MTD Myths Vs. Reality: What Leaders Need to Know About Mobile App Risk

Since the advent of the iPhone, security teams have longed for mobile endpoint security that rivals antivirus and antimalware capabilities for PCs. Although Mobile Threat Defense (MTD) has captured attention from regulated industries and government, it doesn’t provide the price/performance value to justify the investment. Mobile app vetting offers a stronger, cost-effective approach to managing mobile risk.

MTD solutions install agents on a mobile device and watch for unusual or malicious behavior at the device, user, or app level. They alert users and the IT security team to take action and may offer additional features depending on the vendor. By contrast, mobile app vetting solutions run in the cloud to assess mobile apps for security, privacy, and compliance issues by dynamically testing the binary on real iOS and Android mobile devices.

Examining MTD vs. mobile app vetting from the lens of risk helps guide strategic security investments. Are the highest frequency risks at the device, network, or app layer? NowSecure has tested tens of thousands of mobile apps in the Apple® App Store® and Google Play™ store across categories such as business productivity, travel, hospitality, retail, social media, news, weather, and the like, frequently finding a number of serious risk vectors. Based on our experience with clients, here is a sampling of some of the top six mobile risk vectors:

• 1. Many popular commercial mobile apps don’t properly validate hostname/certificate, opening risk of attacker redirecting traffic to a malicious endpoint enables attackers to phish users or harvest their credentials.
• 2. Many popular commercial mobile apps route data and traffic to foreign untrusted IP addresses.
• 3. Many popular commercial mobile apps broadcast a user’s country of origin location data, putting the user and device at risk in foreign lands.
• 4. Many popular commercial mobile apps transmit personal and/or business information over HTTP, which is easily interceptable over the air.
• 5. Malicious Wi-Fi hotspots in airports and other locations frequented by business and government employees that mimic official free Wi-Fi services with similar names.
• 6. Outdated Android devices running old, unpatched, vulnerable versions of the mobile OS with an exploitable vulnerability.

Real-World Mobile App Risks

While the PC world is full of malware and viruses, Android and iOS are inherently more secure by design with app sandboxing and other built-in protections. Practicing proper mobile device hygiene and controls, only installing apps from official app stores, automating updates and deploying mobile device management configured to security policies provides nearly all of the protection most users need at a substantially lower cost than deploying MTD. In addition to the cost of the pricey software, MTD requires organizations to install agents on every device and carries significant management and administrative burden. That price/performance value is questionable.

By comparison, mobile app vetting provides more in-depth coverage to mitigate risk. A typical enterprise with 10,000 mobile devices might have 12,000 unique different internal and third-party mobile apps and versions in their portfolio, creating some 12,000 points of risk. NowSecure analysis discovered that 85 percent of mobile apps fail one or more of the OWASP Mobile Top 10; 35 percent have unencrypted data transmission; and 50 percent of Android apps dynamically load code missed by static analysis. That means millions of risky mobile apps in the public domain are likely to be loaded on your users’ mobile devices.

Mobile app vetting that is centrally deployed and managed typically costs two times to five times less than MTD, plus eliminates the burden and complexity of managing MTD agents across all devices. As shown below, the mobile app vetting protects the organization from more frequently occurring risks of insecure mobile apps at a better price/performance.

Analysis of MTD Performance on Common Mobile Risk Vectors

Get a demo to assess the risk level of your third-party mobile apps before incorporating them into your mobile program.