The recent SolarWinds supply-chain attacks demonstrate the need to focus on the entire IT landscape and underscore the risks posed by every element of the supply chain. All enterprises and federal agencies use commercial mobile apps and are therefore exposed to mobile app supply-chain attacks, yet few are protected.
Mobile apps have become the new gateway to the enterprise and should concern executives, business leaders, and security, risk and compliance professionals. As a best practice, all organizations with users, customers and data should continuously monitor their mobile app supply chain for security, privacy and compliance risks.
The mobile app supply chain includes more than 6 million mobile apps publicly housed in Apple App Store™ and Google Play™ plus millions more custom mobile apps provided by vendors or built by outside consultants.
It’s clear that the mobile app supply chain presents a massive attack surface and risk to users, businesses and agencies alike. And the scope can be dramatic. For example, one of our customers has over 18,000 mobile user devices with 12,000 distinctly different mobile apps and versions. That’s 12,000 points of risk to the enterprise, many of which are updated monthly, weekly or even daily.
Examples of Mobile App Supply-Chain Incidents:
A growing community of attackers has learned how to exploit the myriad vulnerabilities found in mobile apps and the mobile app supply chain. Mapped to the MITRE ATT&CK framework for iOS and Android, mobile apps are used to attack the enterprise in three ways, as shown in the graphic below:
From reconnaissance, discovery and data collection, through deployment of exploits and penetration of backends, to lateral movement and exfiltration of enterprise data, mobile apps present as much or more risk than web and network attacks. And more often than not, the enterprise remains unaware and unprotected.
To mitigate risk, organizations should vet mobile apps for security issues when they are first requested for use, and re-vet them for changes each time they are updated. Common risks and attacker exploits include:
Only continuous vetting of mobile apps enables organizations to block high-risk mobile apps from use and protect the enterprise from mobile app supply-chain attacks.
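One way to implement the vetting triggers described above (vet on first request, re-vet on every update, block apps rated high risk), as an added example written for this page rather than NowSecure's own tooling; the inventory and ledger formats, the three-level risk scale and the sample data are assumptions:

```python
"""Continuous vetting triage: given the apps observed on managed devices and
a ledger of past vetting verdicts, decide which apps need (re)vetting and
which must be blocked. Formats, risk scale and sample data are assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    bundle_id: str
    version: str
    risk: str  # "low", "medium" or "high" (assumed scale)


# Constructed sample: apps seen on devices, bundle id -> installed version.
INVENTORY = {
    "com.example.mail": "4.2.0",
    "com.example.vpn": "1.9.3",
    "com.example.scanner": "7.0.1",
    "com.example.newchat": "0.1.0",
    "com.example.flashlight": "2.1",
}

# Constructed sample: vetting results recorded so far, one per app version.
LEDGER = [
    Verdict("com.example.mail", "4.2.0", "low"),
    Verdict("com.example.vpn", "1.9.2", "medium"),      # 1.9.3 never vetted
    Verdict("com.example.scanner", "7.0.1", "high"),
    Verdict("com.example.flashlight", "2.0", "high"),   # 2.1 never vetted
]


def triage(inventory, ledger):
    """Return (needs_vetting, blocked), each a sorted list of bundle ids.
    An app needs vetting when it is new (first request) or its installed
    version has no verdict (update). It is blocked when its installed
    version was rated high, or, failing closed, when it awaits re-vetting
    and any earlier vetted version was rated high."""
    verdicts = {}
    for v in ledger:
        verdicts.setdefault(v.bundle_id, {})[v.version] = v.risk
    needs_vetting, blocked = [], []
    for bundle_id, version in sorted(inventory.items()):
        vetted = verdicts.get(bundle_id, {})
        if version in vetted:
            if vetted[version] == "high":
                blocked.append(bundle_id)
            continue
        needs_vetting.append(bundle_id)
        if "high" in vetted.values():  # fail closed until re-vetted
            blocked.append(bundle_id)
    return needs_vetting, blocked
```

Run on the constructed data, the update of com.example.vpn and the new com.example.newchat land in the vetting queue, while com.example.scanner and the not-yet-re-vetted com.example.flashlight are blocked.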
The NowSecure Supply Chain Risk Management solution enables organizations to inventory and triage the risks in their existing mobile app portfolio and then continuously monitor all mobile applications throughout the enterprise.
Learn more about how NowSecure helps protect the mobile app supply chain through the U.S. Department of Homeland Security (DHS) Mobile AppVet program in this upcoming webinar, and read about the U.S. Marshals Service in this case study.