Understanding Today’s Mobile Software Supply Chain Risks

The concept of supply chain risk continues to rise to the forefront in government, and for good reason.  

According to a Ponemon Institute survey, 56 percent of organizations have had a breach that was caused by one of their vendors, and some agencies have begun identifying ways to curb the vulnerabilities in the supply chain.

The Government Accountability Office also recently published a report about how supply chain threats are present during the various phases of an information system's development lifecycle and could create an unacceptable risk to federal agencies.

In response, the Homeland Security Department has opened a risk management center, and one of its key goals is to bolster the security of the telecommunications supply chain. With more and more workers conducting business on mobile devices outside the perimeter, telecom supply chains are of particular interest now. In addition, National Institute of Standards and Technology recently launched its updated supply chain risk framework for public comment.

It’s Now a Software World in the Supply Chain

While government policies and guidelines are being created, there is much for federal leaders to understand when it comes to supply chain risk—without needing to wait for these directives.

For instance this year, the federal news cycle with regards to supply chain risk primarily fell into the hardware category, with the Defense Department prohibiting the use of equipment from certain Chinese telecommunications companies.

The reality is that supply chain risk is also a concern in the software frontier. Many software applications are built from open source solutions and multiple code libraries, which can cause unintended risks. These risks could pose threats by using a vulnerable open source library or by sharing data with advertisers, for example.

Most consumers of software applications don’t fully know how the apps were built—pointing to a need for more visibility into the components and risks that come with building the software.

The Supply Chain is Also in the Cloud

The global market for government cloud services will reach $49.2 billion by 2023, creating demand for systems and solutions to secure the cloud supply chain. This is mainly driven by government employees accessing data to be productive, much of which has moved outside of the traditional perimeter to the cloud.

Thankfully, efforts like FedRAMP enable agencies to embrace a standardized framework for cloud security. However, there’s always room for agencies to do more to ensure that all procured cloud products and services are truly secure.

Enabling mobility and the ability to access data seamlessly is great for accomplishing the mission, but mobile devices often access data over cellular and untrusted WIFI so it also causes a serious challenge to agency security teams who rely on perimeter provisions such as firewalls and secure web gateways—especially with an expanding threat landscape.

How the Threats Manifest Themselves

Typically, the threats come through as basic social engineering on mobile devices, which introduce a variety of new points-of-entry for attackers. Traditionally, hackers have used email as the avenue for phishing attacks on desktop, but on mobile, you must also take into account social media apps, messaging apps, personal email accounts and SMS.

From a mobile device perspective, these threats can easily manifest from these channels, and the malware can send phishing text messages to the phone to trick the user into installing software or eliciting sensitive information such as login credentials.

In addition, threats can manifest themselves into apps already approved in today’s app stores. For example, in 2015 researchers at Lookout reported on a piece of iOS malware called XcodeGhost discovered in a number of apps in a popular app store. The attackers were able to sneak the malicious code into some very popular apps without the app developers’ knowledge by compromising the app development tool used to recompile the apps and could have potentially impacted hundreds of millions of victims.

Solution: Visibility, Policy and Immediate Action

Many government agencies often don’t have full visibility into their software application landscape, and the potential threats that lurk there. As such, the mobile security teams at any federal agency need to gain visibility to understand what an app is doing behind the scenes, well beyond the UI for the end user, while ensuring user privacy.

In addition, agencies should ask themselves what data does the app access, how does it share that data, and what advertising SDKs does it use? All of these questions, and many others, paint a picture of the risks that an app may introduce.

From there, the next step is to create sound policies around mobile applications, as well as develop access control and vulnerability management efforts through post-perimeter security efforts that protect data that is collected on a government device and stored in the cloud.

This should include continuous conditional access at employee endpoints to ensure that policies are enforced at all times and device health checks are happening before authentication to agency resources.

Agencies also have the opportunity to select, based on their risk tolerance, policies that help ensure devices stay compliant with internal and external mandates. If a device exceeds the acceptable level of risk, as defined by the agency, new solutions will send a remediation message to the employee, flag the issue to the admin in the solution’s console, and log the employee out of any agency resources.

Tackling mobile device supply chain management risk on a policy and hardware level is certainly a priority. However, we have moved more into a software- and cloud-based world allowing malware threats to easily find their way onto the software of any device through the distribution channel.

By gaining more visibility, developing policies and taking immediate action beyond the traditional perimeter, federal cyber leaders can be highly proactive in securing their software supply chains.

Tim LeMaster is the director of systems engineering at Lookout.