Seasonal Apps May Be Risky –
’Tis the season to be jolly, but when it comes to app security during the holidays, it might not be all smiles and cheer. While the holiday season can be a fun time to explore seasonal apps, security is not always at the forefront. As mobile devices and apps are increasingly being used in the workplace, holiday apps can potentially have negative implications for an enterprise environment. Insecure apps often make their way onto work devices, and seasonal apps are no exception.
For example, because these apps are seasonal, users tend to download them, use them for only a few weeks, then forget about them and fail to delete them. Since these apps don’t receive updates, security improvements and bug fixes don’t arrive until the next holiday season, making it easier for cyber criminals to exploit undetected app vulnerabilities to steal sensitive corporate and private data stored on the device.
Overall, some of the popular app categories that see spikes during the holiday season include holiday fun, shopping, holiday cards, and donation apps. The Appthority Enterprise Mobile Threat Team decided to take a look at some popular apps used during the holiday season. We made a list, checked it twice, and found out which apps are naughty or nice.
Holiday Fun Apps –
Elf Yourself, which allows users to “elf” themselves and become the stars of a personalized video, spikes in downloads inside the enterprise during the holiday season. The major flaw with this app is that it discloses file paths to the source code, meaning it is easy to find information about the developer and their development environment.
In the example below, through the coding of the app, we were able to identify the software developer. In just a few minutes, we were then able to find personal information on the developer, including their LinkedIn and other social network profiles.
“file”: “Payload/Elf Yourself.app/Elf Yourself”,
If these developers are using apps that handle sensitive corporate data, this could give attackers insight on how to attack, or present an opportunity to use social engineering to target phishing attacks. This app is naughty!
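A pre-release check for the kind of leak described above, as an added example that is not Appthority's tooling or code from the original post: it scans a compiled app binary for embedded home-directory build paths and reports the account names they expose. The function name, the ignore list, and the sample bytes (including the account name "jdoe" and the project paths) are constructed for illustration.

```python
import re

# Home-directory roots that embed the build machine's account name.
_HOME_PATH = re.compile(
    rb"(?:/Users/|/home/|[A-Za-z]:\\Users\\)"  # macOS, Linux, Windows
    rb"([A-Za-z0-9._-]+)"                      # account name
    rb"[/\\][\x20-\x7e]*"                      # rest of the path, up to a non-printable byte
)

# Shared or system accounts that say nothing about an individual developer.
_IGNORED_ACCOUNTS = {"Shared", "Public", "Default"}


def find_build_paths(blob):
    """Map each leaked account name to the distinct build paths containing it."""
    leaks = {}
    for match in _HOME_PATH.finditer(blob):
        account = match.group(1).decode("ascii")
        if account in _IGNORED_ACCOUNTS:
            continue
        path = match.group(0).decode("ascii").rstrip()
        paths = leaks.setdefault(account, [])
        if path not in paths:
            paths.append(path)
    return leaks


# Constructed sample: NUL-separated strings as they would sit in a binary's
# string table, e.g. left behind by __FILE__ in assertion or logging macros.
SAMPLE_BINARY = (
    b"\xcf\xfa\xed\xfe\x07\x00\x00\x01"
    b"/Users/jdoe/Projects/HolidayApp/Classes/VideoViewController.m\x00"
    b"\x00\x10assertion failed\x00"
    b"/Users/jdoe/Projects/HolidayApp/Classes/ShareManager.m\x00"
    b"/Users/Shared/Library/cache\x00"
    b"/usr/lib/libobjc.A.dylib\x00"
)

if __name__ == "__main__":
    for account, paths in find_build_paths(SAMPLE_BINARY).items():
        print(f"account '{account}' exposed by {len(paths)} path(s):")
        for path in paths:
            print("  " + path)
```

Run as a release gate, any non-empty result should fail the build. Clang and GCC accept -ffile-prefix-map= to rewrite such prefixes at compile time, which removes the account name from both __FILE__ strings and debug information.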
Shopping Apps –
During the holidays, many people use shopping apps to help make sure that everything is under the tree come Christmas morning. However, shopping apps like ShopSavvy, Shop Advisor, Amazon, and Walmart all show signs of risky behavior – they’re naughty apps! The apps operate in the background, even when not in use. While Shop Advisor and Amazon both encrypt PII (Personally Identifiable Information), ShopSavvy and Walmart transmit PII without encryption. Given the financial information included in app transactions (personal and corporate payment information), encryption is of critical importance.
Holiday Card Apps –
One great way to spread holiday cheer is to send your co-workers a digital holiday card. But apps like SomeEcards, JustWink, and 123Greetings all send personal data to third parties like ad and social networks. 123Greetings in particular found a lump of coal in its stocking: this app requests a lot of access on the device, such as the address book, permission to place calls, and the ability to send SMS messages. However, Got Free Cards made the nice list for not collecting lots of user information and not doing much other than sharing some data with ad networks.
Donation Apps –
The holiday season is a great time for giving back, and apps can make it easy to find good causes and make donations a simple and easy task. Just like mobile shopping, donation apps can be risky if they do not handle financial information correctly. Thankfully, the One Today app made our nice list! This app got it right: it is not too obtrusive and it implements encryption, allowing the app to securely handle the influx of traffic around the holidays.
So this season, have fun with your holiday apps, but don’t forget about app security: before spring rolls around, be sure you’ve deleted all those seasonal apps. From the Appthority family to yours, Happy Holidays and a great New Year!