Survey: What does the future of cloud security look like?

July 17, 2014

We’ve been thinking a lot about the future of cloud security lately. As workforces become more mobile, and work becomes anytime/any place/anywhere, companies have to think differently about securing their data and systems.

We want to get your feedback as we build the next-generation cloud security. Help shape our future product direction by sharing your thoughts in our two minute survey.

Stay tuned, we’ll share the results here on our blog!




[Webinar] “Beyond Permissions: The Truth Behind Mobile Application Risk”

June 23, 2014

Permission by proxy. That sounds pretty scary right?  It happens to any of us who use apps on our mobile devices, from official or unofficial sources. Simply by using an app, we grant permission to that app to access various areas of our mobile devices. Sometimes, those permissions are extended to data sharing with other applications via app-installed libraries.

Do you want to learn more about the hidden risks in your mobile apps? Join us on Wednesday, June 25 at 11:00 AM for our webinar, “Beyond Permissions: The Truth Behind Mobile Application Risk.”

Our presenter, product marketing manager Samer Baroudi, will discuss the hidden risks of your mobile apps and how to gain visibility into the apps installed on your organization’s corporate-owned and BYOD devices.

In this webinar you’ll learn:

  • Why app store apps have hidden risks
  • How to add visibility into the apps on your mobile devices
  • What data is collected by your apps and how it is shared

Webinar Details

Topic: Beyond Permissions: The Truth Behind Mobile Application Risk
Date: June 25
Time: 11:00 AM PST
Register: Sign up to attend

Register Now


Two Factor Authentication, Data Usage Alerts, and More!

June 17, 2014

We wanted to take a quick break from all of our hard work and give a quick update on some important new features.

Two Factor Authentication

In the wake of recent vulnerabilities like Heartbleed, we felt it was necessary to give our users additional security around their login credentials. That’s why we recently implemented two factor authentication, which can now be enabled for any account by simply going to Settings -> Personal.

We chose the open TOTP standard as the underlying authentication method and made it simple enough to use that anyone can have it enabled for their account within a few minutes.
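For readers who want to see what the TOTP standard the post refers to actually computes, here is an added example (not Mojave Networks’ code) implementing RFC 4226 HOTP and RFC 6238 TOTP with HMAC-SHA1, plus a small server-side verifier. The verifier tolerates one time step of clock skew in either direction and refuses to accept a code for a time step it has already accepted, which is the usual defence against replaying a code that was observed in transit. The seed `12345678901234567890` is the RFC test-vector secret; the class and function names are this example’s own.

```python
# Added example (not Mojave Networks' code): RFC 4226 HOTP / RFC 6238 TOTP
# with a server-side verifier that allows small clock skew and blocks replay.
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check. `window` is how many steps of skew to accept on
    each side; a step that already produced an accepted code is never
    accepted again, so a sniffed code cannot be replayed within the window."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_accepted_counter = -1

    def verify(self, code: str, unix_time: int) -> bool:
        counter = unix_time // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_accepted_counter:
                continue  # this step (or an older one) was already used
            # Constant-time comparison so the check does not leak via timing.
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_accepted_counter = c
                return True
        return False


def decode_base32_secret(s: str) -> bytes:
    """Authenticator apps share the seed as base32 (often unpadded and
    grouped with spaces); normalise and decode it."""
    s = s.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 6238 test-vector secret
    print("current code:", totp(seed, int(time.time())))
```

The same seed must be stored server-side for verification, so it deserves the same protection as a password database: keep it encrypted at rest and never log it. A lost device is handled by issuing a new seed, not by widening the verifier’s window.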


Data Usage Alerts

Another feature that customers have often requested is to receive alerts when users are approaching a certain amount of data usage.  This is ideal for companies that pay for data plans and want to ensure they remain within certain usage parameters to avoid expensive overage charges.

To enable, simply go to the Network settings within a policy and set the threshold of when you want to be alerted.  It’s as simple as that.


Samsung Safe

Mojave now integrates with Samsung Safe allowing more granular controls of Safe devices including preventing factory reset, booting into safe mode, and better email configuration.

All of these features are immediately available so feel free to use them and keep providing your suggestions so we can keep improving the Mojave experience.

[Video] All About Mojave Networks in 90 seconds

June 11, 2014

Do you want to understand how to add control, visibility, and security to the mobile devices connected to your network? Check out our short video to find out how to secure your devices with our cloud-based network security.

New Application Reputation Offering

June 6, 2014

This week, we unveiled a new application reputation feature to provide enterprises with detailed insight into the applications that are run on employee mobile devices. With this new feature, companies can analyze the data being collected, stored or transmitted from mobile applications, enabling them to discover the potential risk of applications and make informed policies to prevent compromises or data loss. See the press release for more details.

Ryan W. Smith, our lead threat engineer, explained the problem to Tim Wilson at Dark Reading: “When we first come into a customer site, most of them have no idea what apps their users have installed on their devices, or what their risk exposure might be. They are accepting a level of risk on their mobile devices that they would never accept on PCs.”

In SecurityWeek, Ryan was quoted as saying: “Some of the most significant risk factors affecting corporate employees and individual mobile users, such as data loss and PII collection, occur not by the application itself, but within mobile advertising libraries and other library components such as social media or analytic tools.”

From Network World: “Unfortunately, when you give permission to an app to access your private or sensitive data, you’re also giving access to each of the included libraries and their author(s), whether you know it or not. This is like entrusting your house keys to your teenage child for the weekend, only to have them immediately make copies for their friends, unbeknownst to you.”

As you can see in the graph below, the majority of apps contain third-party ad libraries. In fact, at least 78% of all applications downloaded by business users connect to either an ad network, social media API, or analytics API – putting their personal information and their company’s sensitive data at risk. More details about how mobile ad libraries create risks for enterprise data are available in Ryan’s blog post.

[Graph: connections made by mobile apps to ad, social media and analytics domains]

Other news:

  • Mojave Networks Unveils New Application Reputation Offering, InfoSecurity Buzz
  • Mobile apps siphon off reams of data through excessive permissions, FierceMobileIT
  • Mobile Apps Leak Personal Information, Study Finds, SiliconBeat
  • Mojave Networks Application Reputation Feature Aims at BYOD, eWeek

Mobile Ad Libraries Create Major Risk for Enterprise Data

June 2, 2014

Every day at Mojave Threat Labs, our research team analyzes thousands of mobile apps using more than 200 individual risk factors. One of the key risk factors that we track is private data or personally identifiable information (PII) that is collected and sent to remote web APIs. This may include the user’s name, phone number, email address, location, applications they have installed, phone call history, contact list, and much more. On average, corporate employees and mobile users have around 200 applications on their mobile devices, including all of the pre-installed apps like the address book and camera. Each application has an average of nine permissions that users agree to before using the app – things like permission to access your address book or your location in order to tell you about what’s nearby. With so many applications requesting access to private or sensitive information, it’s often difficult for users, let alone IT administrators, to fully understand who’s accessing their data, where it’s being sent, and how it will be used.


Why You Shouldn’t Blindly Trust Mobile Advertising Libraries

Some of the most significant risk factors affecting corporate employees and individual mobile users, such as data loss and PII collection, occur not by the application itself, but within mobile advertising libraries and other library components such as social media or analytic tools. These libraries are large packages of code written by a third party, which the developer includes in their mobile app to help them add standard functionality. In this case the developer may use the libraries to collect ad revenues, track user statistics, or integrate with social media APIs. There are thousands of such libraries available to mobile app developers, each with varying reputations, and developers will often include their code with little or no review. Although many of these libraries refrain from collecting PII and have sensible privacy policies, not all libraries are so reputable, and for most users it’s impossible to know which ad library is included in a particular app.

Unfortunately, when you give permission to an app to access your private or sensitive data, you’re also giving access to each of the included libraries and their author(s), whether you know it or not. This is like entrusting your house keys to your teenage child for the weekend, only to have them immediately make copies for their friends, unbeknownst to you. This indirection and lack of transparency leads to a lack of accountability for the apps’ included subcomponents and precludes IT administrators from making adequately informed risk decisions.

To show the prevalence of such third party libraries, Mojave Threat Labs analyzed more than 11 million URLs that our customers’ installed apps have connected to. We then further broke the URLs into categories based on whether they connected to ad networks, social media, and analytics APIs. When we analyzed all of the apps downloaded by our customers, we found that:

  • Business users connect to at least as many data gathering libraries as consumer users, and in some cases more, leaving enterprises at risk for sensitive data loss;
  • Some of the top ad libraries such as AdMob, AirPush and Flurry leak private information such as which mobile apps you have downloaded onto your phone, precise geo-location data including your zip code, your device ID number, web browsing history and more;
  • 65% of applications downloaded by business users connect to an ad network;
  • 40% of applications downloaded by business users connect to a social network API;
  • At least 78% of all applications downloaded by business users connect to either an ad network, social media API, or analytics API.
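The analysis described above (break the URLs that installed apps contact into ad-network, social-media and analytics categories, then count what share of apps per user group reaches each category) can be reproduced on a small scale. The following is an added example, not Mojave Threat Labs’ code or data: the domains, app ids and connection records are constructed placeholders, the category map is a plain dictionary keyed by registrable domain, and the registrable-domain rule is a simple last-two-labels cut (a production tool would use the public suffix list). An app counts once per category no matter how many URLs in that category it contacts, which is the counting rule the percentages in the post imply.

```python
# Added example (not Mojave Threat Labs' code or data): classify the domains
# installed apps connect to and report, per user group, the share of apps
# reaching an ad network, a social media API or an analytics API.
from collections import defaultdict
from typing import Iterable, Optional, Tuple
from urllib.parse import urlsplit

# Constructed category map keyed by registrable domain, so any subdomain
# (ads.adnet-one.test, cdn.adnet-one.test) resolves to the same category.
DOMAIN_CATEGORIES = {
    "adnet-one.test": "ad_network",
    "adnet-two.test": "ad_network",
    "social-api.test": "social",
    "metrics-svc.test": "analytics",
}


def registrable_domain(url: str) -> str:
    """Crude last-two-labels rule (assumption: no multi-label public suffixes)."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def categorize(url: str) -> Optional[str]:
    """Category of the URL's domain, or None when it is not a tracked library."""
    return DOMAIN_CATEGORIES.get(registrable_domain(url))


def app_category_share(records: Iterable[Tuple[str, str, str]]) -> dict:
    """records: (user_group, app_id, url) triples from observed connections.
    Returns {group: {category: percent_of_apps}}; 'any' is the share of apps
    that touch at least one tracked category (ad, social or analytics)."""
    apps_by_group = defaultdict(set)
    hits = defaultdict(lambda: defaultdict(set))  # group -> category -> app ids
    for group, app, url in records:
        apps_by_group[group].add(app)
        cat = categorize(url)
        if cat is not None:
            hits[group][cat].add(app)
            hits[group]["any"].add(app)
    result = {}
    for group, apps in apps_by_group.items():
        total = len(apps)
        result[group] = {
            cat: round(100 * len(ids) / total, 1) for cat, ids in hits[group].items()
        }
    return result


# Constructed sample of observed connections: (group, app id, URL).
SAMPLE_RECORDS = [
    ("business", "com.example.mail", "https://api.example-mail.test/sync"),
    ("business", "com.example.game", "https://ads.adnet-one.test/v1/bid"),
    ("business", "com.example.game", "https://cdn.adnet-one.test/banner.png"),
    ("business", "com.example.game", "https://graph.social-api.test/me"),
    ("business", "com.example.news", "https://track.metrics-svc.test/event"),
    ("business", "com.example.notes", "https://notes-backend.test/upload"),
    ("consumer", "com.example.game", "https://ads.adnet-two.test/v1/bid"),
    ("consumer", "com.example.photo", "https://graph.social-api.test/share"),
    ("consumer", "com.example.photo", "https://track.metrics-svc.test/event"),
    ("consumer", "com.example.weather", "https://wx-data.test/forecast"),
]

if __name__ == "__main__":
    for group, shares in sorted(app_category_share(SAMPLE_RECORDS).items()):
        print(group, shares)
```

The useful output for an administrator is the per-app breakdown behind these percentages: which installed apps contact which categories, so a policy decision can be made per app rather than per permission. Connection records of this kind come from a network-level vantage point (a gateway or on-device VPN), which is exactly what makes the library traffic visible when the app’s permission list does not reveal it.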

Not surprisingly, the top domains in both categories belong to the top ad libraries (AdMob, Airpush, Flurry, Millennial Media) as well as social media (Facebook, Twitter, LinkedIn, Google+). Not far behind in the top 50 are data sharing APIs like Dropbox.

[Graph] A graph of the connections made by mobile apps, gravitating towards the most highly connected domains in the center.

As an example of the types of data collected by these libraries, we examined one of the top URLs in our database, Airpush. The type of data exposed included:

  • Android ID
  • Advertiser ID
  • Device make and model
  • Mobile web browser type and version
  • IP address
  • Airpush-generated ID
  • Application name
  • A list of mobile applications installed on your device (opt out option)
  • “other technical data about your device”

In accordance with your permission, Airpush may also collect:

  • precise geo-location
  • browser history (opt out option)
  • country
  • zip code
  • device IDs (including IMEI, device serial number and MAC address)
  • encrypted values of your email address (opt out option)

The bottom line is that you may trust the author of a particular app, but you may not even know the authors of the components (libraries) which are gathering the most information about you. In almost all cases, a user is bound by the library’s data policies simply by downloading and installing an app which includes it, without ever getting a chance to review the policy details.


Enterprise Risk vs. Consumer Risk: Enterprises Beware

Although it wasn’t a surprise that most applications connect to an ad network, it is notable that the breakdown between apps installed by business users and apps installed by individual (consumer) users was nearly the same. Some other interesting findings include:

  • Apps installed by business users were at least 10% more likely to connect to social media APIs.
  • Apps installed by business users (vs. consumers) were just as likely to include libraries which exposed them to PII, personal or corporate data loss risk.

The table below compares the top URLs from applications on business user devices (right) and consumer devices (left). The table shows that there’s not a huge distinction between business users and consumer users when it comes to the top ad libraries, social media libraries and other libraries which affect data privacy – enterprises aren’t as safe as they may think.

[Table: percent of apps connecting to each domain, business users vs. consumer users]

It is critically important that users and IT Administrators understand what data is being collected from their devices, where it is being sent, and how it is being used. Given that the majority of the sensitive data being collected occurs within these third party libraries such as ad networks, social media APIs, and analytics tools, it is therefore important to fully understand each of the libraries included in your mobile apps. Gone are the days when we can simply say “I trust this app with these permissions and data”. With the number of third-party libraries coming along for the ride we must now ask “for whom is the data, where will it be sent, how will it be used, and how will it be handled.”

Watch last week’s webinar, “A Three-Pronged Approach to Mobile Security”

May 30, 2014

Did you miss our webinar last week, with Forrester Research’s Tyler Shields, discussing how to best understand mobile risk and mitigate it?  You can now watch the recording, or download the slides.

You can also check out some of the questions we discussed during the webinar.

Stay tuned – we had too many questions, and will answer these later on our blog.


Webinar Details

Topic: Three-Pronged Approach to Mobile Security


#3ProngSecurity: Q3 – What combination of technologies can help me meet my business goals?

May 20, 2014

We posted questions one and two for our upcoming webinar, and here is the third installment: what combination of technologies can help me meet my business goals?

These days, mobility managers have a range of solutions to consider to manage and protect mobile devices: mobile device management (MDM), enterprise mobility management, app reputation solutions, containerization, and firewalls. It seems like there is a new solution available every month! We’ll talk about how to build a unified approach for your mobile security in our webinar on May 21. If you have questions to ask during the webinar, post them in the comments here, or tweet with the hashtag #3ProngSecurity. Here are a few other resources to help you sort out all of the options:


Webinar Details

Topic: Three-Pronged Approach to Mobile Security
Date: May 21
Time: 11 AM PST
Register: Sign up to attend

Webinar this Wednesday with Tyler Shields – register now

May 19, 2014

Just a reminder…this Wednesday we’re hosting a webinar with Tyler Shields of Forrester Research about a three-pronged approach to mobile security.

“This webinar will cover many of the major challenges that IT and security departments are faced with today when attempting to deploy a unified mobile security strategy,” said Garrett Larsson, our CEO. “The information our Threat Lab researchers have gathered, along with Tyler’s research at Forrester, will provide useful, actionable information for our attendees on how to harden their defenses against the inevitable rise of mobile threats.”

If you have questions for Garrett or Tyler, post them in the comments here, or tweet with the hashtag #3ProngSecurity.


Webinar Details:

Date: Wednesday, May 21st

Time: 11:00 AM PT

Presenters:

Register now.


#3ProngSecurity: Q2 – What level of security do I need to offset my mobile risk?

May 16, 2014

We posted the first question earlier this week for our upcoming webinar, and here is our second: what level of security do I need to offset my mobile risk?


Every organization is a little different. In order to determine what your mobile risks are, first look at how your employees are using their mobile devices. What are their roles? What information can they access? And what is your current mobility policy?

Once you have looked at your mobile landscape, you’ll want to create a role-based policy that incorporates the key use cases for each user type.

For example, since sales people and support people have access to customer data, you’ll want to set policies for data removal, storage and access to ensure the data doesn’t get sent to personal accounts or stored in a public cloud. For contractors, you may want to limit device usage to work apps only. For other employees, you may only need to lock or wipe a device if it is lost.

Here are a few helpful resources:

If you want to learn more about determining the appropriate security level for your organization, attend our webinar on May 21: A Three Pronged Approach to Mobile Security. Let us know your questions – post to Twitter with the hashtag #3ProngSecurity or leave a comment on this post.


Webinar Details

Topic: Three-Pronged Approach to Mobile Security
Date: May 21
Time: 11 AM PST
Register: Sign up to attend
