Abandoned mobile apps, domain names raise information security risks

Whether it’s an unfortunately short shelf life or a discontinued need, mobile apps are often abandoned by their creators who sometimes move on to a bigger, better deal. 

Should the domain be abandoned by its creator, a lot of domain-specific data is left out in the wild. The apps can still contact custom domain names for arbitrary tasks like configuration changes, application updates or publishing information. 

The traffic from a mobile device that is still trying to connect to an old and expired domain exposes lots of personal information — contact data, text messages, pictures, GPS data and call logs all sitting at risk of an attack.

Though it’s not necessarily a new issue in information security, it is a growing trend that should raise some concern, particularly with mobile apps. Because of the way everyone uses cloud services, this old habit can create new risks that not many people are paying attention to, said João Gouveia, CTO of Anubis Networks.

“When you have devices, software or anything that depends on external domain names and any of those domains are dropped, anyone can grab that domain name,” Gouveia said.

If an adversary is able to access that domain, they have control over that infrastructure. And Anubis Labs has found this to be much more common of late. Of particular concern to Gouveia is that a user can download apps on either a personal or corporate device, potentially putting enterprise security at risk.

“Users download apps, but after a period of time, the developer decides to no longer maintain the domain,” said Gouveia. They let the infrastructure that maintains that app collapse, and attackers take advantage of the absence of that infrastructure.

Given the number of devices that communicate with external domains about everything from door alarms to room temperatures, security practitioners should certainly pay closer attention to mobile apps.  

“The apps themselves are still in operation, so the dropped domain may not have a functional impact on the application. But if the dropped domain is compromised, it can still leak out that data,” Gouveia said.

Protecting against abandoned domain names

From a security perspective, though, is this a growing trend or another hyped up potential threat? Is orphaned traffic a risk to your business, and how can you protect against it?

“Protecting is really hard,” Gouveia said. “The biggest challenge is the ability to detect it — to identify situations where internal software is trying to reach out to domain names that don’t exist and then block access to those domains.”

Even in the cases where you can detect it, “system administrators won’t have control over applications,” Gouveia said. Appliances rely on the domain for updates, but they don’t validate the origin of the updates.

If they can’t do much to help validate the update’s origin, what is the solution?

“System administrators have to be cognizant of monitoring for malicious traffic, but they are not paying attention to this attack surface,” Gouveia said.

Often these issues are a result of misconfiguration or someone forgetting to renew a domain name. A good place to start, said Gouveia, is by making sure you have a better understanding of the devices on the network and how those are supported by the developer of the software.

Then use technology to defend against human error. Only give employees laptops that have a predefined environment, and don’t give administrative privileges to users, said Gouveia. Don’t allow users to arbitrarily download applications.

If all else fails, you can try mobile management solutions.