Appthority Flags Bad Apps, Recruits Employees As Cyber Defenders

Employers shifting their operations to mobile computing have opened the door to BYOD, telling employees it’s OK to Bring Your Own Device and use it for work tasks. Employees have extended that to BYOA, Bring Your Own Apps, says San Francisco security company Appthority in its latest mobile threat report. Workers, just like consumers, download apps without ploughing through the accompanying disclosures. Many apps are now designed to raid the personal data of employees, a goldmine for bad actors who use “spear phishing” tactics as the first step in major attacks on corporations. And many contain malware.

When it comes to information security, a company’s employees may sometimes be seen as risk vectors rather than assets to protect. Although few may intentionally become insider threats, helping hackers break into networks, employees can unwittingly puncture company defenses by actions as innocent as downloading an exercise app to an iPad.

Companies are now bristling with safeguards supplied by cybersecurity companies that monitor the digital activity of employees as they interact with company data and communication channels from their app-laden smartphones and tablets, as well as from business computers. But in addition to that wary surveillance, there are moves now to enlist company staffers as fellow guardians of workplace data security.

One example is a set of mobile apps for employees of Appthority’s business clients. Appthority scans the mobile devices of staffers, and its apps tell them which of their installed apps are dangerous, which are frowned on by their employer, and which are approved by the company IT department. Appthority then sends automated prompts to spur the employee to get rid of the problematic apps, and warnings that the device could be bumped off the company network if they don’t.

Appthority, which says it has evaluated the risks of three million apps, also serves as a sort of consultant on the fly for employees when they’re considering the use of a new app. Using Appthority’s mobile tool, workers can get a risk assessment on the new app without having to download it.

Domingo Guerra, co-founder and president of Appthority, says business clients have been asking for ways to educate employees about cyber risks and empower them to help defend against data breaches.

“We’re seeing that employee education is increasingly a differentiator” among cybersecurity companies, Guerra (pictured above) says. “That’s why we launched the app.”

Appthority rolled out its first employee app in April 2015 for iOS, the mobile operating system it found most heavily used by businesses. At the urging of employers, Guerra says, the company recently released a similar app for Android devices.

The mobile apps work together with the core business services offered by Appthority, which was founded in 2011 by Guerra, Kevin Watkins, and Anthony Bettini to help companies and government agencies manage the risks associated with mobile apps. Appthority’s customers can create customized lists of banned and approved apps, and even tailor those lists for specific job titles, Guerra says.

Appthority is used in combination with the mobile security shields of companies such as Mountain View, CA-based MobileIron and AirWatch, an Atlanta, GA, unit of Palo Alto, CA-based cloud computing infrastructure company VMware. MobileIron and AirWatch manage the risks associated with mobile devices themselves, by automating the registration of employee-used devices, setting up their access to company WiFi and VPN accounts, monitoring passwords, and keeping unauthorized devices from logging in, among other measures. Boston-based mobile app management company Apperian offers similar services, as well as app stores, customized for business clients, that staffers can browse.

Appthority aims to make security measures scalable through automated risk-scoring of specific apps and employee devices, as well as alerts and corrective measures.

The company, which has 35 employees, has raised a total of $16.25 million from investors including U.S. Venture Partners, Venrock, Blue Coat Systems, and Knollwood Investment Advisory. Appthority doesn’t disclose its revenues.

Over the five-year period since Appthority’s founding, business attitudes toward mobile use and its restrictions have gone back and forth, Guerra says. IT departments had previously presided over in-house desktops and laptops equipped with programs they had vetted themselves. In the early mobile era, however, they were losing visibility over the apps in use, who had made them, and how they would behave, he says.

“The first approach was to try to be very restrictive,” Guerra says. Employees were issued company-owned devices pre-loaded with approved apps, and barred from using their personal devices.

But as the populace rapidly acquired mobile devices, the relationship between company IT departments and employees suffered some strains. Staffers pressed for permission to use their personal smartphones and tablets on company projects, and to download new apps to make their work more efficient. But that brought headaches for IT personnel, who couldn’t be sure that all those devices and apps were free of malware and other openings for corporate data leaks. Manually reviewing each requested app was very time-consuming, Guerra says.

“Some IT departments threw up their hands and gave up,” Guerra says of the period between the end of 2013 and early 2014. This led to a proliferation of app use. Other IT leaders took the stance, “If we can’t evaluate it, you can’t use it,” Guerra says.

Since then, security shields such as MobileIron’s mobile device management system have made IT leaders more comfortable with the use of personal devices as workplace tools, Guerra says.

Appthority concentrates on risk-scoring the evolving ecosystem of apps, which may not only contain malware but can also include invasive functions that aren’t necessarily illegal. Consumers often grant app makers permission to use these functions when they agree to the long and wordy terms and conditions of a download.

Such apps can strip data from calendars, address books, photos, password lists, and other files on a smartphone or tablet, Guerra says. This personal data presents a security risk to employers, not only by revealing insider company information such as meeting details, but also because it can be used to fool a worker into taking actions that breach a company network. For example, a hacker can send a fake message in the name of a known colleague and induce the target worker to click on a malicious link. That opening gambit is what is called “spear phishing.”

Guerra says these threats are arising in part from changes in the financial prospects for app developers. In earlier business models, an app maker would offer a free version with the aim of amassing big user numbers, which would then pay off when the app startup was acquired by a larger company. In the current era crowded with mobile offerings, Guerra says, app developers frequently try to earn money from their apps by raiding the data of users and selling it to advertisers or other third parties.

“The new app economy is almost based on user surveillance,” Guerra says.

A seemingly simple app that turns a smartphone into a flashlight can also be designed to rummage through the phone’s files, geolocation information, and other data, he says.
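The article describes two ingredients of Appthority’s approach without detailing either: banned and approved lists tailored to job titles, and a risk score that reflects how much personal data an app can reach (calendar, contacts, photos, location, as with the flashlight app above). The following is an added illustration, not Appthority’s code and not its actual scoring model, of how a defender might combine the two into per-device decisions; every app name, permission, weight and threshold is constructed for the example.

```python
"""Constructed example: per-role app policy evaluation with permission-based risk scores.

Each app gets a score from the data it can reach; each job role has its own
approved and banned lists. The result per app is one of APPROVED, ALLOWED,
REMOVE (prompt the employee to uninstall) or BLOCK (device non-compliant,
i.e. it could be dropped from the company network if the app stays).
"""

from dataclasses import dataclass, field

# Constructed weights: how much each data-access capability adds to an app's risk.
PERMISSION_WEIGHTS = {
    "calendar": 3,
    "contacts": 3,
    "photos": 2,
    "location": 2,
    "password_store": 5,
    "network": 1,
}
MALWARE_SCORE = 10       # an app flagged as malware is treated as maximally risky
REMOVE_THRESHOLD = 5     # score at or above this: prompt the employee to remove it
BLOCK_THRESHOLD = 8      # score at or above this: device is out of compliance


@dataclass(frozen=True)
class App:
    name: str
    permissions: frozenset
    malware: bool = False


@dataclass
class RolePolicy:
    role: str
    approved: set = field(default_factory=set)  # vetted by IT for this role
    banned: set = field(default_factory=set)    # frowned on by the employer for this role


def risk_score(app: App) -> int:
    """Sum the weights of the data an app can reach; malware short-circuits to the max."""
    if app.malware:
        return MALWARE_SCORE
    return sum(PERMISSION_WEIGHTS.get(p, 0) for p in app.permissions)


def evaluate(app: App, policy: RolePolicy) -> str:
    """Decide one app under one role's policy. Works for a not-yet-installed app too,
    which is the 'check before you download' use the article mentions."""
    if app.malware or app.name in policy.banned:
        return "BLOCK"
    if app.name in policy.approved:
        return "APPROVED"  # IT has vetted it for this role; the score is not consulted
    score = risk_score(app)
    if score >= BLOCK_THRESHOLD:
        return "BLOCK"
    if score >= REMOVE_THRESHOLD:
        return "REMOVE"
    return "ALLOWED"


def evaluate_device(installed, policy: RolePolicy):
    """Return (decision per app, device compliant?) for a device's installed apps."""
    decisions = {app.name: evaluate(app, policy) for app in installed}
    compliant = "BLOCK" not in decisions.values()
    return decisions, compliant


# Constructed inventory of one employee's device (names are invented).
SAMPLE_APPS = [
    App("CorpMail", frozenset({"calendar", "contacts", "network"})),   # score 7, but approved
    App("ShineLight", frozenset({"photos", "location", "contacts"})),  # flashlight-style app, score 7
    App("FitTrack", frozenset({"location", "network"})),               # score 3
    App("KidsPuzzle", frozenset({"network"})),                         # score 1; banned for finance only
    App("FreeWallpapers", frozenset({"photos"}), malware=True),        # flagged as malware
]

FINANCE = RolePolicy("finance", approved={"CorpMail"}, banned={"KidsPuzzle"})
ENGINEERING = RolePolicy("engineering", approved={"CorpMail"})

if __name__ == "__main__":
    for policy in (FINANCE, ENGINEERING):
        decisions, ok = evaluate_device(SAMPLE_APPS, policy)
        print(policy.role, "compliant" if ok else "NON-COMPLIANT", decisions)
```

The order of checks matters: the banned list and a malware flag override everything, an explicit approval overrides the score (IT already reviewed the app for that role), and only then does the permission-derived score decide. Running it shows the same `KidsPuzzle` app blocked for the finance role and merely allowed for engineering, which is the per-job-title tailoring the article describes.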

For the time being, Appthority’s risk-detection apps are only offered to employees of Appthority’s business customers. But the company is working on plans that may make the apps available to consumers.

As Appthority scans employee devices for signs of app-related risks, it picks up a sense of the practices and trust levels of these users. For one thing, the company deduced that staffers are letting their kids play with the same devices they use to do their work, Guerra says.

“In virtually every corporation, we see children’s apps all the time, even on corporate-owned devices,” Guerra says. “That’s a new risk.”

People are less guarded when they download children’s apps than they are with apps aimed at the adult market, Guerra says. This opens the door to a serious risk—that users will download apps that aren’t what they seem. Appthority identified a fake Disney app offered on the Google Play store—complete with Disney characters, but bearing adult content.

While employees might have trouble relating to company messages about firewalls and network security, Guerra says, they’re starting to get interested in cybersecurity as news coverage increases about issues such as Apple’s court fight with the FBI to preserve the encryption on iPhones.

“Security is becoming personal,” Guerra says. Employees are now using Appthority’s apps to evaluate apps their kids could be exposed to, he says.

Yet employees now use an average of 80 to 100 apps, and few consumers will read through all the terms and conditions before they download a new one. As yet, there aren’t many publicly available tools to make it easy for consumers to learn which apps to avoid, Guerra says. He says he still sees an industry gap in employee education and risk self-management tools. That could be changing, he says.

“I think there’s more of a sense that teamwork is required” for company cybersecurity, Guerra says. “It’s not going to be just IT folks in their labs creating a solution for the whole company.”
