Status of App (in)Security: A look at common risky behaviors in the top 400 iOS and Android Apps

Domingo Guerra

Sat, 27th September 2014


Speaker Bio 1:
Domingo Guerra (@SundayWar) is the President and part of the founding team at Appthority (@Appthority), The Authority in App Security.

Domingo has Product Design & Development experience as well as New Product Introduction & Operations experience across multiple industries. As a Mechanical Engineer for Applied Materials (Semiconductor Manufacturing Industry), he led design and development projects in the Robotics space, securing two patents and winning multiple design awards. With Program & Project Management roles at Brocade Communications (Datacenter Networking Industry), Domingo led large cross-functional matrix teams in the introduction of both hardware and software enterprise products.

Domingo holds a BS from The University of Texas at Austin, an MS from Stanford University, and an MBA from Santa Clara University.

Learning Objectives:

Domingo will explain:

  • The status of the app ecosystem in terms of security and privacy.
  • How security and privacy impact organizations due to BYOD (Bring Your Own Device) and BYOA (Bring Your Own Apps).
  • The differences in risky app behaviors and trends seen between free vs. paid apps, iOS vs. Android apps, and games vs. business apps.

Questions and answers

Max, Concise Courses:
11:11 From a customer perspective, are you seeing any particular take-up of your service from any particular vertical, and conversely, are there any industries that you think really should be using your service?

Domingo Guerra:
Our theory when we started the company (again, we all have security backgrounds) was that healthcare and financial were going to be the two biggest verticals because they have a large compliance component to factor into their IT policy. We did confirm those two verticals, but we were quite surprised that some of our biggest customers were in manufacturing, technology, automotive, and oil and gas. They have a lot of corporate data, and they have a very tech-savvy percentage of their workforce. A lot of their employees have smartphones that are either corporate-issued or personal and can access corporate data, so they have a large BYOD problem or BYOA problem.

Some of the large financials are still heavily reliant on Blackberry; although Blackberry is dying, it still has a large install base. As they get rid of Blackberry, BYOD will increase there. The other companies that didn’t have a strong Blackberry grasp have migrated faster to iOS and Android.


Max, Concise Courses:
12:13 What’s the latest with the Android “Master Key” Vulnerability? CyanogenMod have released a full patch right?

Domingo Guerra:
So yes, for those on the call that might not know, there was a master key vulnerability on Android that allowed apps to behave in a way that they were not meant to behave and provide updates with the same signature as the previous app, so the device couldn’t tell that a new app had been installed even though it might have been a malicious package. That has been fixed for Google Play but not necessarily for other app stores. Definitely the latest operating system for Android also allows that fix to spread quicker; however, not all users are doing their upgrades. From an IT perspective, that is a priority: to always try to keep users on the latest Android version. There is a lot of documentation on Android systems, and it is definitely a difficult task.

Max, Concise Courses:
In fact, we actually have one of the lead researchers, Jeff Forristal, on the show next month discussing the vulnerability, so this question is very topical.


Max, Concise Courses:
13:36 Are we not entering a safer era now because Android’s permissions and sandboxing mechanisms prevent most Android apps from installing other apps without explicit permission from the end user?

Domingo Guerra:
Correct. We are getting better in terms of rogue or malicious apps. A lot of our discoveries are that it is not only malicious apps that we need to worry about; it is about training our users and educating our user base to not share too many permissions. Frankly, a lot of these apps are requesting more data than they need, and with that data it is difficult to separate corporate data and personal data, because our address books and calendars have the data merged. Our email is the same as well. Apps that can read email, text messages, pictures, calendars or address books always end up putting corporate data at risk at the same time.


Max, Concise Courses:
14:49 Do you have to buy each app in order to analyze them?

Domingo Guerra:
At Appthority we do have to end up purchasing those apps. We get to spread that cost around our user base. Again, we have 200 organizations that are our customers right now, and we receive many requests per day from enterprises asking about apps. The great thing is that if we have analyzed the latest version of the paid app, we don’t have to re-buy it every time a customer asks for it. We have hashes, static sizes, dynamic sizes, version controls of the app and twelve different parameters to make sure that it is the same binary file. If it is the same binary file, we just give it a score instantaneously without having to re-purchase the app.


Max, Concise Courses:
15:14 Is rooting your phone and installing a ROM more dangerous and if so what’s your recommended ROM?

