Why You Need a Data-Driven Approach to Vulnerability Management

With most of us working from anywhere, smartphones and tablets have become a big part of how we stay productive. At the same time, the average cost of data breaches continues to rise, averaging $4.35 million in 2022. While there are numerous threat vectors organizations have to juggle, this got me thinking about how applications and device vulnerabilities are currently managed. 

One of the most important ways you can protect your organization is by making sure that your employees’ mobile apps and operating systems (OS) are up to date. Every time a new security patch or software update comes out, they often resolve a number of vulnerabilities that, if not managed properly, will introduce a significant amount of risk.

It’s not that security professionals aren’t aware of this, but the traditional tools make the task of updating OSs extremely complicated and prone to error. It also doesn’t help that third-party mobile apps add an additional layer of complexity that most companies have not been able to address.

Something you need to keep in mind is that there is a trend of app vulnerabilities leading to remote compromise of an entire mobile device. This means any organization needs to start treating vulnerabilities in apps as a device-wide threat.

OS vulnerabilities are hard to manage with your existing tools

Most security-conscious organizations use mobile device management (MDM) solutions for their mobile vulnerability management (MVM). Unlike Windows, MacOS, or Linux in the desktop world, there’s no one source that can tell you which mobile devices have outdated OS versions or security patches. 

Further, you need to conduct research for each individual device type and then manually set policies on an MDM, and these policies usually need to be revisited on a weekly basis. For example, you would need to know that iOS 15.6 covers over 35 security vulnerabilities, including some that could grant malicious access to the device.

When you account for Android devices, which have updates specific to the carrier for every device model and security patch compatibility that varies across brands, this becomes practically impossible. 

The consequences of configuring your policies incorrectly can have a huge impact on productivity, too. For example, if you require an Android OS version or security patch level that’s too recent, it might accidentally mark half your devices as out of compliance with no patches available to bring them back into compliance. 

Because of this complication, how you restrict the out-of-compliance devices should depend on the type of compliance violation. You have to strike the right balance between flexibility and security to maintain peace of mind.

App vulnerabilities can lead to device compromise

While many are aware of the risks created by running an out-of-date operating system, few understand the risks of having out-of-date apps on devices. Historically, app vulnerabilities were self-contained, meaning that an exploitation in a particular app stays within that app — like a malicious actor decrypting a message that’s supposed to be encrypted on a messaging app. 

But this is no longer the case. There are now countless types of apps that threat actors can leverage. For example, the latest version of the mobile banking trojan Sharkbot, is disguised as a cleaning app and an antivirus app, to steal user logins. The Adobe Acrobat vulnerability enables remote code executions, which means threat actors don’t need physical control of the device nor privileged access to gain additional administrative rights. This is similar to how a rooted or jailbroken device is at higher risk of infection with administrator privileges. 

Why mobile app vulnerability management is critical to protecting your organization 

Just like how you worry about browsers and apps staying up to date on laptops and desktops, the same thing applies to mobile devices. And keep in mind that these endpoints have as much access to your corporate data as the traditional endpoints. 

Unfortunately, most organizations aren’t doing anything regarding mobile app vulnerabilities, a problem that is even more complicated than OS vulnerabilities. 

There are dozens of apps to keep tabs on per device. To protect a device, you need to know what apps are on it, and which ones are vulnerable and require updating. It’s tough enough to keep track of updates on a single personal device, even with auto updates enabled — now imagine handling thousands of devices with added information exposure risk at stake.

Unvetted sideloaded apps

Another risk area for app vulnerabilities and associated risks are sideloaded apps, which are often unvetted and come from untrusted sources. While sideloading is prohibited on both iOS and Android, there are ways around it. This is why you need the ability to track them and restrict corporate access when necessary. 

Hidden risks from SDKs

Another major blind spot are software development kits (SDKs), which are prepackaged code that makes app development easier. The good news is that vulnerabilities are often assigned to specific SDKs or libraries. The bad news is that a popular library could be included in hundreds of apps, which means it's very difficult for any individual or organization to understand which apps have risky SDKs.

Cut through the complexity

OS exploits will come and go, but mobile vulnerability management is not going anywhere. As you plan to implement a mobile vulnerability management process, I urge you to remember that app vulnerabilities in third-party apps can lead to device compromise, but they aren’t the only risk factors. 

Attackers now often focus on kill chains and remote device access, which are often harder to track. With information being shared more openly within the community, we notice an increasing number of vulnerabilities found with reports of exploits in the wild. Having checks to avoid being an open target even before the attack happens is often the best strategy

At Lookout, we’re able to overcome the lack of information on OS and app updates because we collect telemetry data from nearly 215 million mobile devices and over 269 million applications used around the world. As a result, we are able to provide real-world data to our customers about the updates available for their devices and apps. This information is based on the most reliable source of data available — actual real-world evidence that an OS update, security patch, or app update is available for this device. This helps the organizations by providing a simple way to define device obsolescence for all of their mobile devices — whether they are company-provided devices or BYODs.

For those of you with smaller teams, we simplify things for your mobile apps management (MAM) or MDM policy enforcement. We’ll soon be rolling out a feature where all you have to do is pick the security patch levels you’re the most comfortable with and we’ll handle the policy updating. For the larger enterprises that have the resources to dig into the data, Lookout also gives you the tools to customize your policies further.

‍

‍

Examples of how the Lookout MES console helps with vulnerability management for an iOS device (top) and an Android device (bottom). We’re able to tell you whether a device is running the latest operating system or security patch available for it, and what vulnerabilities are unpatched. 

In the second image, you can see the device is running as current of an OS as the hardware can handle. When that’s the case, you should think about retiring the device.

To protect your organization, you have to identify the gaps in the tools you are currently using. With the complexity that comes with managing mobile vulnerabilities, you need to look for a data-driven approach. 

Lookout has experts who have already created policy templates that can help most organizations handle their vulnerability management needs. We also have a platform that provides the data larger organizations would want to fine tune their policies. 

Visit our MVM product page to learn more about how Lookout can support your vulnerability management needs. To learn more about our security platform, including vulnerability management, check out our platform page.