The Grey Area in App Behaviors: It’s Not Malware, But It’s Still a Concern

Beyond the glitzy hardware and the mind-blowing specs of your smartphone and tablet, the real factor for determining functionality comes from the apps. Most apps are not out do harmful things, but some are.

Malware, by definition, are apps that are out to do subversive and often harmful things. They are operating on a hidden agenda of the attacker’s design. There’s no question that malware is something that must be prevented as part of an enterprise mobile security strategy.

One challenge here is that some app behaviors are not so easily defined. There’s a range of behaviors that fall into a grey zone, because they make use of personal data in unexpected ways. Many apps access information about the mobile device, the user, app data, location, and contacts, sometimes for purposes unknown because the app doesn’t even need the information. With all the network services available via a mobile device, that also means this data can be sent to third parties as well.

In many cases, there are a few reasons for these activities, including ambivalence about the permissions granted to an app and the growing use of third party mobile ad network libraries. In the former, the permissions granted come as a result of the click-through presented to users when they install an app. Most users do not pay close attention to what these permissions do or why they’re necessary, they just want to use the app.

Many app developers use mobile ad networks to create a source of income for apps that are otherwise very cheap or free. These ad networks sometimes take very aggressive measures to collect user information. We have seen these ad networks used for the delivery of malicious code as well.

Thus, we have a growing grey area of apps that may not be malicious in the same vein as malware, but could aggressively collect end user information often without the user’s knowledge. This presents a set of dangerous conditions because the user isn’t fully aware of what’s happening, the data is being shared outside of the context of the device, and there’s no transparency on what’s happening with the data once it leaves the device.

These conditions create a large, undefined problem space: what are apps trying to do with your data and do you know about it? Researchers from Carnegie Mellon University have sought to address this issue by grading apps based on metrics for privacy concerns. The results are interesting, because they do shine light on just how many issues exist, and how even very popular apps are not as straightforward as they might appear to be.

The article does call attention to the prevalence of issues in apps targeted at children. I suspect this is largely to do with the economics of children’s apps, as the casual games market typically relies on free-to-play models subsidized by advertising or in-app purchases, thus introducing the third party library that performs additional data gathering.

Today, people expect to use both personal and business apps on the same device. Whether it’s a personally owned device or a corporate device, there are going to be mix of non-business apps installed on it as well. As a result, the concern over how to protect data on mobile devices becomes far more complex, as bad actors cover a gamut of privacy and security behaviors.

As your mobile security strategy evolves, consider how you will plan to address apps and threats. From one standpoint, your organization must clearly take a proactive stand to stop malware and spyware. But you should also consider protecting data from the apps that fall in this grey area: not exactly malware, but definitely a concern. This requires protecting business data and keeping it away from the other apps installed on the device. All of these efforts should be applied and tied together with network security to enforce policy.

These are all principles that underline the philosophy behind GlobalProtect, the mobile security solution from Palo Alto Networks. To learn more about GlobalProtect, visit our resources page here.