Excessive app permissions

IBM® MaaS360® Endpoint Threat Management identifies app permissions that are deemed excessive from the security standpoint of your organization.

Excessive permissions give an app access to private user data and allow it to perform potentially dangerous actions. Many apps request permissions to information that they do not need in order to function. For example, a calendar app does not need access to the microphone or the camera. When you grant unnecessary permissions, an app can use them to steal sensitive information such as location, contacts, and photos.

Supported devices
  • Android

Deploying endpoint security policies

Policy configuration

Configure and push EPS policies to detect apps that use excessive app permissions on managed devices.

Follow the steps to configure App Permissions settings.
  1. From the IBM MaaS360 Portal home page, go to Security > Policies.
  2. Open an EPS policy and then click App Permissions.
  3. Click Edit and then select Enable App Permissions.
  4. Configure the following settings.
    Setting: Permissions to be monitored
    Description: The permissions that are considered excessive.
      • Call Logs
      • Camera
      • SMS
      • Microphone
      • Device Administrator
      • Location
    Note:
      • Even though these permissions are all considered excessive, only the Device Administrator permission contributes to the user risk score.
      • You can use the plus (+) icon to add multiple permissions.
    Supported OS: Android

    Setting: Exempt System Applications
    Description: System apps that are exempt from scanning for excessive permissions.
    Supported OS: Android

    Setting: Exempt App Catalog Applications
    Description: Managed apps that are distributed through the App Catalog and are exempt from scanning for excessive permissions.
    Supported OS: Android

    Setting: Exempted Applications
    Description: App IDs of apps that are exempt from scanning for excessive permissions.
    Supported OS: Android

Policy assignments

Assign endpoint security policies to a device, user, device group, or user group from the corresponding workflows. For more information about policy assignments, see Configuring endpoint security policies.

Configuring risk rules

When excessive app permissions are detected, IBM MaaS360 creates a risk incident and then evaluates that risk incident against the risk rule to calculate the severity and risk score for devices and users. By default, the risk rule for excessive app permissions is enabled in the MaaS360 Portal. You can use the Risk Rule Configurator to disable the risk rule or adjust the severity.
Note: This risk rule applies to Android devices only.
Follow the steps to configure risk rules for excessive app permissions.
  1. From the IBM MaaS360 Portal home page, go to Security > Security Management > Risk Rule Configurator.
  2. Configure the following settings.
    Risk rule: No of apps with excessive permissions

    Condition: Defines the severity of the excessive app permissions incident.

    Default condition
      If the number of apps with excessive permissions is...   Then the severity is...
      More than or equal to 1                                  High
    Note: This rule counts the number of apps with excessive permissions, not the total number of excessive permissions across apps. For example, a device that has two apps with one excessive permission each counts as 2 under this rule, while a device that has one app with six excessive permissions counts as 1, so the first device is rated as severe as or more severe than the second.
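The detection and the count-based risk rule described in this section, as an added worked illustration that is not MaaS360 code: it parses a constructed sample written in the style of `adb shell dumpsys package` output, flags apps that request any permission in the monitored set, applies the three exemption classes from the policy table (system apps, App Catalog apps, explicit app IDs), and evaluates the default rule (at least one such app makes the incident High). The mapping from the policy's labels to Android manifest permission names, the `dumpsys` fields relied on (`Package [...]`, `pkgFlags`, `requested permissions:`), the `threshold` parameter and the separate `device_admins` input for Device Administrator status are all assumptions made for the example.

```python
"""Added illustration (not MaaS360 code): flag Android apps that request
permissions treated as excessive, apply the policy's exemptions, and
evaluate the default count-based risk rule."""
import re
from dataclasses import dataclass, field

# Policy labels mapped to Android manifest permission names.
# Assumption: the product's exact mapping is not published on this page.
MONITORED = {
    "Call Logs": {"android.permission.READ_CALL_LOG",
                  "android.permission.WRITE_CALL_LOG"},
    "Camera": {"android.permission.CAMERA"},
    "SMS": {"android.permission.READ_SMS", "android.permission.SEND_SMS",
            "android.permission.RECEIVE_SMS"},
    "Microphone": {"android.permission.RECORD_AUDIO"},
    "Location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
}
# All six monitored permissions from the policy table enabled.
POLICY = ["Call Logs", "Camera", "SMS", "Microphone",
          "Device Administrator", "Location"]

# Constructed sample in the style of `adb shell dumpsys package`. Real output
# has many more fields; only the Package header, pkgFlags and the
# "requested permissions:" section are read here.
SAMPLE_DUMP = """\
Package [com.example.calendar] (a1b2c3):
  userId=10123
  pkgFlags=[ HAS_CODE ]
  requested permissions:
    android.permission.INTERNET
    android.permission.CAMERA
    android.permission.RECORD_AUDIO
  install permissions:
    android.permission.INTERNET: granted=true
Package [com.android.dialer] (d4e5f6):
  userId=10010
  pkgFlags=[ SYSTEM HAS_CODE ]
  requested permissions:
    android.permission.READ_CALL_LOG
    android.permission.CALL_PHONE
Package [com.corp.fieldapp] (0a1b2c):
  userId=10200
  pkgFlags=[ HAS_CODE ]
  requested permissions:
    android.permission.ACCESS_FINE_LOCATION
    android.permission.READ_SMS
"""


@dataclass
class Package:
    name: str
    system: bool = False          # True when pkgFlags contains SYSTEM
    requested: set = field(default_factory=set)


def parse_dumpsys(text):
    """Collect each package's name, system flag and requested permissions."""
    pkgs, cur, section = [], None, None
    for line in text.splitlines():
        m = re.match(r"Package \[([^\]]+)\]", line)
        if m:
            cur = Package(m.group(1))
            pkgs.append(cur)
            section = None
        elif cur is None or not line.strip():
            continue
        elif line.startswith("  ") and not line.startswith("    "):
            # Two-space indent: a field such as pkgFlags, or a section header.
            s = line.strip()
            section = s[:-1] if s.endswith(":") else None
            if s.startswith("pkgFlags=["):
                cur.system = "SYSTEM" in s.split()
        elif section == "requested permissions":
            cur.requested.add(line.strip())
    return pkgs


def find_excessive(pkgs, policy, exempt_system=True, exempt_catalog=frozenset(),
                   exempt_ids=frozenset(), device_admins=frozenset()):
    """Map package name -> set of policy labels it violates.
    The three exempt_* arguments mirror the policy's exemption settings.
    device_admins lists active device-administrator packages; it is a
    separate input because the dumpsys section parsed above does not
    carry that status (assumption)."""
    findings = {}
    for p in pkgs:
        if (exempt_system and p.system) or p.name in exempt_catalog \
                or p.name in exempt_ids:
            continue
        hit = {label for label in policy
               if label in MONITORED and MONITORED[label] & p.requested}
        if "Device Administrator" in policy and p.name in device_admins:
            hit.add("Device Administrator")
        if hit:
            findings[p.name] = hit
    return findings


def risk_severity(findings, threshold=1):
    """Default rule: >= 1 app with excessive permissions -> High. The count
    is of apps, not of permissions per app. None means no incident."""
    return "High" if len(findings) >= threshold else None


if __name__ == "__main__":
    found = find_excessive(parse_dumpsys(SAMPLE_DUMP), POLICY,
                           exempt_catalog={"com.corp.fieldapp"})
    for name, labels in sorted(found.items()):
        print(f"{name}: {', '.join(sorted(labels))}")
    print("severity:", risk_severity(found))
```

Run as-is, the catalog exemption removes com.corp.fieldapp and the system exemption removes com.android.dialer, leaving only the calendar app (Camera, Microphone) and a High severity; the note above about counting apps rather than permissions is what `risk_severity` encodes, so raising `threshold` changes how many offending apps are needed, not how many permissions.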

What happens when excessive app permissions are detected on the device?

IBM MaaS360 supports the following detection and response capabilities for excessive app permissions.
  • The Security app lists the apps that use excessive permissions under the App Security tab.
  • From that list, the user can either revoke the excessive permissions or remove the app.

Tracking excessive app permissions on the Security Dashboard

Devices report excessive permission incidents to the IBM MaaS360 Portal in real time. If those incidents meet the Risk Rule criteria set by administrators, MaaS360 generates a risk incident in the Security Dashboard.

Follow the steps to track security violations and incidents on the Security Dashboard.
  1. Go to Security > Security Dashboard.
  2. In the Top risk incidents widget, click the Affected devices numbered link.

    The affected devices with details are displayed.

  3. Click the username. The User Summary page displays all the risk incidents against the affected device.
  4. Click App permissions to view more details about that risk incident.
  5. You can also review the list of apps that used excessive app permissions for the last 30 days in the Excessive App Permissions Security Dashboard widget.
  6. Click a bar to view the list of apps that used the excessive permission.

For more information about other common widgets on the Security Dashboard, see Tracking security events on the Security Dashboard.