Though fun and even useful, free apps can pose security risks to your users and your business
The old adage “there’s no such thing as a free lunch” has more than a kernel of truth to it when it comes to free applications. Free apps seem harmless, and they’re very tempting. Who doesn’t want a free version of Angry Birds? What’s wrong with a free banking app from your credit card company? But even when the app itself is legitimate and thoroughly vetted, it can still pose a security risk to the device it’s running on and, through that device, to everything the device connects to. Free apps are more dangerous to your employees and your network than they appear at first glance.
People can easily download a wide range of free apps for their smartphones and tablets as well as for your company’s computers. From wildly popular games like Angry Birds Space (which was downloaded three million times in only three days) to fitness trackers and social media tools, there’s a free app for anything anyone would want to do on his or her mobile device. Likewise, the Internet is teeming with free apps to customize desktops and work more easily. But the problem with free is that the program’s use is almost always paid for through advertising or information gathering, and those are the aspects where the danger usually lies.
Apple’s App Store and the Google Play Store do generally check each program for viruses and malicious intent before offering it for download. But they don’t vet the ads. Ads are not shipped inside the app; they stream at run time from ad servers, and because one server can stream many different ads to any particular app, the stores’ review process cannot reveal all of the threats that might reach a device through them. An ad can point to a malicious website, carry a virus, or drop malware onto the device. In effect, streamed ads give attackers a way around the marketplace controls.
If the “free to use” payment doesn’t come in the form of ad streaming, then it’s likely to come through back-end data collection. A free app could be collecting data about the user, or even business data or activities, on the user’s smartphone or computer. Some data collection is straightforward: users fill in their contact information, which will be used for marketing, and are then allowed to download the app. Other data collection can happen without the user’s knowledge, through an app running in the background and capturing credit card numbers, addresses, phone numbers, and other information useful for identity theft or account takeover. Spyware has also been discovered that captures information without the user’s knowledge, for example from a salesforce.com client or an online banking site.
It takes just one download to impact a network
It takes only one person downloading one bad app to wreak havoc on your network. If a compromised smartphone connects to your local network, the malware on it has a path to every other system on that network, and the compromise can spread across your business systems rapidly.
Even though many of these free apps are downloaded to personal devices like iPhones and Android-based smartphones, you can still take some steps to protect your business from them. The first step is education. Make sure employees are aware of the risks posed by free apps and understand how to spot potentially malicious software. Teach employees to avoid downloading free apps as much as possible and, when they do download one, to ask what the app is for and how it makes money for its creator. Some apps truly are free and harmless. But if you can’t tell how the developer is making money from it, it’s best not to download it. Also, encourage employees to check an app’s reviews before downloading it, if only to make sure they’re not among the first 1,000 test subjects.
The second step is to install security software on employees’ smartphones (or to require that they install it in order to connect to your network) that helps protect against mobile malware and viruses. For instance, a monitoring tool like Lookout Mobile Security checks apps for viruses and for possible privacy and security issues. A monitoring tool may also look for apps running in the background and for abnormal activity.
The third step is to use web and content filtering technologies on your network, such as those in the Cisco ASA 5500 Series Adaptive Security Appliances. A security appliance like the ASA 5500 Series is generally chosen to protect the local network, but it also provides an indirect yet effective way of guarding against threats that arrive through, or are aimed at, employees’ personal devices. Filters can block users on personal devices from visiting known malicious sites and can block undesired or malicious types of content both from your network and to the device. Consider also separating your network into virtual LANs (VLANs) so that personal devices sit on their own segment and their traffic is isolated from your business systems. (See this post to learn more about using VLANs on the small business network.)
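As an added example (not part of the original post and not Cisco’s own sample configuration), the fragment below shows how the two measures just described fit together on an ASA 5505: a dedicated VLAN for employee-owned devices that can reach the Internet but not the business LAN, plus HTTP inspection that drops requests for a blocked host. The interface names, the addresses, and the domain in the regex are placeholders chosen for illustration.

```text
! Assumed layout (placeholder names and addresses, not from the original post):
!   Vlan1 = inside  (business systems, 192.168.1.0/24)
!   Vlan2 = outside (Internet uplink)
!   Vlan3 = byod    (employee-owned devices, 192.168.3.0/24)
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 nameif byod
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
! Put the switch port that serves the BYOD wireless access point on the BYOD VLAN
interface Ethernet0/3
 switchport access vlan 3
!
! Personal devices may reach the Internet, but never the business LAN
access-list byod_in extended deny ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list byod_in extended permit ip 192.168.3.0 255.255.255.0 any
access-group byod_in in interface byod
!
! Drop HTTP requests whose Host header matches a blocked domain
! (single placeholder domain; in practice feed this from a maintained blocklist)
regex blocked_host "malware\.example\.com"
class-map type regex match-any blocked_hosts
 match regex blocked_host
!
class-map type inspect http match-all blocked_http
 match request header host regex class blocked_hosts
!
policy-map type inspect http block_sites
 parameters
 class blocked_http
  drop-connection log
!
policy-map global_policy
 class inspection_default
  inspect http block_sites
!
service-policy global_policy global
```

Three caveats a practitioner should keep in mind. First, the ASA 5505 Base license allows three VLANs but restricts the third from initiating traffic to one of the other two, so a fully routed three-segment design like this one needs the Security Plus license. Second, HTTP inspection only sees plaintext HTTP; the same site reached over HTTPS is not matched by the Host-header regex, so a DNS- or reputation-based filter is still needed for encrypted traffic. Third, the interface ACL is only half of the isolation: the BYOD subnet still needs its own NAT rule to reach the Internet, and the access point on that VLAN should not bridge to the business SSID.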
More and more employees are bringing their own devices to work, and, inevitably, they will download and install free apps on them. In the end, the goal for small businesses is finding a reasonable way to allow those users access to your network with their own devices. As the Cisco 2011 Annual Security Report states, companies and their employees must find common ground, “with the company recognizing the individual’s need to use the device of his or her choice and the worker understanding that the company must do whatever is necessary to enforce its security policy.” For some small businesses, that might mean banning free apps from employees’ smartphones, tablets, and computers that connect to their network.
What is your company’s policy about downloading and installing free apps on devices on your network?