(Editor's Note) Updated October 6, 2017: In response to this story, a WinZip contacted ZDNet: "WinZip does not send SMS messages. We aren't aware of any valid reason why Appthority would consider WinZip for iOS a security risk."
Update October 11, 2017: Appthority has defended their research, commenting:
"The list of blacklisted apps in the report included WinZip for iOS version 4.7.6, hash 3a4ffefa5badfe3cc5a6bd9c418ea438. Appthority's static and dynamic risk analysis determines the risk that is assigned to various mobile app behaviors.
Regarding the reported behavior, Appthority confirmed the presence of code that can send SMS messages in the app. The code appears to be present as part of the Google Ads library, observed in the function -[GADOpener openSmsComposer:]. Even if the code is not intended for use in normal operation of the app, Appthority considers its presence to be a risk as there may exist conditions where it can be activated.
Appthority's risk score was 7 for the 4.7.6 version of the WinZip app that enterprises blacklisted. This was calculated by the presence of behaviors including the above presence of SMS sending code, as well as others including cloud file storage, sending of PII, and jailbreak detection."
WhatsApp Messenger, WinZip, and Where's My Droid Pro have made the list for the most blacklisted iOS and Android apps in enterprise environments.
On Tuesday, mobile security firm Appthority launched the latest Enterprise Mobile Security Pulse Report, a glimpse into how enterprise players tackle mobile security and network threats by banning apps considered to be a threat from accessing corporate resources and platforms.
Corporations can blacklist mobile applications for a variety of reasons. Known security holes and vulnerabilities or ways for confidential information to be leaked, a lack of secure communication and encryption, and links to threat actors or countries known for spying campaigns can all be reasons for barring an app on corporate devices, alongside compliance issues.
However, in the age of bring your own device (BYOD) schemes and corporately owned, personally enabled (COPE) platforms, it is not always possible to prevent app installation, but IT admins can at least prevent these applications from connecting to their networks.
According to Appthority, in Q3 2017, WhatsApp Messenger, Pokémon GO, and WinZip were the top blacklisted apps for iOS, together with CamScanner. Poot-debug(W100).apk, an Android System Theme, Where's My Droid Pro, and weather software were the apps most likely to be banned on Android devices.
WinZip told ZDNet:
"We believe WinZip for iOS has been included in error. WinZip does not send SMS messages. We aren't aware of any valid reason why Appthority would consider WinZip for iOS a security risk.
WinZip software is very popular with enterprise accounts and security is our top priority. We have asked Appthority for any further details they can provide us and if a valid security issue has been identified in our iOS app, we want our users to rest assured that we'll take action to fix it as soon as possible."
The report suggests that Android apps were usually blacklisted because malware was detected, and iOS apps were most likely to be banned due to data leakage risks, sending SMS messages -- not necessarily with consent -- or transferring data including GPS locations and sensitive information without encryption.
As a whole, tools for Android devices were banned most often, while social media and communication apps for iOS are treated with suspicion.
Appthority says that based on "mobile risk scores" related to vulnerabilities and the risk of data leaks, Uber, WhatsApp Messenger, and Facebook Messenger are the riskiest Android apps commonly found in enterprise environments.
Facebook, Pandora, and Yelp on the iOS platform are the most likely to cause a security breach.
"Enterprise security teams need to understand which mobile apps are being used, the risks they bring, and how their peers are utilizing mobile threat policies to more effectively secure corporate data," said Domingo Guerra, president of Appthority. "With BYOD and COPE, many commonly used app-store approved apps are making their way into enterprises and posing risks to sensitive corporate data."
In July, Trend Micro and VMware announced a new partnership to tackle enterprise mobile security issues. The companies plan to create new solutions which will automatically detect and tackle mobile threats on corporate networks.