Mac and iOS apps stealing user data — an enterprise take
Reports claiming numerous apps distributed through Apple’s App Store are secretly exfiltrating user data should be an alarm call to enterprise CIOs. It signals a new battlefront in the eternal enterprise security wars.
The enterprise risk of personal data
On the surface, the data being extracted is kind of … personal, such as location and browser histories. Information like that provides additional insight into what individual users are up to. Why should that concern an enterprise?
That’s a rhetorical question, of course. Most enterprise security professionals recognize that any form of data exfiltration poses an overall challenge.
The security environment is becoming increasingly complex. And criminals are getting better at combining data from multiple sources to identify targets, identify individuals, and turn this knowledge into cold hard cash.
We also know that as Apple makes its platforms more secure, criminals who still choose to target the platform are becoming much more sophisticated.
They will even pay $15 for Apple ID data, and there is a huge market in preconstructed phishing and hacking tools online. A Malwarebytes survey earlier this year claimed malware attacks on Macs climbed 270 percent in 2017.
Upgrade threat intelligence
Wickie Fung of Palo Alto Networks has warned: “Enterprises must insist on complete pervasive security visibility in their environment, including users, applications, data and threats.”
Staff must be educated about the risk of installing unapproved apps.
Enterprises must put procedures and protocols in place to protect against installation of data exfiltrating apps – in doing so, they must also recognize that users will turn to third-party apps that do things more efficiently than those the organization provides, and they should subject those apps to swift security analysis.
It is also important to check if existing threat intelligence systems are capable of identifying instances in which rogue apps are covertly stealing data.
The recently identified apps tend to parcel up the data they take to upload to remote servers – threat intelligence systems must recognize such transactions.
The risks are real
Phishing attacks are much more effective if they are precisely targeted according to user habits – and users are still the weakest link in the security chain.
Criminals understand (as did Cambridge Analytica) that the value of data extracted from multiple data stacks far outweighs that held inside any single stack. Analytics systems enable such data to be identified and weaponized.
There’s money in these practices, and the potential to find information that helps infiltrate otherwise robust computing systems, as a recent College of Behavioral & Social Sciences cybercrime study found.
Information concerning a target’s browsing habits can become a malware-infested message designed and personalized to that user, increasing the chance of successfully infecting the end user’s machine to place an exploit that becomes critical to undermining enterprise security.
While it seems way too convenient that these revelations concerning a security flaw in the App Store model emerge just as Apple prepares to announce new mobile devices, it seems unwise to dismiss them.
It is also apparent that while the news tarnishes Apple’s security model, it’s inevitable other platforms will also experience covert data grabbing through otherwise innocuous apps.
Any responsible platform developer should already be taking robust steps to protect against this, including insistence that apps maintain strict (and transparent) data protection policy, as Apple now demands.
This stuff matters. All the apps recently identified as rogue by Malwarebytes, Sudo Security, and security researcher Patrick Wardle would (I think) have been breaking the new data privacy rules Apple now insists developers follow.
Not only that, but developers of those apps would have been required to take much more responsibility for any data they chose to exfiltrate, under Apple’s new rules.
Taking such information without securing a user’s express consent is absolutely forbidden.
Apple CEO Tim Cook has often stressed the position that “privacy to us is a human right, a civil liberty.”
These days, we should all recognize that the price of protecting such rights is eternal vigilance.
Honey traps for the rest of us
The apps engaged in these practices should be seen as honey traps:
Adware Doctor, for example, promises something users want – to eradicate unwanted advertising online, but it fails to inform them that it will grab browser histories to covertly send to unknown servers based in China.
The fact that the app was one of the top apps distributed at the App Store adds another layer of risk. We’ve all learned that apps distributed through the store tend to be trustworthy. Apple must now apply much more strict security checks for any apps listed in the top 100 apps in any country at any store in future.
However, enterprise security chiefs must also educate users of this new emerging App Store risk and advise against installing any relatively obscure app on any enterprise device on any platform unless chosen from an approved list.
I mentioned gray IT: Users will use third-party solutions if they are better or easier to use than enterprise-provided apps. That means enterprise security teams must assess and verify the security of popular third-party apps used on their networks, as those apps will be used no matter how many memos are published. Best practice advice will be a far more effective response than top-down admonition against using such apps.
Keep on top of the latest security threats with the 2018 Threat Report.
This blog is provided for informational purposes only and may require additional research and substantiation by the end user. In addition, the information is provided “as is” without any warranty or condition of any kind, either express or implied. Use of this information is at the end user’s own risk. CenturyLink does not warrant that the information will meet the end user’s requirements or that the implementation or usage of this information will result in the desired outcome of the end user.