Security Experts:

Enterprises Warned About Risky Connected Third-Party Apps

More than a quarter of the third-party apps used in enterprises are risky, and one of the most problematic are connected cloud applications, according to cloud security company CloudLock.

CloudLock CyberLab’s Cloud Cybersecurity Report for the second quarter of 2016, which is based on the analysis of over 150,000 unique apps and 10 million users, shows that the use of third-party apps has increased 30 times over the past two years.

The security firm pointed out that organizations must not neglect a very important aspect when addressing the issue of “shadow IT,” the term used to describe applications and systems used by employees without approval from IT security teams. One technology that can introduce serious risks is OAuth, an authentication protocol that allows users to approve apps to act on their behalf without sharing their password.

The problem, according to experts, is that OAuth-connected applications can have extensive access to corporate data. These types of apps can request permission to view, delete, transfer and store corporate data when enabled using corporate credentials, which is why it’s important that organizations identify these applications, particularly those that pose the highest risk.

“On a daily basis, employees are utilizing apps without notifying IT, and authorizing OAuth connections through their corporate credentials. If these apps are malicious by design, or the connected application’s vendor is compromised, this opens the door to cybercriminals deleting accounts, externalizing or transferring information, provisioning or deprovisioning users, changing users’ passwords, modifying administrator’s settings, performing email log searches, and more,” CloudLock said in its report.

Across all the industries monitored by CloudLock, on average, a total of 733 third-party apps are connected to the corporate environment in each organization, with the higher education, technology and media sectors at the top of the chart.

Of the 156,000 third-party apps that have been granted access to corporate systems this year, security teams classified 27 percent as “high risk.” Experts noted that the percentage of high risk apps connected to corporate systems is roughly the same all around the world.

The list of top 10 risky apps includes various games, music players, the Goobric Web App, and the Pingboard employee directory software. The most risky application is the mobile strategy game Clash Royale. While these apps are not necessarily risky by nature, they can represent a serious problem if they are compromised – mainly due to their extensive access to corporate environments and the high number of privileged users.

In the enterprises analyzed by CloudLock, more than half of third-party applications have been banned due to security concerns. The top 10 banned apps are WhatsApp, Zoho Accounts, SoundCloud, Sunrise Calendar, Power Tools, Pinterest, Free Rider HD, Airbnb, Madden NFL Mobile and CodeCombat.

Related: Broadly Shared Files a High Risk for Enterprise Data

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.