Mac and iOS apps stealing user data, an enterprise take

Credit to Author: Jonny Evans | Date: Mon, 10 Sep 2018 04:53:00 -0700

Reports claiming numerous apps distributed through Apple’s App Store are secretly exfiltrating user data should be an alarm call to enterprise CIOs. It signals a new battlefront in the eternal enterprise security wars.

On the surface, the data being extracted is kind of… personal: location, browser histories and similar information that provides additional insight into what individual users are up to. Why should that concern an enterprise?

That’s a rhetorical question, of course. Most enterprise security professionals recognize that any form of data exfiltration poses an overall challenge.

The security environment is becoming increasingly complex, and criminals are getting better at combining data from multiple sources to identify targets, identify individuals and turn this knowledge into cold hard cash.

We also know that as Apple makes its platforms more secure, criminals who still choose to target the platform are becoming much more sophisticated.

They will even pay $15 for Apple ID data and there is a huge market in preconstructed phishing and hacking tools online. A Malwarebytes survey earlier this year claimed malware attacks on Macs climbed 270 percent in 2017.

Wickie Fung of Palo Alto Networks has warned: “Enterprises must insist on complete pervasive security visibility in their environment including users, applications, data and threats.”

Staff must be educated about the risk of installing unapproved apps.

Enterprises must put procedures and protocols in place to protect against installation of data-exfiltrating apps. In doing so they must also recognise that third-party apps that do things more efficiently than those they themselves provide will be used, and should subject these to swift security analysis.

It is also important to check if existing threat intelligence systems are capable of identifying instances in which rogue apps are covertly stealing data.

The recently-identified apps tend to parcel up the data they take to upload to remote servers – threat intelligence systems must recognize such transactions.
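One way such a check could look, as an added example that is not part of the original article: it scans web-proxy records for bundled uploads sent by apps that are not on the approved list to hosts the enterprise has not sanctioned. The log format, field names, bundle identifiers, hostnames and allowlists are all constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed sample proxy records (JSON lines); field names are assumptions.
SAMPLE_LOG = """\
{"device":"mac-014","app":"com.example.cleaner","method":"POST","dest":"upload.unknown-host.example","ctype":"application/zip","bytes_out":48210}
{"device":"mac-014","app":"com.example.cleaner","method":"GET","dest":"upload.unknown-host.example","ctype":"","bytes_out":312}
{"device":"mac-022","app":"com.example.approved-sync","method":"PUT","dest":"files.corp.example","ctype":"application/zip","bytes_out":903114}
{"device":"ios-101","app":"com.example.wallpaper","method":"POST","dest":"api.stats.example","ctype":"application/octet-stream","bytes_out":7020}
{"device":"ios-101","app":"com.example.wallpaper","method":"POST","dest":"api.stats.example","ctype":"application/json","bytes_out":150}
"""

APPROVED_APPS = {"com.example.approved-sync"}   # hypothetical approved-app list
APPROVED_DESTS = {"files.corp.example"}         # hypothetical sanctioned hosts
# Content types typical of data parcelled up for upload (archives, raw blobs).
BUNDLE_TYPES = {"application/zip", "application/gzip", "application/x-tar",
                "application/octet-stream"}

def find_suspect_uploads(log_text, min_bytes=1024):
    """Return {(device, app, dest): total_bytes} for bundled uploads made by
    unapproved apps to unsanctioned hosts, summed per flow."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        if rec.get("method") not in ("POST", "PUT"):
            continue  # only outbound uploads are of interest
        ctype = rec.get("ctype", "").split(";")[0].strip().lower()
        if ctype not in BUNDLE_TYPES:
            continue
        if rec.get("app") in APPROVED_APPS or rec.get("dest") in APPROVED_DESTS:
            continue  # approved app or sanctioned destination
        key = (rec.get("device"), rec.get("app"), rec.get("dest"))
        totals[key] += int(rec.get("bytes_out", 0))
    # Ignore flows too small to carry a meaningful bundle.
    return {k: v for k, v in totals.items() if v >= min_bytes}

if __name__ == "__main__":
    for (device, app, dest), size in find_suspect_uploads(SAMPLE_LOG).items():
        print(f"{device}: {app} uploaded {size} bytes to {dest}")
```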

Phishing attacks are much more effective if they are precisely targeted according to user habits – and users are still the weakest link in the security chain.

Criminals understand (as did Cambridge Analytica) that the value of data extracted from multiple data stacks far outweighs that held inside any single stack. Analytics systems enable such data to be identified and weaponized.

There’s money in these practices, and the potential to find information that helps infiltrate otherwise robust computing systems, as a recent College of Behavioral & Social Sciences cybercrime study found.

Information concerning a target’s browsing habits can be turned into a malware-infested message designed and personalized for that user, giving a higher chance of infecting the end user’s machine and placing an exploit that becomes critical to undermining enterprise security.

While it seems way too convenient that these revelations concerning a security flaw in the App Store model emerge just as Apple prepares to announce new mobile devices, it seems unwise to dismiss them.

It is also apparent that while the news tarnishes Apple’s security model, it’s inevitable other platforms will also be experiencing covert data grabbing through otherwise innocuous apps.

Any responsible platform developer should already be taking robust steps to protect against this, including insistence that apps maintain strict (and transparent) data protection policy, as Apple now demands.

This stuff matters. All the apps recently identified as rogue by Malwarebytes, Sudo Security and security researcher Patrick Wardle would (I think) have been breaking the new data privacy rules Apple now insists developers follow.

Not only this, but developers of those apps would have been required to take much more responsibility for any data they chose to exfiltrate, under Apple’s new rules.

Taking such information without securing a user’s express consent is absolutely forbidden.

Apple CEO Tim Cook has often stressed the position that “Privacy to us is a human right, a civil liberty.”

These days we should all recognise that the price of protecting such rights is eternal vigilance. 

The apps engaged in these practices should be seen as honey traps:

Adware Doctor, for example, promises something users want (to eradicate unwanted advertising online) but fails to inform them that it will grab browser histories and covertly send them to unknown servers based in China.

The fact that the app was one of the top apps distributed at the App Store adds another layer of risk. We’ve all learned that apps distributed through the store tend to be trustworthy. Apple must now apply much stricter security checks to any apps listed in the top 100 apps in any country at any store in future.

However, enterprise security chiefs must also educate users about this newly emerging App Store risk and advise against installation of any relatively obscure app on any enterprise device on any platform, unless chosen from an approved list.

I mentioned gray IT: users will use third-party solutions if they are better or easier to use than enterprise-provided apps. This means that enterprise security teams must assess and verify the security of popular third-party apps used on their networks, as those apps will be used no matter how many memos are published. Best-practice advice will be a far more effective response than top-down admonition against using such apps.