Domingo Guerra:
Yes, it is more dangerous. We did a survey with our customers (about two hundred of them), and we also held a survey at the Black Hat security conference and at the AirWatch security conference, where we received more feedback.

One of the top concerns I hear from administrators with rooting Android devices and jailbreaking iOS devices is that it circumvents a lot of the patching that has been done by both Apple and Google. From a vendor perspective I can’t necessarily endorse one ROM over another. There are some that are safer than others. The theory is that none would be as safe as staying with the traditional Google- or Apple-provided operating systems.


Max, Concise Courses:
16:15 Have you noticed any changes to privacy risk with iOS 7?

Domingo Guerra:
iOS 7 is interesting because it allows a ‘per-app VPN’, which is really a great tool to strengthen your MDM [Mobile Device Management], so our customers that have an MDM are now able to say, ‘I want to grant VPN access to this app or that app.’ Unfortunately, it is a great muscle and enforcer, but [does not have] a great brain or [level of] intelligence. The customer still has to come up with a list of which apps to allow into the VPN and which ones not to.

For example, is Concur [a popular app] safe enough to use as an expense management tool, and can we plug it into our servers and feed it financial data? That is how tools like Appthority are being used: to help make that decision. Most of the advances of iOS 7 are on device security. So, the fingerprint analysis on the iPhone 5S is huge, because now employees can have an alphanumeric password to encrypt their device and still log in quickly. However, they didn’t do too much to address app security; it is more about device security and being able to encrypt the device.


Max, Concise Courses:
17:19 Some of the apps have access to the corporate address book. What if the corporate address book was consolidated into a secure app – would that help?

Domingo Guerra:
Absolutely. We helped our customers implement different container approaches where they are able to build containers for corporate data or keep an address book separate from the general address book. A lot of apps on both Android and iOS ask for permission to access the global address book, so in that sense, if the corporate address book app is synced with the global device address book, even if it is in an outside sandbox, it still could be an issue. So, if there is a secure container or a secure app for contacts, we just have to make sure that it doesn’t sync with the global contacts or the global calendar on the device.


Max, Concise Courses:
18:23 Do you regularly scan the latest version of each app? Does this just happen automatically, for example if it gets more or fewer permissions in newer versions?

Domingo Guerra:
Absolutely, we treat every new version as a new and unique app, because we don’t know what the developer might have added or changed within the app. Our system automatically detects that in two ways: [firstly], we crawl app stores all over the world, and secondly, and the faster method, is our large install base. So, we already work with multiple MDMs; we have partnered with MobileIron and AirWatch, for example. Whenever a new MobileIron- or AirWatch-managed device installs an app, it automatically syncs to the corporate app catalogue, and that automatically pings our system, so within minutes we are able to tell them that there is a new app version installed on that device, and it triggers a scan automatically.


Max, Concise Courses:
19:19 What’s on your roadmap? What are some new things you are doing next?

Domingo Guerra:
We just launched, in September 2013, an automatic policy builder to give customers a checklist. We have a dropdown of about 45 to 50 behaviors, and instead of just taking the Appthority score, which is from zero to 100 (‘zero’ for malware and ‘100’ for a perfect app), we let our customers build their own score. The same app that might be safe for an engineering firm might not be for a financial services firm. Therefore, instead of giving all the apps the same score, we now let our customers toggle the behaviors that they care about. Maybe for me [for example] it is sharing the address book, accessing the microphone and taking pictures – maybe I work in an environment where I don’t allow that, so now we filter those behaviors and affect that score.

On the roadmap: we currently support iOS, Android and Blackberry. We are adding Windows at the end of Q4, and then we are also integrating more with the top MDM players.


Max, Concise Courses:
20:18 Also, how do you think Samsung KNOX will affect the app risk market?

Domingo Guerra:
Samsung KNOX is a great example of what you can do when you customize Android or fortify Android. They are trying to provide a ‘safe-for-enterprise’ Android version. I think it is going to be successful, especially when you have the power of Samsung behind you, with their budget and a large global presence. They also have large agreements and partnerships with IT, so when IT is picking between corporate-issued devices, they now also have the option of picking a Samsung KNOX device.

The difficulty is for environments where ‘corporate-assigned’ is not prevalent, where the corporation can’t purchase a large fleet of devices and employees start bringing their own devices. That is when a corporation would have to convince their users to purchase a KNOX device instead of purchasing whatever device they want, so that is the main difficulty surrounding BYOD.