By Vincent Smyth, Senior Vice President EMEA, Flexera Software
A recent research report shows that a large proportion of the more than 40,000 major mobile banking apps available today contain code that allows them to exhibit excessive permissions, potentially compromising banks’ data security and that of their employees and customers. However, malicious code is not the only source of risk financial institutions must worry about.
Many CIOs are not aware that many seemingly harmless mobile apps allowed onto their networks exhibit risky behaviours – such as accessing personal and confidential information like the phone’s location, the owner’s details and text messages. These risky apps often violate banks’ Bring Your Own Device (BYOD) policies, but because the risky behaviour is unknown to the institution, enforcing the policy is impossible. An example of such an app is Flashlight, which allows a device to be used as a torch. The makers of this app secretly recorded personal user information and passed that data on to advertisers.
The threat that risky app behaviours present to banks is high, as most IT teams don’t have the same insight into and control over mobile app behaviours as they do over traditional enterprise software. Without understanding what risky behaviours mobile apps are capable of, and how, ensuring security is impossible and banks’ BYOD policies are virtually unenforceable.
So what can banks do?
They must take a comprehensive approach to managing the mobile application lifecycle – similar to what is already undertaken in the desktop, cloud and web environments. To do this, banks must have tools and processes in place to test mobile apps, including their own, to understand their behaviour and to identify whether any app functions may pose risks to the organisation.
Application Readiness reduces mobile app risk
Banks have been adopting Application Readiness best practices, processes and technology to prepare enterprise apps for internal rollout – whether they’re physical, virtual, cloud or desktop. This provides a standardised best practice method for reliably and predictably testing, packaging and deploying apps into the enterprise.
By automating these Application Readiness processes, IT has gained essential insight into application behaviour, resulting in a very stable, reliable and secure application environment. These same Application Readiness processes and technology can and should be extended to testing mobile apps and app behaviours. For instance, Application Readiness tools can perform application reputation scanning, which examines app properties and configuration to determine the mobile device features that the app uses. The tool then issues a report that can be used to establish policies defining which behaviours are risky. These policies can be used by the Application Readiness solution to automatically identify risky apps, allowing IT to manage them appropriately.
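The scan-then-policy step described above, as an added illustration that is not Flexera’s tooling or code from the article: it reads the permissions a hypothetical torch app declares in a constructed Android manifest, compares them with an assumed BYOD policy covering the location, owner-detail and text-message behaviours mentioned earlier, and produces a report with a verdict.

```python
# Added example (not Flexera's product): a minimal "app behaviour" scan that reads
# the permissions an Android package declares and checks them against a BYOD policy.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest for a hypothetical torch app that also asks for location,
# contacts and SMS access, echoing the Flashlight case described in the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>"""

# Assumed policy: device features the bank treats as risky for BYOD apps.
RISKY_BEHAVIOURS = {
    "android.permission.ACCESS_FINE_LOCATION": "reads device location",
    "android.permission.ACCESS_COARSE_LOCATION": "reads device location",
    "android.permission.READ_CONTACTS": "reads owner/contact details",
    "android.permission.READ_SMS": "reads text messages",
    "android.permission.RECEIVE_SMS": "reads text messages",
}

def declared_permissions(manifest_xml: str) -> list[str]:
    """Return the permission names a manifest declares, in document order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]

def scan_app(manifest_xml: str, policy: dict[str, str] = RISKY_BEHAVIOURS) -> dict:
    """Compare declared permissions with the policy and build a report."""
    perms = declared_permissions(manifest_xml)
    findings = {p: policy[p] for p in perms if p in policy}
    # Network access plus any sensitive read means the data can leave the device.
    exfil_path = "android.permission.INTERNET" in perms and bool(findings)
    return {
        "package": ET.fromstring(manifest_xml).get("package"),
        "permissions": perms,
        "risky": findings,
        "can_transmit_sensitive_data": exfil_path,
        "verdict": "block" if findings else "allow",
    }

if __name__ == "__main__":
    report = scan_app(SAMPLE_MANIFEST)
    print(report["package"], "->", report["verdict"])
    for perm, why in report["risky"].items():
        print(f"  {perm}: {why}")
```

A real Application Readiness pipeline would extract the manifest from the packaged app and feed the report into the policy engine; the verdict here only shows the shape of that decision.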
Identifying and effectively managing risky mobile apps not only minimises risk, but also enhances the user experience. Employees can use authorised apps with confidence, knowing they’ve been thoroughly vetted. And security officers will have greater confidence that danger has been averted, either by avoiding apps that exhibit risky behaviours or by eliminating those risky behaviours before the apps are allowed access to the corporate network.
Applying existing processes to mobile
Many banking organisations today are adding new teams to deal with mobile apps and app security. However, existing teams should already have all the experience necessary. IT organisations that already leverage Application Readiness best practices and technology to safely and reliably deploy enterprise apps can easily extend these same processes to mobile apps – both externally and internally developed. In doing so, banks will simultaneously improve operational efficiency and ensure a standardised process for deploying all applications. Adding mobile apps simply involves extending the familiar process to additional formats, operating systems, and deployment solutions such as mobile device management systems.
For instance, Application Readiness teams have already proven their ability to deal with new formats (application virtualisation) and new operating systems (Windows 8). The same teams are also likely to be involved in preparing desktop apps for mobile device access via Citrix/RDS. So using a single, standardised and consistent Application Readiness process across all enterprise applications, including mobile apps, makes sense. Leveraging existing teams’ knowledge and efficiency translates into greater IT agility and lower cost in maintaining Application Readiness.
Even the most innocent mobile apps can pose tremendous risk to banks that are unaware of how their design and function can access sensitive data and, potentially, disseminate that data in violation of BYOD policies. Banks must take a comprehensive approach to managing the entire enterprise application lifecycle – including mobile apps – and leverage existing staff, expertise and technology to test mobile apps, understand their threat potential, and take appropriate measures. Importantly, all these approaches are relevant for banks’ own apps too and must be followed with equal vigour.