Mobile Threat Blog


A recent advancement in crash reporting SDKs lets developers record in-app screens, so that they can see the exact state of an app before it crashed. In enterprise mobile environments this creates a new data-leakage risk: third-party SDKs increasingly record mobile screens for debugging purposes and send the recordings to external servers outside the enterprise's control.

Poor developer practices may lead to unintended recording of sensitive data

These SDKs record whatever is on the user's screen, including sensitive fields such as passwords and credit card numbers, unless developers proactively flag those fields as sensitive during development, as the Appsee and TestFairy developer guidelines instruct. This is not hypothetical: there has already been a privacy incident in which users' zip codes were recorded and sent back to servers without users' knowledge or consent.

Prevalence of Mobile Apps with Screen Recording Capabilities on Enterprise Devices

Appthority found that several apps with this screen capturing ability can also open corporate documents, as shown in the following table. This increases the risk of corporate documents being leaked to third parties, where enterprises cannot exercise control.

Document type            No. of apps with AppSee SDK   No. of apps with TestFairy SDK
Can open MS Word         33                            19
Can open MS Excel        13                            0
Can open MS PowerPoint   13                            0
Can open PDF             142                           32


Top 5 Apps with Access to Corporate Documents and Screen Recording Ability

Application name                    Package name                          File hash
AutoCAD                             com.autodesk.autocadws                8690f08631491748c3a84a116415d538
Speechify- #1 Natural Voices        com.cliffweitzman.speechifyMobile2    e0f83bd2c32675e5fb2ca3d02aeb5f75
ChartSpan                           com.chartspan.chartspanapp            68ac663dcd257839e93012fa4a305127
ItsMyChild                          com.pcus.itsmychild                   142f1250776467868ed57f06aa1b9585
Speechify: Text to Speech OCR       com.cliffweitzman.speechifyMobile2    77140786310e7eef3b7a04d9859c533f


Enterprise visibility into apps with access to corporate data

In addition to the apps above, which combine access to corporate documents with screen recording capability, enterprise security teams should pay extra attention to apps that combine screen recording with access to other corporate data, such as address books and calendar information.

We encourage developers using these debugging tools to follow best practices in order to protect their users' privacy. Companies that record user behavior should, at a minimum, host the recordings in a private cloud, use corporate Single Sign-On to access the online services, hide sensitive data at the SDK level, and, most importantly, include a clear statement in their terms of service explaining to users how the data is handled and how to request deletion of their information.

Appthority customers can use a combination of these Threat Indicators to identify risky behaviors in managed public and private apps:

  • Capture Screenshots
  • Uses AppSee SDK
  • Uses TestFairy SDK

Non-compliant apps should be removed from the enterprise mobile environment to avoid the risk of corporate data leakage.
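The following Python script is an added example, not Appthority's tooling or the threat-indicator logic behind the table above. It shows how an enterprise team could reproduce the two checks this post combines: whether an app registers intent filters to open Word, Excel, PowerPoint or PDF documents (read from its AndroidManifest.xml), and whether its class list contains a screen-recording SDK or a screen-capture API. The SDK package prefixes (com.appsee., com.testfairy.), the grouping of MIME types per document type, and the use of android.media.projection classes as a screen-capture indicator are assumptions made for the example; the class list is assumed to come from a dex parser, and the manifest and class names below are constructed sample input.

```python
"""Flag apps that combine document-opening intent filters with screen recording.

Example code added for illustration; it is not Appthority's analysis engine.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumption: an app "can open" a document type if an <intent-filter> declares
# one of these MIME types (or a wildcard that covers them).
DOC_MIME_TYPES = {
    "MS Word": {
        "application/msword",
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
    },
    "MS Excel": {
        "application/vnd.ms-excel",
        "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
    },
    "MS PowerPoint": {
        "application/vnd.ms-powerpoint",
        "application/vnd.openxmlformats-officedocument.presentationml.presentation",
    },
    "PDF": {"application/pdf"},
}

# Assumption: Java package prefixes the SDK classes live under; verify against the SDK jar.
SDK_PACKAGE_PREFIXES = {
    "Appsee": ("com.appsee.",),
    "TestFairy": ("com.testfairy.",),
}

# Assumption: references to the MediaProjection API indicate direct screen capture.
SCREEN_CAPTURE_PREFIXES = ("android.media.projection.",)


@dataclass
class AppFinding:
    package: str
    document_types: set
    sdks: set
    captures_screenshots: bool

    @property
    def risky(self) -> bool:
        """Risky = opens corporate documents AND records the screen by any means."""
        return bool(self.document_types) and (bool(self.sdks) or self.captures_screenshots)


def document_types_opened(manifest_xml: str) -> set:
    """Return the document types the app registers to open via its intent filters."""
    root = ET.fromstring(manifest_xml)
    mimes = set()
    for intent_filter in root.iter("intent-filter"):
        for data in intent_filter.iter("data"):
            mime = data.get(f"{{{ANDROID_NS}}}mimeType")
            if mime:
                mimes.add(mime.lower())
    if "*/*" in mimes or "application/*" in mimes:  # wildcard filter matches every document type
        return set(DOC_MIME_TYPES)
    return {name for name, types in DOC_MIME_TYPES.items() if types & mimes}


def sdks_present(class_names) -> set:
    """Return the screen-recording SDKs whose classes appear in the dex class list."""
    return {
        sdk for sdk, prefixes in SDK_PACKAGE_PREFIXES.items()
        if any(cls.startswith(prefixes) for cls in class_names)
    }


def analyze(manifest_xml: str, class_names) -> AppFinding:
    """Combine the manifest and class-list checks into one finding for the app."""
    package = ET.fromstring(manifest_xml).get("package", "<unknown>")
    return AppFinding(
        package=package,
        document_types=document_types_opened(manifest_xml),
        sdks=sdks_present(class_names),
        captures_screenshots=any(cls.startswith(SCREEN_CAPTURE_PREFIXES) for cls in class_names),
    )


# Constructed sample input: a viewer app that opens PDF and Word files and bundles TestFairy.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.docviewer">
  <application>
    <activity android:name=".ViewerActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <data android:mimeType="application/pdf"/>
        <data android:mimeType="application/msword"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

SAMPLE_CLASSES = [
    "com.example.docviewer.ViewerActivity",
    "com.testfairy.TestFairy",
    "com.testfairy.utils.Strings",
    "okhttp3.OkHttpClient",
]

if __name__ == "__main__":
    finding = analyze(SAMPLE_MANIFEST, SAMPLE_CLASSES)
    verdict = "remove from managed environment" if finding.risky else "no combined risk"
    print(f"{finding.package}: opens {sorted(finding.document_types)}, "
          f"SDKs {sorted(finding.sdks)}, screen capture API: {finding.captures_screenshots} -> {verdict}")
```

The wildcard handling matters in practice: a viewer that declares `*/*` or `application/*` never names Word or PDF explicitly but still receives every corporate attachment the user shares to it, so a check that only matches exact MIME types would miss it.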
