High Risk Applications: what are they and how are they a danger to your business?

The global controversy of late that surrounds the TikTok app is a great example for IT professionals, employees and CEOs alike, to be able to familiarise themselves with the danger ‘high-risk’ applications can pose to them and their organisation’s critical business information.

When you hear the phrase ‘high-risk app’, there usually follows a vagueness in detail. How is an app high risk? Who is it targeting? What information are they after and why?

In short, a ‘high-risk’ app is defined as such by not having a clear answer to any of those questions, nor a transparent user policy as to what data is collected on the device, which third-parties will also have access and what their intent of use is for that data.

The physical security development and regular maintenance is also a key factor in assessing the risk of an app: if the app collects these large amounts of data and is not secure to external cyber breach, neither is that data. They open wide the doors for cyber criminals.

The overriding feature of an app that evaluates its risk level is dependent on how much data it seeks to collect on the user, and what permissions the user has given that app to access other applications, features or data on their mobile device. This could include the use of the camera function, location settings, even the device’s make, model and IMEI.

Founded in Beijing in 2016 by developers ByteDance, TikTok has been accused of affiliations with the Chinese government. India has been the first to ban the application in their country, with Australia, the US and the UK considering following in the same footsteps.

To date, approximately 2 billion people worldwide have downloaded the app, and it has around 1 billion active users. Yet it has been cited recently by IT experts that “none of the other popular social networking apps track their users to quite the extent that TikTok does,” and this is where the question mark over the security of user data raises its head. It’s perpetrated the rumour that copious amounts user data is being ‘harvested’ for the benefit of potential third-party authorities.

User device data that is collected includes; phone hardware information (like CPU type, memory use, hardware IDs and screen dimensions), other apps installed on the user’s device, network information (IP & MAC addresses and WiFi access point names), Jailbreak information (if relevant), GPS pinging, and local proxy server set-up with no authentication. The app also provides indirect access to a ‘Share to TikTok’ API, an SDK mobile integration that enables the user to add a button to applications and share their short videos with their online community.

And that’s only the data that users are typically unaware is being collected. Other, more personal demographical data, which users are required to opt in for, includes age, phone number, user-generated content posted, photos, videos, and even payment information. It really does beg the question: why does the app need to collect all this data on its users? And what other data on the user’s device is compromised?

In light of recent circumstances, many businesses have adopted a more flexible attitude to remote or home working. More employees than ever are now using their own mobile devices for dual work and personal purposes, with companies offering BYOD arrangements.

However, what many organisations are missing is the operational procedure of securing employee personal or business devices that are weak to external cyber threat. High-risk applications are just one of the ways BYODs are vulnerable, and TikTok is not the only app with questionable data collection practices.

For organisation’s already aware of the risks associated with applications, many have adopted blacklisting or whitelisting as a method to control which applications have permission to access device data. It has come to view recently that one of the most blacklisted applications on iOS devices by employers is WhatsApp – you can read why here. Others also include, Pokemon GO, WeChat and Facebook Messenger.

Ultimately, the risk applications pose to companies extends to incorporate the wider organisation’s policy on mobile device use (tablet, laptop or phone). Serbus is trusted by the UK government, MoD and world class brands to provide a fully-managed and integrated suite of mobile security tools built to ensure security and safety for teams working remotely.

To learn more about how Serbus can be of assistance in securing your workforce, get in touch today on [email protected], or call our office on +44 (0)1432 870 879.