: The First Line of Defense Against Enterprise Intruders

Third-party applications deployed within an enterprise environment can inadvertently act as gateways for attackers if not properly vetted before implementation. These applications, while essential to enterprise operations, pose unique security challenges when their vulnerabilities are overlooked or security assessments are neglected during the procurement and deployment process.
Malicious applications and Potentially Unwanted Programs (PUPs) often serve as prime examples of how external apps can become enablers of sophisticated attacks. However, third-party applications adopted for internal use can present an even more significant risk when they might inadvertently expose sensitive enterprise systems.
- Data Leakage as an Attack Vector: When these external applications are not designed with secure data handling practices, they can unintentionally leak sensitive information such as credentials, tokens, or other secrets. This can happen through a variety of vectors such as: insecure local storage, missing or badly applied cryptography, insecure communications, misconfigured cloud storage, etc. Attackers can exploit this information to infiltrate not just individual devices but an entire organizational infrastructure.
- Privilege Escalation: Third-party apps may contain insecure code capable of escalating privileges on a device or modifying the behavior of critical system components. Such vulnerabilities can compromise not only the device but might also lead to exploitation of connected enterprise systems.
These risks highlight the importance of implementing robust app vetting processes before deployment—commonly referred to as vendor security assessment. By prioritizing proactive security evaluations and emphasizing thorough assessment of external applications, organizations can strengthen their first line of defense against potential threats. This approach is critical in ensuring that third-party applications enhance enterprise productivity without compromising security.
Why Proper Application Vetting Can Reduce the Attack Surface for Third-Party Apps
Applications installed within enterprises (but not developed by them) may interact with many services and generally expose a variety of information, creating potential security vulnerabilities.
Exploitable Information in Improperly Vetted Third-Party Apps
- Hardcoded Secrets
  - API Keys: Embedded keys in vendor applications can grant unauthorized access to internal or external services.
  - Database Credentials: Hardcoded credentials provide attackers direct access to sensitive databases.
  - Encryption Keys: Exposure of these keys can allow attackers to decrypt sensitive data.
- Unsecured Tokens and Session IDs
  - Authentication Tokens: Leaked tokens can enable attackers to impersonate legitimate users.
  - Session Identifiers: Poorly protected session IDs can facilitate session hijacking.
- Insecure Configuration Data
  - Environment Variables: Leaked configurations can reveal server details or access settings.
  - Debugging Information: Debug logs or symbols left in production code can expose sensitive implementation details.
- User Credentials and Personal Information
  - Plaintext Passwords: Third-party apps that store passwords in plaintext increase the risk of compromise if the storage is accessed.
  - Personally Identifiable Information (PII): Exposure of user data such as email addresses, phone numbers, or social security numbers can lead to compliance issues and phishing attacks.
- Access to Internal APIs
  - Endpoints for Sensitive Operations: Unsecured APIs can allow unauthorized actions such as financial transactions or system reconfigurations.
  - Exposed Internal Services: APIs designed for internal use but exposed externally can give attackers insights into enterprise infrastructure.
- Log Files and Debugging Data
  - Verbose Error Messages: Stack traces or internal system paths revealed in error messages can guide attackers.
  - Activity Logs: Logs may contain sensitive operation details or user behavior patterns that can be exploited.
- Sensitive Enterprise Data
  - Internal Documents: Embedded documents or files may expose corporate strategies or confidential information.
  - Financial Records: Unsecured financial data could lead to fraud or blackmail attempts.
- System and Network Information
  - Device Metadata: Information about the operating system, its version, or installed applications can assist attackers in crafting exploits.
  - Network Configurations: Revealed IP addresses, domain names, or VPN settings give attackers a map of the corporate network.
- Third-Party Service Integrations
  - Access to Cloud Resources: Misconfigured integrations with services like AWS, Azure, or Google Cloud can expose infrastructure.
  - OAuth Tokens: Leaked tokens for third-party applications can allow attackers to exploit additional services connected to the app.
- Mobile-Specific Vulnerabilities
  - Permission Overreach: Third-party apps requesting unnecessary permissions can be used to eavesdrop, access contacts, or track locations.
  - Clipboard Data: Access to clipboard contents can expose sensitive copied information such as passwords or financial details.
Effective vetting of installed third-party applications must go beyond identifying surface vulnerabilities. It should ensure that:
- Users of the App: Never come into contact with critical details, such as hardcoded credentials or sensitive configurations, either directly or indirectly through app interfaces.
- App Analysts and Security Teams: Are able to thoroughly assess third-party applications before deployment, with proper controls for accessing sensitive information during testing or analysis.
- Other Apps on the Device: Are unable to access or intercept data through shared resources, such as unsecured storage or inter-process communication channels.
Comprehensive vetting processes for third-party applications should create a closed-loop security model where sensitive data is isolated, encrypted, and accessible only by the app's intended secure components under strict conditions. This ensures that no unintended actor—whether human or software—can interact with or exploit such information when enterprises deploy vendor applications within their environment.
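As an added illustration (not Zimperium's vetting tooling), the following Python sketch runs two of the pre-deployment checks implied by the list above over artifacts extracted from a vendor app: a regex pass for hardcoded secrets, and a manifest review for debuggable builds and unjustified sensitive permissions. The secret patterns, the sensitive-permission set and the sample config/manifest are constructed assumptions for the example.

```python
import re
import xml.etree.ElementTree as ET

# Hardcoded-secret patterns for the categories above (AWS key-id format is public; the rest are illustrative assumptions).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_api_key": re.compile(r"(?i)\b(api[_-]?key|secret)\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{16,})"),
    "db_password": re.compile(r"(?i)\bpassword\s*[=:]\s*['\"]?([^\s'\"]{6,})"),
    "jdbc_url_with_creds": re.compile(r"jdbc:[a-z]+://[^\s'\"]*password=[^\s&'\"]+"),
}
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permissions treated as overreach unless the vendor justifies them (assumed policy set).
SENSITIVE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO", "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_SMS",
}

def scan_for_secrets(name, text):
    """Return (artifact, category, line_no) for every hardcoded-secret hit in a text artifact."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for category, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((name, category, line_no))
    return findings

def check_manifest(manifest_xml, justified=frozenset()):
    """Flag a debuggable production build and sensitive permissions not in the justified set."""
    root = ET.fromstring(manifest_xml)
    issues = []
    app = root.find("application")
    if app is not None and app.get(ANDROID_NS + "debuggable") == "true":
        issues.append("debuggable=true: debug tooling and verbose logs reachable on devices")
    for perm in root.findall("uses-permission"):
        pname = perm.get(ANDROID_NS + "name", "")
        if pname in SENSITIVE_PERMISSIONS and pname not in justified:
            issues.append("permission overreach: " + pname)
    return issues

# Constructed sample artifacts standing in for files pulled from an unpacked vendor APK.
SAMPLE_CONFIG = """db.url=jdbc:mysql://db.internal.example:3306/erp?user=app&password=Sup3rS3cret
api_key = "sk_live_0123456789abcdefXYZ"
log.level=DEBUG
"""
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:debuggable="true"/>
</manifest>"""
```

Findings of this kind feed the App Analyst stage of the closed loop: a hit in a vendor build blocks deployment until the vendor ships a fix, and the justified set records permissions for which the vendor has documented a business need.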
The Numbers Speak: Key Exposures in Third-Party Application Vetting
At Zimperium, over the past year we have vetted a significant number of third-party applications through our comprehensive app vetting process. The process compares apps against several standards and best practices, such as MASVS, in addition to our own pool of specific detections. Our 2024 results reveal concerning trends across several aspects of third-party applications. These findings highlight the critical need for enterprises to prioritize proper security assessment of the apps they install:
- Sensitive Information Exposure
  - Users of the App: 3% of flagged third-party apps exposed sensitive data directly through UI elements or error messages.
  - App Analysts and Security Teams: 2% of vetted third-party apps contained insecure debugging tools or logs, leaking critical details like API keys, tokens, or credentials during testing.
  - Other Apps on the Device: 3% of vetted external apps demonstrated insecure storage or shared resource usage, making sensitive data accessible to other applications on the same device.
- Malicious Applications
  - 3% of all third-party apps vetted were categorized as malicious, actively exploiting vulnerabilities or intentionally leaking sensitive information.
- Potentially Unwanted Programs (PUPs)
  - 8% of external apps fell into the PUP category, with behavior ranging from excessive permission requests to inadvertent data leakage that could enable attackers.
Applied to the sheer number of applications involved, these percentages translate into a vast attack surface, before even counting the new third-party apps continually being introduced into enterprise environments. Many enterprises use multiple external applications, each with its own potential vulnerabilities, further increasing the potential for exposure.
These statistics underline the importance of vetting third-party applications, not just as a precaution but as a strategic imperative for enterprises. Without proper security assessment measures for installed applications, the potential for sensitive data leakage—whether intentional or accidental—can directly impact organizational integrity, customer trust, and regulatory compliance.
In the next couple of weeks, we’ll release a series of blog posts emphasizing the need for proper third-party application vetting by showing data from real analyzed applications. Stay tuned!