Business of Well-being

Insecure Mobile Apps: What Is Really Happening with Your Health and Wellness Data

With the rise of the BYOD (bring your own device) workplace, and with companies playing an increasingly active role in the health and wellness of their employees, using mobile apps to encourage employees to track fitness, exercise and weight loss progress can be a great idea.

But companies need to be aware of the potential for leaking employees' private information, and even sensitive corporate data, through unsecured mobile apps. Let's talk about what makes mobile unique from a security standpoint. Firstly, mobile offers a broad attack surface, combining the attack surfaces of Web and native client applications in a small, easy-to-steal form factor.

And while traditional computers (laptops, desktops and servers) include a mechanism to allow administrators full access to the device, whether for installing updates or deploying new software, on mobile devices, administrators have no standard, authorized method for gaining device privilege.

This gives administrators less control over, and less visibility into, what these devices are doing and how they may be interacting with an organization's network. And indeed, unlike most laptop or desktop computers, mobile devices interact with a number of networks on a daily basis -- most of them outside a company's firewall.

Typically, users have no way to tell whether their connection is secure or the information they send is encrypted. Unsecured Wi-Fi connections can expose users to many sophisticated attacks where sensitive data can be lost.

But the greatest threat to security comes in the form of 'leaky' apps -- outwardly benign applications with security flaws that can put your data at risk. And guess what? Chances are, your employees have leaky apps on their devices.

Leaky Mobile Apps

We recently examined 100 popular apps in a variety of categories, testing them for vulnerability to man-in-the-middle and SSL attacks, checking whether they stored passwords and other sensitive data in memory, and looking for other common security concerns.

Our study found that 60% of apps received a "High" risk rating in one or more categories. None of these were apps anyone would normally perceive as 'risky' -- usually, when presented with our findings, even their creators were unaware of the risks their apps posed.

Figure 1: Breakdown of vulnerabilities in tested apps

Apps are a booming business, and in the rush to market, security testing often takes a backseat. With consumers unaware of the security issues any app might present -- and with no watchdog body to help make them more aware -- mobile app developers are under no real pressure to ensure their products are secure before release.

That's why there are so many leaky apps, and there's no reason to believe they are going to be more secure anytime soon. Leaky apps can be a gateway to your employees' protected health information, your institution's financial data, and other sensitive materials. In traditional workplace networks you can prevent employees from installing software without permission.

But in a BYOD environment, you often have little control over what apps employees download on their personal devices. It's key to remember that whatever your employees can access from their tablet or smartphone is also potentially accessible to attackers.

Ignoring the threat leaky apps represent means exposing yourself to loss of data, loss of customer trust, and in the end, loss of revenue. Before you encourage your customers to download and use a mobile app, you want to make sure it is secure. But how? There is no app security rating body, no agreed-upon industry security standards, and information about an app's vulnerabilities can be hard to come by.

Even if you develop your own custom fitness app or use a white label app that has undergone rigorous security testing, the scary thing about mobile is that your data may still only be as safe as the weakest app on one of your employees' devices. All it takes is one unsecured Angry Birds knock-off to put your entire enterprise at risk.

Here's how it can happen -- let's say that, as part of a corporate wellness directive, your employee installs a mobile app called "Count My Sit-Ups" to help them, well, count their sit-ups. This app is reasonably secure (a rarity), but requires an email address as part of registration.

However, the Angry Birds knock-off they downloaded has some security problems, and attackers are able to use it to penetrate your employee's device. From there, they access "Count My Sit-Ups" and find your employee's email info.

Using a password they find stored by another app on the device, the attackers are then able to access your employee's corporate email account. This scenario assumes that your employee uses the same password for a number of different mobile apps, functions and registrations -- but in reality, that's exactly what people do, and attackers know this.

So What Can I Do?

Heavy-handed, one-sided security measures don't work for mobile. Due to the immense amount of private information we store on our phones (let's face it, our phones usually know us better than our spouses), employees are highly resistant to the kind of large-scale management and monitoring that would be needed to truly control how they use their devices at work.

The good news is that there are steps you can take to protect yourself, your employees, and your business by proactively assuming a defensive posture. This means building security from the ground up by turning your employees from potential security risks into your first line of defense -- educating them on how to transform a bring-your-own-device environment into a bring-your-own-security workplace.

People need to know what their apps are really doing. How are they storing information? What organizations are they communicating with? Is the data they send encrypted? Employees must also learn to follow basic mobile security procedures, such as setting a passcode and being wary of unsecured Wi-Fi hotspots.

The right wellness app can increase employee participation and help your company meet its fitness goals, and maintaining a workplace where your employees feel comfortable using their personal devices is increasingly just part of doing business in the 21st century. Just be sure that you are aware of the security risks involved, and make sure you and your employees are taking concrete steps to mitigate them.

About the Author

Andrew Hoog, CEO and Co-founder of viaForensics, is a computer scientist and mobile forensics researcher. He has two patents pending, and is the author of two books on mobile forensics and security.
