Mobile Threat Blog


After a very public data breach and the exposure of vulnerabilities in its apps, Equifax recently took down its mobile apps from the Google Play and Apple App stores. While Equifax has provided information about which users are affected by the breach and compensated them with a year of premium services, the impact of the breach on enterprises, and how we can prevent such situations from happening again, remains unclear. The situation also raises questions about the security of other credit reporting apps.

While affected individuals view their Social Security Number (SSN) as the information that matters most in this breach, Appthority would like to emphasize that corporate data can sit alongside personal information. For instance, location and WiFi information are other types of data the Equifax app accesses on user devices, and that data is very likely to be accessible to adversaries together with individuals’ SSNs and credit information. With our dynamic Mobile Threat Protection (MTP) engine, Appthority has visibility into this data access and transfer, as well as into how many enterprises are affected by the breach.

The following two tables show four popular credit-reporting apps with their risk scores* and associated threat indicators on the Android and iOS platforms. As you can see, Equifax is the only app with a risk score of 7 (out of 10, with 10 being the highest risk), driven by sending sensitive data unencrypted. Although other credit reporting apps also make unencrypted connections, no sensitive data is sent over those connections, so they are scored 6, a bit lower than Equifax.

Android

App Name      Package Name                Version   Orgs with App (%)   Risk Score   Score Driver
Equifax       com.equifax                 1.8       9.6                 7            Sends Sensitive Data Unencrypted
Experian      com.experian.android        2.0.1     5.8                 6            Has Permission to Place Calls
TransUnion    com.transunion.TransUnion   3.4.0     3.8                 6            Has Permission to Place Calls
Credit Karma  com.creditkarma.mobile      4.12.2    11.5                6            Sends Data Unencrypted

iOS

App Name      Package Name                 Version   Orgs with App (%)   Risk Score   Score Driver
Equifax       com.equifax.Equifax-Mobile   3.5       19.2                6            Sends Data Unencrypted; Accesses User Location
Experian      com.experian.experianapp     2.0.2     19.2                6            Accesses Address Book; Accesses Camera; Accesses User Location
TransUnion    TransUnion                   3.4.1     17.3                6            Accesses User Location
Credit Karma  com.creditkarma.mobile       4.16      32.7                6            Accesses Camera; Sends Device Name; Accesses User Location

We also notice location, IMEI and camera access from the other credit reporting apps; the data they collect can be leaked if these companies are breached. Note that while there may be legitimate reasons for accessing these data, security-focused enterprises should proactively manage this access and mitigate it as necessary. For instance, all of the credit reporting apps include code for accessing location. While some of them state the reasons for this behaviour in their privacy policies (such as guessing which state the user is in), the location of employees is valuable enterprise information.

Similarly, although credit reporting apps ask for phone call permissions so that users can make in-app calls to their customer service centers, this kind of permission request poses a security risk to enterprises because it can lead to eavesdropping. Our data also shows that Equifax is a fairly popular app among enterprise employees, affecting 9.6% and 19.2% of our enterprises on Android and iOS respectively.

One thing to note about the percentage of organizations with the apps present: enterprise users are more likely to use an iOS device than an Android one. These numbers do not measure the popularity of apps by platform, but reflect the real world environments with more iOS devices, and are not meant to imply that iOS users are more likely to have a credit monitoring app.

WHAT TO DO NOW

Unfortunately, we have been seeing an increasing number of apps in our enterprise environments with risky behaviours such as sending sensitive data unencrypted, as Equifax does. The chart below shows an increasing trend, starting in about 2015, of apps sending sensitive data unencrypted in enterprise environments. It is only a matter of time before another app, web or mobile, contributes to another data breach or compromise. Thus, instead of allowing apps to access and transfer Personally Identifiable Information (PII) unchecked, enterprises should take a proactive approach to managing these apps. Appthority’s Mobile Threat Protection (MTP) provides visibility into these data transfers and risks.

[Chart: Number of apps that send sensitive data unencrypted]

Enterprises can use Appthority risk scores when choosing or recommending apps for employees. In this case, Equifax might not have been the employees’ choice had they known it carried a higher risk score than the other credit reporting apps.

Last but not least, when a breach happens, enterprises should have visibility into how many and which of their employees are affected in order to remediate effectively. For instance, an enterprise should know whether its CEO’s location information is potentially part of the Equifax data breach. This kind of risk management can be accomplished with Appthority’s Mobile Threat Protection (MTP).


* Notes on scoring – Appthority assigns a risk score of 6 or 7 to apps with data-leakage-related behaviours: 6 for apps accessing or sending Personally Identifiable Information (PII) and 7 for apps sending enterprise-related information, such as calendar and address book data. We also include apps with phone call permissions and SMS sending capabilities in this category, since they also make outbound communications that can potentially lead to data leakage. The purpose of our risk scores and risk drivers is to increase the visibility of mobile risks and help security-conscious enterprises manage them more effectively.
