Mobile Device App Inventory Auditing with Nessus 6.5
In the world of mobile apps, if you are looking for malware, there are apps (yes, plural) for that. How about one that leaks sensitive content? There are apps for that, too. Pick any other mobile attack vector; chances are there is an app for that as well. Regardless of how well your Mobile Device Management (MDM) policies are set up, if mobile apps are not part of your equation, then you are missing a big piece of the problem. After all, a smartphone is only as secure as the most insecure app on it.
A smartphone is only as secure as the most insecure app on it
And with millions of mobile apps to choose from, it seems that the next big opening into your network might just be an app away. To get a sense of how bad this problem is, all you have to do is look around for mobile app reputation services. There is literally a cottage industry built around recommending whether a mobile app is good, bad or ugly.
It’s only natural for our customers to look for a solution to solve this problem. With the release of Nessus® 6.5, we are expanding our MDM auditing capabilities to audit mobile apps installed on mobile devices.
When we set out to tackle this problem, we identified four areas where Nessus could add value. First, provide a way to review which mobile apps were installed on which mobile devices. Second, provide a way to determine whether all required apps are installed. Third, provide a way to verify that only whitelisted apps are installed. And finally flag any non-approved or blacklisted apps. Nessus 6.5 meets all these requirements.
To use this feature, simply upgrade to Nessus 6.5, use the MDM Config template, and follow the wizard to set up the scan. The existing MDM .audit policies were updated to audit mobile apps to do the job for you.
The Nessus MDM audit policies are updated in version 6.5 to report on all installed apps.
Before you can start creating a policy around mobile apps, you first need to know what kinds of apps are installed on the mobile devices. The Nessus MDM audit policies are updated in version 6.5 to report on all installed apps.
As you start tightening your mobile app policy, you may want to make sure that certain apps are installed on all mobile devices managed by your organization. For example, you may have a requirement to have an anti-virus app or a VPN app installed on all devices. The updated audit policies will help you do that.
Another variant of the required apps feature is the whitelisted apps feature. For example, your organization might decide to approve any app from Google. Therefore instead of approving each individual app, you could have a blanket approval for all apps from Google with a filter such as Google .+. Any app that is not part of the whitelisted pool of apps will be flagged.
And finally, there are certain apps which shouldn’t be installed on mobile devices under any circumstance. This could be due to concerns around malware, privacy or even network bandwidth consumption. Any app that is part of a blacklisted pool of apps will be flagged.
XcodeGhost affected apps
The updated audit policies will also help you look for XcodeGhost affected apps.
Sometimes the best features write themselves and the use cases for them just drop out of the sky. When we set out to implement the blacklisted apps feature in 6.5, XcodeGhost was not even on our minds, and yet when Nessus 6.5 ships, this might be the most important use case for this new feature. The updated audit policies will also help you look for XcodeGhost affected apps.
How are whitelist/blacklisted apps defined?
Now that you know it’s possible to create a blacklisted/whitelisted pool of apps in Nesssus 6.5, the next question you may have is how does one go about configuring these apps? The answer is pretty straightforward. The list is essentially a comma-separated list of apps configurable through the Nessus UI for that specific .audit.
Here’s an example:
Note that it also accepts and regexes version numbers, which is a very powerful way to blanket approve/disapprove apps either by app name or version number. By default, the lists are not defined (.*) and will report a PASS result.
Which MDMs are supported?
Nessus 6.4 includes MDM auditing capabilities for MobileIron and AirWatch, and Nessus 6.5 extends those capabilities to audit Mobile Apps. Nessus 6.5 also includes the ability to audit mobile apps with Apple Profile Manager.
If you watch Nessus releases closely, you may have noticed that Tenable’s mobile story is steadily growing. We first released the capability to detect mobile device vulnerabilities including jailbroken devices; we then followed it up by integrating Nessus with MDM platforms such as MobileIron. And just last quarter we took our integrations to the next level by auditing the MDM policies themselves. Now we are adding the ability to audit mobile apps installed on mobile devices. We’re not done! When it comes to auditing mobile devices, we are just getting started.