Average Large Enterprise Has More Than 2,000 Unsafe Mobile Apps Installed on Employee Devices

Mobile enterprise environments increasingly targeted by embedded spyware, adware and back-doors, according to analytics from Veracode’s cloud-based security platform

BURLINGTON, Mass. — March 11, 2015 – Veracode, a leader in protecting enterprises from today’s pervasive web and mobile application threats, today released analytics from its cloud-based platform showing that, based on the mobile applications it assessed, the average global enterprise has approximately 2,400 unsafe applications installed in its mobile environment. To address this challenge, Veracode has now integrated security intelligence from its cloud-based mobile application reputation service with mobile device management (MDM) solutions from all major MDM vendors, including AirWatch by VMware, MobileIron and Fiberlink, an IBM company.

Based on an analysis of hundreds of thousands of mobile applications installed in actual corporate environments – across various industries including financial services, media, manufacturing and telecommunications – Veracode found 14,000 unsafe applications of which:

  • 85 percent expose sensitive device data, including SIM card information such as phone location, call history, phone contacts, SMS message logs, device IDs and carrier information.
  • 37 percent perform suspicious security actions, such as checking to see if the device is rooted or jailbroken (which allows applications to perform superuser actions such as recording conversations, disabling anti-malware, replacing firmware or viewing cached credentials such as banking passwords); installing or uninstalling applications; recording phone calls; or running other programs.
  • 35 percent retrieve or share personal information about the user such as browser history and calendars, often sending sensitive information to suspicious overseas locations and allowing attackers to develop a complete profile of users and their social connections.

According to Gartner, “Through 2015, more than 75 percent of mobile applications will fail basic security tests.” At the same time, cybercriminals and nation-states are constantly looking to exploit insecure applications in order to steal corporate intellectual property, track high-profile individuals or insert aggressive adware for monetary gain.

This creates a challenge for enterprises that want to increase productivity and employee satisfaction by providing BYOD programs or corporate-owned devices. Modern MDM and enterprise mobility management (EMM) systems are designed to enforce corporate policies on managed devices, but need an automated and scalable mechanism for maintaining up-to-date information about thousands of unsafe apps that are constantly being added to public app stores around the world.

Existing approaches for addressing unsafe mobile apps, such as manually curated blacklists, are difficult to scale because of the sheer size and constantly changing nature of the problem. As a result, they either fail to keep up with mobile threats or frustrate employees by prohibiting apps for no reason.

Automated App Blacklisting for All Major MDM/EMM Solutions

Veracode’s integration with MDM solutions reduces enterprise risk by enabling organizations to automatically enforce corporate policies on all their managed devices. In particular, the integration allows organizations to implement policy-based controls such as automated application blacklisting. Veracode’s application reputation intelligence is continuously updated and based on risk profiles from hundreds of thousands of mobile applications assessed using Veracode’s behavioral analysis and machine-learning technology.

“Many mobile apps are unsafe because they unknowingly access insecure third-party libraries and frameworks in the software supply chain – while other apps have been specifically designed to perform malicious actions,” said Chris Wysopal, Veracode co-founder, CISO and CTO. “Veracode’s automated cloud-based reputation service and MDM/EMM integrations were purpose-built to address the speed and scale required to effectively secure employee devices in global enterprise environments.”