Mobile Threat Catalogue

Insecure Internally-developed App Installation

Threat Category: Enterprise Mobility

ID: EMM-10

Threat Description: Enterprises may install insecure internally developed enterprise applications onto enrolled devices via mobile application management (MAM) policy.

Threat Origin

Mobile Top Ten 2016 [1]

Exploit Examples

Not Applicable

CVE Examples

Not Applicable

Possible Countermeasures

Enterprise

Prior to deployment, ensure internally developed apps are evaluated with rigor, such as by using app-vetting services to establish confidence they present minimal risk to the enterprise and device users.

Consider the use of container solutions, such as Android for Work, that can prevent launching of managed apps when the device user is not authenticated to the work-centric container, thus minimizing the risk those apps present to the user outside of a work context.

Mobile Device User

For device users with concerns about the security implications of a mandatory enterprise app during personal use of the device, restrict its permissions or, if possible, temporarily disable it when operating the device in a personal context.

References

  1. Mobile Top 10 2016, Mar. 2016; www.owasp.org/index.php/Mobile_Top_10_2016-Top_10 [accessed 8/23/2016]