If you have installed mobile apps on your smartphone beyond the stock selection that came with the device, you will probably have noticed that an app asks for permission to access certain resources or take certain actions.
In some cases, this seems logical enough – for example, business apps that call a central database for the latest stock market figures.
But does it really make sense for a simple flashlight app to try to connect to remote servers?
IT departments on the lookout for security vulnerabilities and threats may spot such anomalies and warn employees to avoid the apps concerned, or at least to exercise caution. However, the real problem may lie elsewhere.
Employees using their own mobile devices (smartphones and tablets) for business and personal use are often free to download any app that takes their fancy.
They may well prefer free apps to paid apps, especially if they have to pay for the apps themselves.
Statistically, however, free apps tend to ask for more device permissions than their paid counterparts.
Free apps more often request access to the device's camera and microphone, and permission to make phone calls or send SMS messages.
The first pair exposes a user, and possibly the user's enterprise, to espionage (recording audio and video); the second pair opens the way to data exfiltration (via text messages, for example).
Short of a total ban, it is not possible to prevent people from downloading free apps. Instead, they should be properly informed about what to look for: which permission requests are dubious or suspect for the kind of app concerned.
They should also be encouraged to bring any new or hitherto unapproved apps to the IT department for checks before installation.
The IT department in turn may allow the use of personal mobile devices for work within a suitable management framework, using an enterprise mobility management (EMM) application to keep tabs on the apps appearing on employees' devices.
Some free apps are viable, useful, and productive for work, but others may have to go onto a blacklist if their behaviour and permission requests are simply too dubious.
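The check described above (which permissions an app asks for, whether they fit what an app of that kind needs, and whether the mismatch is bad enough for the blacklist) can be automated once the IT department has the app's manifest in hand. The following is an added example, not code from the original article or from any EMM product. It assumes an Android app whose AndroidManifest.xml has been extracted from the APK (for instance with apktool or aapt), and a hypothetical per-app-type baseline (EXPECTED) of the permissions each kind of app legitimately needs. The permission identifiers are the real android.permission.* names; the two manifests are constructed for the example.

```python
"""Triage an Android app by the permissions its manifest declares.

Added example, not from the original article. Assumes the app's
AndroidManifest.xml has already been pulled out of the APK and that the
IT department maintains a baseline of expected permissions per app type.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # ElementTree's form of android:name

# Sensitive permissions grouped by the threat the article associates with them.
SENSITIVE = {
    "android.permission.CAMERA": "espionage",
    "android.permission.RECORD_AUDIO": "espionage",
    "android.permission.CALL_PHONE": "exfiltration",
    "android.permission.SEND_SMS": "exfiltration",
    "android.permission.READ_SMS": "exfiltration",
    "android.permission.INTERNET": "network",
}

# Hypothetical baseline: which of the sensitive permissions each app type may need.
EXPECTED = {
    "flashlight": set(),
    "messaging": {"android.permission.SEND_SMS", "android.permission.READ_SMS",
                  "android.permission.INTERNET"},
}


def declared_permissions(manifest_xml: str) -> list[str]:
    """Return the android:name of every <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)]


def audit_manifest(manifest_xml: str) -> dict[str, list[str]]:
    """Group the declared sensitive permissions by threat category."""
    findings: dict[str, list[str]] = {}
    for perm in declared_permissions(manifest_xml):
        category = SENSITIVE.get(perm)
        if category:
            findings.setdefault(category, []).append(perm)
    return findings


def review(manifest_xml: str, app_type: str) -> dict:
    """Compare the app's sensitive permissions with the baseline for its type.

    Verdicts: "block"  - asks for espionage/exfiltration capability it has no
                         business needing (blacklist candidate)
              "review" - only unexplained network access; ask the user or vendor why
              "allow"  - nothing beyond the baseline
    """
    expected = EXPECTED.get(app_type, set())
    findings = audit_manifest(manifest_xml)
    unexpected = {cat: [p for p in perms if p not in expected]
                  for cat, perms in findings.items()}
    unexpected = {cat: perms for cat, perms in unexpected.items() if perms}
    if unexpected.get("espionage") or unexpected.get("exfiltration"):
        verdict = "block"
    elif unexpected.get("network"):
        verdict = "review"
    else:
        verdict = "allow"
    return {"app_type": app_type, "unexpected": unexpected, "verdict": verdict}


# Constructed manifests for the worked example (not real apps).
FLASHLIGHT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freeflashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Free Flashlight"/>
</manifest>
"""

MESSAGING_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.teamchat">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="Team Chat"/>
</manifest>
"""

if __name__ == "__main__":
    for label, xml, kind in [("flashlight", FLASHLIGHT_MANIFEST, "flashlight"),
                             ("messaging", MESSAGING_MANIFEST, "messaging")]:
        print(label, review(xml, kind))
```

The same manifest gets a different verdict depending on the declared app type: the messaging app's SMS permissions are in its baseline and pass, while a flashlight that records audio and sends SMS is a block candidate, and a flashlight that only wants network access is flagged for a closer look rather than blocked outright. The baseline is the part that needs local judgement; the parsing and categorisation are mechanical and can run inside whatever EMM workflow the IT department already uses.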