Appthority Flags Bad Apps, Recruits Employees As Cyber Defenders

a total of $16.25 million from investors including U.S. Venture Partners, Venrock, Blue Coat Systems, and Knollwood Investment Advisory. Appthority doesn’t disclose its revenues.

Over the five-year period since Appthority’s founding, business attitudes toward mobile use and its restrictions have gone back and forth, Guerra says. IT departments had previously presided over in-house desktops and laptops equipped with programs they had vetted themselves. In the early mobile era, however, they were losing visibility over the apps in use, who had made them, and how they would behave, he says.

“The first approach was to try to be very restrictive,” Guerra says. Employees were issued company-owned devices pre-loaded with approved apps, and barred from using their personal devices.

But as the populace rapidly acquired mobile devices, the relationship between company IT departments and employees suffered some strains. Staffers pressed for permission to use their personal smartphones and tablets on company projects, and to download new apps to make their work more efficient. But that brought headaches for IT personnel, who couldn’t be sure that all those devices and apps were free of malware and other openings for corporate data leaks. Manually reviewing each requested app was very time-consuming, Guerra says.

“Some IT departments threw up their hands and gave up,” Guerra says of the period between the end of 2013 and early 2014. This led to a proliferation of app use. Other IT leaders took the stance, “If we can’t evaluate it, you can’t use it,” Guerra says.

Since then, security shields such as MobileIron’s mobile device management system have made IT leaders more comfortable with the use of personal devices as workplace tools, Guerra says.

Appthority concentrates on risk-scoring the evolving ecosystem of apps, which may not only contain malware but can also include invasive functions that aren’t necessarily illegal. Consumers often grant app makers the right to use these functions when they accept the long and wordy terms and conditions of a download, or tap through the operating system’s permission prompts without reading them.

Such apps can strip data from calendars, address books, photos, password lists, and other files on a smartphone or tablet, Guerra says. This personal data presents a security risk to employers, not only by revealing insider company information such as meeting details, but also because it can be used to fool a worker into taking actions that breach a company network. For example, a hacker can send a fake message in the name of a known colleague and induce the target worker to click on a malicious link. That opening gambit is known as “spear phishing.”

Guerra says these threats are arising in part from changes in the financial prospects for app developers. In earlier business models, an app maker would offer a free version with the aim of amassing big user numbers, which would then pay off when the app startup was acquired by a larger company. In the current era crowded with mobile offerings, Guerra says, app developers frequently try to earn money from their apps by raiding the data of users and selling it to advertisers or other third parties.

“The new app economy is almost based on user surveillance,” Guerra says.

A seemingly simple app that turns a smartphone into a flashlight can also be designed to rummage through the phone’s files, geolocation information, and other data, he says.
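As an added illustration of the permission-based risk scoring the two preceding passages describe (an app that declares access to contacts, calendar, photos or location it has no business needing, and a flashlight app that rummages through files and geolocation), the Python below parses a decoded AndroidManifest.xml, extracts the declared `uses-permission` entries, and scores them. This is example code written for this article, not Appthority’s product or its scoring model: the permission weights, the per-category baselines, the “high/medium/low” thresholds and the three constructed manifests are all assumptions. A real scanner would first decode the binary manifest out of the APK (apktool or androguard can do this); the example assumes that step has already been done.

```python
"""Permission-based risk scoring for a decoded Android manifest.

Added illustration for this article. The weights, category baselines and
thresholds are assumptions for the example, not Appthority's scoring model.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # ElementTree's form of android:name

# Assumed weights: roughly how much user data a permission exposes (0 = untracked).
PERMISSION_WEIGHTS = {
    "android.permission.READ_CONTACTS": 4,          # address book
    "android.permission.READ_CALENDAR": 4,          # meeting details
    "android.permission.READ_SMS": 5,
    "android.permission.READ_CALL_LOG": 4,
    "android.permission.GET_ACCOUNTS": 2,
    "android.permission.ACCESS_FINE_LOCATION": 3,   # geolocation
    "android.permission.ACCESS_COARSE_LOCATION": 2,
    "android.permission.READ_EXTERNAL_STORAGE": 3,  # photos and other files
    "android.permission.RECORD_AUDIO": 3,
    "android.permission.CAMERA": 1,
    "android.permission.INTERNET": 1,
    "android.permission.SEND_SMS": 1,
}

# Permissions that give harvested data a way off the device.
EXFIL_CHANNELS = {"android.permission.INTERNET", "android.permission.SEND_SMS"}

# Assumed baseline: what an app of a given declared category plausibly needs.
CATEGORY_BASELINE = {
    "flashlight": {"android.permission.CAMERA"},
    "calendar": {
        "android.permission.READ_CALENDAR",
        "android.permission.WRITE_CALENDAR",
        "android.permission.INTERNET",
    },
}

# Constructed sample manifests (not real apps).
SUSPICIOUS_FLASHLIGHT_MANIFEST = """<manifest xmlns:android="%s" package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Torch"/>
</manifest>""" % ANDROID_NS

BENIGN_FLASHLIGHT_MANIFEST = """<manifest xmlns:android="%s" package="com.example.light">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Light"/>
</manifest>""" % ANDROID_NS

CALENDAR_MANIFEST = """<manifest xmlns:android="%s" package="com.example.agenda">
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Agenda"/>
</manifest>""" % ANDROID_NS


def parse_permissions(manifest_xml):
    """Return the set of <uses-permission> names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def score_app(manifest_xml, category):
    """Score an app's declared permissions against its stated category."""
    perms = parse_permissions(manifest_xml)
    data_perms = {p for p in perms if PERMISSION_WEIGHTS.get(p, 0) >= 2}
    exfil = perms & EXFIL_CHANNELS
    base = sum(PERMISSION_WEIGHTS.get(p, 0) for p in perms)
    # Data-harvesting permissions matter most when paired with a channel
    # that can carry the data off the device, so that combination doubles the score.
    score = base * 2 if (data_perms and exfil) else base
    unexpected = sorted(perms - CATEGORY_BASELINE.get(category, set()))
    return {
        "score": score,
        "harvests_data": sorted(data_perms),
        "can_exfiltrate": bool(exfil),
        "unexpected_for_category": unexpected,
        "verdict": "high" if score >= 15 else "medium" if score >= 6 else "low",
    }


if __name__ == "__main__":
    for label, manifest, category in (
        ("suspicious flashlight", SUSPICIOUS_FLASHLIGHT_MANIFEST, "flashlight"),
        ("benign flashlight", BENIGN_FLASHLIGHT_MANIFEST, "flashlight"),
        ("calendar app", CALENDAR_MANIFEST, "calendar"),
    ):
        print(label, score_app(manifest, category))
```

The category baseline is what separates a legitimate calendar client from a flashlight that reads the calendar: the same permission pair scores “medium” for the former and contributes to a “high” verdict, with every extra permission flagged as unexpected, for the latter. Permissions only show what an app may do, not what it does; a production scanner would also inspect the code and observe network traffic before concluding that data is actually being sold on.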

For the time being, Appthority’s risk-detection apps are only offered to employees of Appthority’s business customers. But the company is working on plans that may make the apps available to consumers.

As Appthority scans employee devices for signs of app-related risks, it picks up a sense of the practices and trust levels of these users. For one thing, the company deduced that staffers are letting their kids play with the same devices they use to do their work, Guerra says.

“In virtually every corporation, we see children’s apps all the time—even on corporate-owned devices,” Guerra says. “That’s a new risk.”

People are less guarded when they download children’s apps than they are with apps aimed at the adult market, Guerra says. This opens the door to a serious risk—that users will download apps that aren’t what they seem. Appthority identified a fake Disney app offered on the Google Play store—complete with Disney characters, but bearing adult content.

While employees might have trouble relating to company messages about firewalls and network security, Guerra says, they’re starting to get interested in cybersecurity as news coverage increases about issues such as Apple’s court fight with the FBI to preserve the encryption on iPhones.

“Security is becoming personal,” Guerra says. Employees are now using Appthority’s apps to evaluate apps their kids could be exposed to, he says.

Yet employees now use an average of 80 to 100 apps, and few consumers will read through all the terms and conditions before they download a new one. As yet, there aren’t many publicly available tools to make it easy for consumers to learn which apps to avoid, Guerra says. He says he still sees an industry gap in employee education and risk self-management tools. That could be changing, he says.

“I think there’s more of a sense that teamwork is required” for company cybersecurity, Guerra says. “It’s not going to be just IT folks in their labs creating a solution for the whole company.”

Author: Bernadette Tansey

Bernadette Tansey is a former editor of Xconomy San Francisco. She has covered information technology, biotechnology, business, law, environment, and government as a Bay Area journalist. She has written about edtech, mobile apps, social media startups, and life sciences companies for Xconomy, and tracked the adoption of Web tools by small businesses for CNBC. She was a biotechnology reporter for the business section of the San Francisco Chronicle, where she also wrote about software developers and early commercial companies in nanotechnology and synthetic biology.