Mobile security: Enterprise data via mobile is the next frontier for cyber criminals

By Domingo Guerra


2018 will be the year cyber criminals focus on enterprise mobile security weak spots, exploiting them to harvest sensitive information. All organizations face new security challenges as their workers increasingly go mobile and use a rapidly expanding number of apps. With employees accessing more valuable corporate information on mobile devices and storing more sensitive data on them, criminals see apps and their weak cloud back ends as an easy way in.

Mobile security vulnerabilities are a huge target for hackers

Hackers aren’t just going in the front door via malware and man-in-the-middle attacks. They now are also sneaking in through the back door, taking advantage of vulnerabilities in legitimate apps that can expose sensitive corporate data. In fact, these legitimate apps are collecting massive amounts of corporate data and, in some cases, inadvertently leaking that data to hackers who know where to look for it.

Most apps today gather specific data about the user that isn’t necessary for the app’s use, such as the user’s physical location, calendar entries, and even access to cloud storage accounts. This data is often shared with third parties, and even leaked through poor encryption and developer practices. Hackers understand that mobile apps are their new frontier. That’s why the next major attack likely to make headlines will almost certainly be a mobile breach.

App vulnerabilities are on the rise

A recently discovered vulnerability, dubbed HospitalGown, highlights the risk that looms when mobile apps send enterprise data to unsecured back-end databases. Because of HospitalGown, hundreds of enterprise apps are leaking over 43 terabytes of data, all due to simple human error: failure to secure back-end data stores.

Some of this data already has been accessed and ransomed. Another vulnerability, called Eavesdropper, puts millions of pieces of sensitive call and text message data at risk because developers hardcoded the administrative credentials to their cloud accounts into the apps they built. They then used these same credentials to build other apps and store other data, putting all of it at risk for any criminal willing to put in the trivial effort to locate these credentials in the app code.
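As an added illustration (not part of the original article), the sketch below shows how a security team might audit its own decompiled app sources for the Eavesdropper pattern: credential-like literals embedded in code, and the same credential reused across several apps. The regex heuristic, the function names and the sample sources are assumptions constructed for this example.

```python
import hashlib
import re
from collections import defaultdict

# Assumed heuristic: a credential-like identifier assigned a quoted literal
# of 16 or more characters. Real scanners add provider-specific patterns.
CRED_RE = re.compile(
    r'(?i)\b(\w*(?:secret|token|passw(?:or)?d|api_?key|auth)\w*)'
    r'\s*[:=]\s*["\']([^"\'\s]{16,})["\']'
)

def find_hardcoded(source):
    """Return (identifier, literal) pairs that look like embedded credentials."""
    return [(m.group(1), m.group(2)) for m in CRED_RE.finditer(source)]

def fingerprint(value):
    """Short hash so reports never contain the credential itself."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]

def audit(apps):
    """apps maps app name -> {file path: decompiled source text}.
    Returns (findings, reused): findings is a list of
    (app, path, identifier, fingerprint); reused maps a fingerprint to the
    sorted list of apps that embed the same credential."""
    findings = []
    seen = defaultdict(set)
    for app, files in apps.items():
        for path, text in files.items():
            for name, value in find_hardcoded(text):
                fp = fingerprint(value)
                findings.append((app, path, name, fp))
                seen[fp].add(app)
    reused = {fp: sorted(a) for fp, a in seen.items() if len(a) > 1}
    return findings, reused

# Constructed sample input: two apps share one embedded token, the third
# fetches its token at runtime and should not be flagged.
SAMPLE_APPS = {
    "field-sales": {"Config.java":
        'static final String ACCOUNT_AUTH_TOKEN = "EXAMPLEONLY0123456789abcdef";\n'},
    "call-recorder": {"config.js":
        "const authToken = 'EXAMPLEONLY0123456789abcdef';\n"},
    "expense-tracker": {"Config.java":
        "String authToken = BuildConfig.getToken(); // fetched at runtime\n"},
}

if __name__ == "__main__":
    findings, reused = audit(SAMPLE_APPS)
    for app, path, name, fp in findings:
        print(f"{app}:{path}: {name} holds a hardcoded literal (sha256 {fp})")
    for fp, names in reused.items():
        print(f"credential {fp} is shared by: {', '.join(names)}")
```

A credential flagged as shared means rotating it requires rebuilding every listed app, which is why the reuse check matters as much as the initial finding.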

Enterprise data is up for grabs

To date, the primary attack vectors for enterprise breaches have been compromised user credentials and web apps, but 2018 is the year that will change. Hackers know enterprise data can easily be taken from leaky mobile apps; it’s time for the rest of the world to catch up to them.

Uber’s recent security woes are a prime example of the need for vigilance. Nearly 60 million Uber users and drivers had their data stolen by hackers because it was stored in an Amazon Web Services server. Hackers found the login credentials for the server and took what they wanted. Breaches like these are why forward-thinking organizations are making mobile app defense an integral part of their overall security strategy — before they become the next headline themselves.