While it may sound surprising, many mobile apps leak user data to anybody ready to receive it. While some free apps rely on being able to harvest and resell such user data, other paying apps, some of them from highly reputable brands, are simply careless about the user IDs, passwords, user profile information, and other information they ask for via mobile permissions. And even consumer user IDs and passwords can move hackers a step along to getting into business systems. Here’s why.
The danger of leaky mobile apps may be indirect, but it is still very real.
By learning about a user (name, nickname, preferences, circles of friends, etc.), hackers can become well-informed enough to send out bogus email messages to others who know the user.
Spear-phishing tactics allow hackers to target specific victims, tricking them into giving the hackers other confidential login information or into downloading malware, including ransomware.
Given the correlation between the people downloading mobile apps and the people who have business acquaintances, there’s a chance that cybercriminals will be able to target bigger prizes than the mobile owner’s post office savings account.
Prevention being better than cure, the first step is to educate users to regard mobile apps (including those available from Google Play and Apple’s App Store) with a measure of distrust.
Permissions requested by mobile apps for installation should only be given grudgingly, if at all.
However, many people are so free and easy with their mobile permissions that this measure may not be effective.
The next step is to educate users in a company to be suspicious of all emails, to refrain from clicking on links in emails, and to alert the IT department if unexpected messages or incidents arrive.
Blocking the use of certain mobile apps on company mobile devices is a further option, although this may have to be in the form of a whitelist (“use only these apps”), rather than a blacklist (“don’t use these apps”).