

Stale Mobile Apps Leave Backdoor Wide Open for Hackers

Posted by Vidhya Ranganathan

These days, every IT conference seems to offer a custom mobile app with a built-in conference agenda, a list of attendees, a map of the exhibit hall, and perhaps a dedicated messaging service. Conference attendees download these apps all the time and leave them on their tablets and smartphones.

Imagine Sara the product manager attends a big conference in Chicago, downloads the conference app, and returns to her office in Orlando. She mostly forgets about the app. It’s installed on the last screen of her phone, so it’s easy to overlook. Occasionally she opens the app to dig up information about a contact from the conference. One day, out of curiosity, about six months after the conference, she launches the app and visits some of its custom Web content.

And then it hits. The app pulls its Web content from a conference site that nobody has maintained since the event, and attackers have since compromised those long-ignored pages. Served through the app, the malicious content infects the phone, and Sara’s smartphone now harbors a key-logger that the attackers will use to capture her login credentials and more.

Sara has just fallen prey to the dangers of a dead app—an app that’s still installed on mobile devices but no longer available in app stores or supported by its creator.

Dead apps are not the only kind of old mobile apps that harbor risks. Stale apps pose similar risks: the app itself is still published in the app store and supported by its creator, but the version installed on the device is old and unpatched. A user running version 1.7 of a stale app might be missing critical security updates that were included in versions 2.0 and 2.1.

Both stale apps and dead apps can harbor vulnerabilities that hackers can exploit to implant malware. In fact, dead apps may have been pulled from app stores specifically because of their security vulnerabilities. Some may even have included malware themselves.

Why should enterprise IT organizations care about stale and dead apps? Because they’re dangerous, and they’re surprisingly common.

A recent study cited by TechTarget found that 5% of mobile apps in enterprises were stale. That’s a lot of possibly vulnerable apps installed on employee devices.

What can enterprises do to mitigate the security threat from stale and dead apps?

First, they can educate users about the risks of running stale and dead apps. They can encourage users to delete apps they no longer use, especially out-of-date ones such as conference apps from events long past, and to keep the apps they do use updated to the current version.

Second, they can use a solution like kiteworks to establish a mobile app whitelist, so that enterprise content on mobile devices and desktops can only be opened by apps the IT organization has approved. With the whitelist in place, a risky or infected app never gets to touch content that might then be uploaded to servers or shared across internal networks. Note that a whitelist limits which apps can reach enterprise content; it does not remove a dead or stale app from the device, so it belongs alongside the cleanup and update habits above rather than in place of them.

kiteworks makes content safely available to mobile workers, who can easily create, edit, and share files and folders, using safe mobile apps, not dead, stale, or infected ones.
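As an added illustration, not kiteworks code or any vendor's implementation, the following Python script shows the kind of check an app whitelist enforces: it takes a device's installed-app inventory (as a mobile device management system would report it) and an IT-maintained list of approved apps with minimum approved versions, labels each installed app approved, stale, dead or unapproved, and gates access to enterprise content on the approved ones. The bundle identifiers, version numbers and the list format are constructed for the example.

```python
"""Whitelist compliance check for a mobile app inventory.

Added example, not kiteworks code. The allowlist format, bundle
identifiers and version numbers are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class AllowlistEntry:
    bundle_id: str
    min_version: str        # oldest version that still carries all security fixes
    published: bool = True  # False once the vendor pulls the app from the store


@dataclass(frozen=True)
class InstalledApp:
    bundle_id: str
    version: str


APPROVED = "approved"      # on the list and at or above the minimum version
STALE = "stale"            # on the list but the installed version is too old
DEAD = "dead"              # on the list but no longer published or supported
UNAPPROVED = "unapproved"  # never approved by IT


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.1.0' into (2, 1, 0) so versions compare numerically.

    Each dotted segment is read up to its first non-digit ('1-beta' -> 1),
    and the tuple is padded to three parts so '2.1' equals '2.1.0'.
    """
    parts: List[int] = []
    for segment in version.split("."):
        digits = ""
        for ch in segment:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def classify_app(app: InstalledApp, allowlist: Dict[str, AllowlistEntry]) -> str:
    """Label one installed app. 'dead' wins over the version check because a
    pulled app receives no fixes at all, whatever version is installed."""
    entry = allowlist.get(app.bundle_id)
    if entry is None:
        return UNAPPROVED
    if not entry.published:
        return DEAD
    if parse_version(app.version) < parse_version(entry.min_version):
        return STALE
    return APPROVED


def audit_device(inventory: Iterable[InstalledApp],
                 allowlist: Dict[str, AllowlistEntry]) -> Dict[str, str]:
    """Map every installed bundle id to its label."""
    return {app.bundle_id: classify_app(app, allowlist) for app in inventory}


def may_access_content(app: InstalledApp,
                       allowlist: Dict[str, AllowlistEntry]) -> bool:
    """Only approved apps may open enterprise content."""
    return classify_app(app, allowlist) == APPROVED


# Constructed sample data. A formerly approved app stays on the list with
# published=False so it is reported as dead rather than merely unapproved.
SAMPLE_ALLOWLIST = {e.bundle_id: e for e in [
    AllowlistEntry("com.example.docs", "2.1"),
    AllowlistEntry("com.example.conf2014", "1.0", published=False),
    AllowlistEntry("com.example.mail", "4.3.2"),
]}

SAMPLE_INVENTORY = [
    InstalledApp("com.example.docs", "1.7"),         # stale: 1.7 < 2.1
    InstalledApp("com.example.conf2014", "1.0"),     # dead: pulled from store
    InstalledApp("com.example.mail", "4.3.2"),       # approved
    InstalledApp("com.example.unknowngame", "3.0"),  # unapproved
]

if __name__ == "__main__":
    for bundle_id, label in audit_device(SAMPLE_INVENTORY, SAMPLE_ALLOWLIST).items():
        print(f"{bundle_id:30} {label}")
```

In practice the inventory would come from the MDM's device report and the list from IT's app catalog; the point of the script is the decision order (unknown, then pulled, then too old) and the fact that only the approved label unlocks content.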

Time to clean out your old, stale apps.