The importance of mobile application security for legal firms
09 October 2019
Mobile application security in the legal sector
At the Alternative Legal IT Conference 2019, Appurity hosted a stand to raise awareness of mobile application security in the legal sector. Our team was joined by Lookout experts Burak Agka and Joe Rich. In this extended blog, we share their unrivalled knowledge.
How did Lookout come about?
Lookout is an iOS and Android security company that’s been around for a decade. Their technology provides intelligence around iOS and Android and the applications running on those platforms.
Lookout ingests, analyses and surfaces threats in applications served up from public app stores. In addition, more than 300 side-load stores (non-public app stores) are tracked. As a result, Lookout has amassed an “Application Corpus” of more than 90 million mobile applications.
A recent IDC report ranks Lookout as a leader in Mobile Applications Security Testing (MAST).
Why Lookout chose to partner with Appurity.
“Appurity is one of our closest partners. We’ve been working with their award-winning team very closely over the last 18 months to ensure they have the knowledge and skills to deliver the very latest developments in mobile cyber security. Technically, Appurity is fully-enabled to help customers in the legal sector and beyond to employ and deploy mobile threat defence using Lookout solutions.”
Burak Agka, Enterprise Sales Engineer at Lookout
What does Lookout look out for?
By applying data forensics, Lookout provides organisations (including many legal firms) with visibility into the risky behaviours of the mobile applications that these organisations make available to their employees.
Mobile apps can access a wide range of artefacts on today's phones, which have many more capabilities than most desktop devices. A smartphone runs a complete operating system that is continuously connected to the Internet, so at any one time its apps may be talking to a large number of remote endpoints, most of which the device owner has never heard of.
Security issues stem from the fact that applications can access a wide range of artefacts: your address book, calendar, microphone, camera, location, even your clipboard. Every one of those artefacts represents a potential leak of data that the organisation is responsible for.
“If applications aren’t managed closely from a visibility perspective – i.e. if businesses don’t know what apps are capable of – then they’re opening themselves up to significant risk from a data perspective.”
Burak Agka, Enterprise Sales Engineer at Lookout
Challenging behaviours
Lookout’s experts have identified what they call “a push/pull of capabilities” in popular mobile applications. This may be caused by political, regional, economic or legislative reasons, but on any given release of an application behaviours can vary radically.
In March 2018, Instagram had certain IP addresses hard-coded into the application, and those addresses resolved to servers in Russia. By March this year, Instagram was no longer talking to Russia. But a few months later that behaviour re-emerged in the next release.
While desktop and laptop application lifecycles are tightly governed in a corporate environment, there’s very little enterprise-grade mobile application assessment going on. This means no visibility into app behaviour for most companies.
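As an added example (this is not code from the page, from Lookout or from Appurity), the following Python script shows the kind of release-to-release check a firm could run itself on a decompiled Android package: it maps the permissions declared in an app's AndroidManifest.xml to the artefacts discussed above (address book, calendar, microphone, camera, location), scans the strings extracted from the binary for hard-coded IPv4 literals, and then diffs two releases so that a "push/pull" of capabilities like the Instagram case stands out. The two manifests, the string lists, the package name and the permission-to-artefact mapping are all constructed for this example.

```python
"""Release-to-release capability diff for an Android app (constructed example)."""
import ipaddress
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping of Android permissions to the artefact they unlock.
# The real permission list is much longer; this covers the artefacts named above.
ARTEFACT_BY_PERMISSION = {
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
}

# Dotted quad not embedded in a longer dotted-digit run (so "1.2.3.4.5" is skipped).
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Constructed manifests for two releases of a hypothetical app.
OLD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photoapp">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

NEW_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photoapp">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

# Constructed output of a `strings`-style pass over each release's binary.
OLD_STRINGS = ["https://api.example.com/v1", "203.0.113.7", "2.5.0"]
NEW_STRINGS = ["https://api.example.com/v1", "203.0.113.7", "198.51.100.23:443", "2.6.0"]


def declared_artefacts(manifest_xml):
    """Return the set of sensitive artefacts the manifest's permissions unlock."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return {ARTEFACT_BY_PERMISSION[p] for p in perms if p in ARTEFACT_BY_PERMISSION}


def hardcoded_ips(strings):
    """Return every syntactically valid IPv4 literal found in the extracted strings.

    Version numbers with four components will match too; that is deliberate,
    a reviewer triages the list rather than the script guessing.
    """
    found = set()
    for s in strings:
        for candidate in IPV4_RE.findall(s):
            try:
                found.add(str(ipaddress.IPv4Address(candidate)))
            except ValueError:
                continue  # e.g. an octet above 255
    return found


def compare_releases(old_manifest, old_strings, new_manifest, new_strings):
    """Diff artefact access and hard-coded endpoints between two releases."""
    old_art, new_art = declared_artefacts(old_manifest), declared_artefacts(new_manifest)
    old_ips, new_ips = hardcoded_ips(old_strings), hardcoded_ips(new_strings)
    return {
        "artefacts_added": new_art - old_art,
        "artefacts_removed": old_art - new_art,
        "ips_added": new_ips - old_ips,
        "ips_removed": old_ips - new_ips,
    }


if __name__ == "__main__":
    report = compare_releases(OLD_MANIFEST, OLD_STRINGS, NEW_MANIFEST, NEW_STRINGS)
    for key, value in report.items():
        print(f"{key:18s} {sorted(value)}")
```

In practice the manifest comes from `apktool d` (which decodes the binary XML) and the string list from `strings` over the classes.dex and native libraries; the point of the diff is that a release which silently gains microphone or calendar access, or starts talking to a new hard-coded address, is flagged before it reaches fee earners' devices.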
The legal issues
Mobile security is vital in the legal profession. In the hands of a fee-earning lawyer or barrister, a smartphone poses a very significant risk. Such devices hold a plethora of important data, and we're not just talking about personal documents like banking details. There are legal writs, client financial information and privileged case data to account for too.
What's most shocking is that so many legal firms are still unaware of the risks, especially when everyday applications like Instagram and WhatsApp can access, and transmit, a phone's address book, calendar, location and clipboard.
“In most conversations, our customers are surprised to hear about these threats. There’s a general knowledge gap across the legal sector. That’s a strong statement but it’s also my professional opinion. As of March 2018, pretty much every firm in the UK was in breach of GDPR – assuming their employees had Instagram on their devices, which is more than likely.”
Burak Agka, Enterprise Sales Engineer at Lookout
Uncovering the evidence
You don’t have to look hard to find recent and relevant evidence of mobile applications posing threats to users.
In May this year there was a high-profile news story when WhatsApp was compromised (not for the first time). The cause was a buffer overflow in WhatsApp's voice-call (VoIP) handling (CVE-2019-3568): an attacker could deliver NSO Group's Pegasus spyware to a target's device simply by placing a WhatsApp call, and the target did not even need to answer it. A missed call was enough.
WhatsApp patched the vulnerability quickly. But it's important to separate the two things at work here. Badly written code isn't a threat; it's a vulnerability. The threat is the actor, criminal or nation state, that exploits it. Those actors are the real cause of threats to mobile devices.
Check online and you'll see NSO Group positioned as a highly sophisticated cyber company helping governments to track down terrorists and criminals. Ultimately a force for good, right? Dig deeper and you'll find the company accused of enabling human rights abuses, because Pegasus has been found deployed by dozens of governments against journalists, lawyers and dissidents as well (Citizen Lab counted suspected Pegasus infections in 45 countries in 2018). China is often cited as the extreme case of a state monitoring pretty much everybody and everything, although that is general state surveillance rather than a documented Pegasus deployment.
According to the leading Lookout experts, organisations like NSO Group pose a major threat to highly regulated industries, such as the legal sector, where data sovereignty is of the utmost importance.
This isn't a new phenomenon. Back in 2016, the Citizen Lab research organisation approached Lookout to analyse a sample of NSO Group's Pegasus, a Mobile Advanced Persistent Threat (MAPT) that is in effect a Remote Access Trojan (RAT) for iOS. That sample was delivered via the "Trident" chain of three iOS zero-day vulnerabilities, which Apple patched once the research was published.
However, it’s not all doom and gloom. Appurity and Lookout are helping a wide range of legal firms to safeguard against such threats and use mobile applications in a secure and productive way.
“At a nation-state level, we know data is being exfiltrated and activities are being monitored. NSO Group’s Pegasus spyware instigates a command and control (C2) service to control device capabilities – like the camera or the microphone. In the UK, a legal representative was targeted by this spyware via their phone’s WhatsApp application.”
Burak Agka, Enterprise Sales Engineer at Lookout