Full Report
This report outlines the risks associated with the use of official and third party app stores.
Analysis Summary
# Best Practices: Secure Application Acquisition and Management
## Overview
These practices address the security risks inherent in the ecosystem of official and third-party application stores. They aim to mitigate threats such as malware distribution, data leakage through excessive permissions, fraudulent applications, and the vulnerabilities introduced by bypassing platform security controls (e.g., "sideloading").
## Key Recommendations
### Immediate Actions
1. **Enforce Official Stores Only:** Distribute a policy strictly prohibiting the installation of applications from third-party stores or unverified websites.
2. **Enable Automatic Updates:** Configure all managed devices to automatically download and install application and system updates to patch known vulnerabilities.
3. **Audit App Permissions:** Review "high-risk" permissions (location, microphone, contacts) for high-usage business apps and revoke those not essential for functionality.
### Short-term Improvements (1-3 months)
1. **Implement MDM/UEM:** Deploy Mobile Device Management (MDM) or Unified Endpoint Management (UEM) to gain visibility into installed applications across the fleet.
2. **Establish an "Approved App" List:** Create a curated list of vetted applications for business use and communicate this to employees.
3. **Disable Sideloading:** Use technical controls (via MDM or OS settings) to prevent the installation of apps from outside official stores (e.g., disabling "Unknown Sources" on Android).
### Long-term Strategy (3+ months)
1. **Managed Play/App Store:** Transition to a "Managed Play Store" (Android) or "Apple Business Manager" environment where users can only see and install IT-approved applications.
2. **App Reputation Scanning:** Integrate automated app vetting tools that analyze binaries for malicious behavior or privacy violations before approval.
3. **Zero Trust Integration:** Incorporate device health/app compliance into Zero Trust Access policies (e.g., deny access to corporate data if a device has a blacklisted app installed).
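As an added illustration (not from the report or from any MDM product), the Python below evaluates a constructed MDM inventory export against the recommendations above: sideloading disabled, apps only from the official store or MDM, membership in the approved-app list, high-risk permissions limited to those with a business justification, and an OS version floor, then feeds the findings into a simple Zero Trust allow/deny decision. The inventory record format, app identifiers, version floors and the justified-permission map are all assumptions made for this example.

```python
from dataclasses import dataclass

# Constructed policy inputs (assumptions for this example, not vendor defaults).
APPROVED_APPS = {"com.example.mail", "com.example.chat", "com.example.vpn"}
HIGH_RISK_PERMISSIONS = {"LOCATION", "MICROPHONE", "CONTACTS", "CAMERA"}
# High-risk permissions each approved app is allowed to hold (business case on file).
JUSTIFIED_PERMISSIONS = {"com.example.mail": {"CONTACTS"},
                         "com.example.chat": {"MICROPHONE", "CONTACTS"}}
MIN_OS = {"android": (13, 0), "ios": (17, 0)}        # (major, minor) floor per platform
OFFICIAL_SOURCES = {"store", "mdm"}                  # anything else counts as sideloaded

@dataclass
class Device:
    device_id: str
    platform: str                 # "android" or "ios"
    os_version: tuple             # (major, minor)
    unknown_sources_enabled: bool # Android "Unknown Sources" / equivalent flag
    apps: list                    # [{"id": str, "source": str, "permissions": [str]}]

def evaluate(device: Device) -> list:
    """Return the policy findings for one device; an empty list means compliant."""
    findings = []
    if device.unknown_sources_enabled:
        findings.append("SIDELOADING_ENABLED")
    if device.os_version < MIN_OS[device.platform]:
        findings.append("OS_OUTDATED")
    for app in device.apps:
        if app["source"] not in OFFICIAL_SOURCES:
            findings.append(f"SIDELOADED_APP:{app['id']}")
        if app["id"] not in APPROVED_APPS:
            findings.append(f"UNAPPROVED_APP:{app['id']}")
        # High-risk permissions held beyond what the business case justifies.
        excess = (set(app["permissions"]) & HIGH_RISK_PERMISSIONS) \
                 - JUSTIFIED_PERMISSIONS.get(app["id"], set())
        if excess:
            findings.append(f"EXCESS_PERMISSIONS:{app['id']}:{','.join(sorted(excess))}")
    return findings

def access_decision(findings: list) -> str:
    """Zero Trust rule assumed here: any finding denies access to corporate data."""
    return "deny" if findings else "allow"

def compliance_report(inventory: list) -> dict:
    return {d.device_id: evaluate(d) for d in inventory}

# Constructed inventory export: three devices, one deliberately non-compliant.
INVENTORY = [
    Device("dev-001", "android", (14, 0), False,
           [{"id": "com.example.mail", "source": "store", "permissions": ["CONTACTS"]}]),
    Device("dev-002", "android", (12, 0), True,
           [{"id": "com.example.chat", "source": "store",
             "permissions": ["MICROPHONE", "CONTACTS", "LOCATION"]},
            {"id": "net.example.sideloaded", "source": "sideload", "permissions": ["LOCATION"]}]),
    Device("dev-003", "ios", (17, 2), False,
           [{"id": "com.example.vpn", "source": "mdm", "permissions": []}]),
]
```

Run `compliance_report(INVENTORY)` to see which devices the "Set and Forget" pitfall would hide; `access_decision` turns each device's findings into the allow/deny signal a Zero Trust access policy would consume.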
## Implementation Guidance
### For Small Organizations
- **Focus on Policy:** Set clear expectations with employees regarding app usage.
- **Native Tools:** Use built-in features like Google Safe Browsing and Apple’s "Find My" / Remote Wipe.
- **BYOD Guidance:** Provide a "Security Checklist" for employees using personal devices for work.
### For Medium Organizations
- **Standardize Devices:** Limit the variety of hardware/OS versions to make patching more predictable.
- **MDM Basics:** Use a cloud-based MDM to enforce screen locks, encryption, and basic app restrictions.
### For Large Enterprises
- **Containerization:** Use "Work Profiles" (Android Enterprise) or "Managed Open In" (iOS) to strictly separate corporate data from personal apps.
- **In-House Vetting:** Develop a formal process for security teams to vet internal or custom-built line-of-business apps.
## Configuration Examples
- **Android Enterprise:** Have the device policy controller apply the `DISALLOW_INSTALL_UNKNOWN_SOURCES` user restriction (via `DevicePolicyManager.addUserRestriction`) so that "Unknown Sources" cannot be switched on by the user.
- **iOS/macOS:** Use the `allowAppInstallation` restriction key set to `false` if providing a completely locked-down kiosk-style device, or use `managedAppConfiguration` to pre-set security settings.
## Compliance Alignment
- **NIST SP 800-124:** Guidelines for Managing the Security of Mobile Devices in the Enterprise.
- **ISO/IEC 27001:** Controls related to mobile device policy and access control.
- **CIS Controls:** Control 02 (Inventory and Control of Software Assets) and Control 13 (Network Monitoring and Defense).
- **Cyber Essentials (UK):** Requirements for software updates and restricted administrative privileges.
## Common Pitfalls to Avoid
- **"Set and Forget" MDM:** Implementing MDM but never reviewing the reports for "out of compliance" devices.
- **Over-Permissioning:** Granting custom-built internal apps all permissions "just in case," creating a larger attack surface.
- **Ignoring Shadow IT:** Failing to provide official alternatives to popular third-party tools, which drives users back to unofficial stores.
## Resources
- **NCSC Device Security Guidance:** https://www.ncsc.gov.uk/collection/device-security-guidance
- **Android Enterprise Security White Paper:** https://www.android.com/enterprise/
- **Apple Platform Security Guide:** https://support.apple.com/guide/security/welcome/web
- **NCSC Cyber Essentials:** https://www.ncsc.gov.uk/cyberessentials/overview