Mobile apps are ubiquitous now, and they offer a range of business benefits, but they also represent one of the most serious security risks ever to face the enterprise. The mixing of devices and software for work and leisure opens up many potential avenues for attack, but even purpose-built enterprise apps are shipping with woefully inadequate security protections.
Did you know that mobile apps typically ship with between one and ten bugs in them?
According to research by Evans Data, only five percent of developers claim to ship apps with zero defects, while 20% ship with between 11 and 50 bugs. Even when testing is conducted, it’s on a limited subset of devices and platform versions.
Many software developers simply don’t have the resources to conduct proper testing before release, especially with the pressure to reach the market faster than everyone else. It’s accepted that many defects will be discovered by customers and fixed later through updates, in fact 80% of developers push out updates at least monthly.
The chance of security vulnerabilities slipping through is very high. But that’s for an average mobile app developer, surely the enterprise takes security more seriously, right?
You may assume that mobile app security testing is a lot more stringent in the business world, but it’s a dangerous assumption to make. Enterprise app developers are subject to the same pressures, and they’re just as likely to forgo security in the rush to market.
Many organizations are still taking it on trust that the mobile apps they use are secure. We’ve looked at the importance of assessing third-party vendors before. Almost 40% of large companies, even in the Fortune 500, don’t take the necessary precautions to secure the apps they build for customers, according to research by IBM and the Ponemon Institute.
In fact, one-third of companies never test their apps at all, and 50% of the companies surveyed admitted they devote absolutely no budget to mobile security.
Consider that more than half of businesses are planning to deploy 10 or more enterprise mobile apps in the next two years alone, according to 451 Research. The potential risk here is enormous. More data breaches are inevitable. What’s worse is that many will go unnoticed for long periods of time. The impact on some businesses will be devastating, as security threats too often go ignored. To bury your head in the sand, is to expose your business to potential catastrophe.
If you’re only thinking about security at the end of app development, then you’ve already left it too late. You need to build in secure features and adopt stringent testing from day one. That means consulting or hiring security experts during the design phase, and empowering them to influence developers. Focus on data encryption, user authentication, and regulatory requirements.
Monitoring and reporting should be built in to your mobile apps. That way there’s an audit trail to maintain security. Reports can also produce all sorts of useful analytics that help guide future development in the right direction. It’s not just for security, it’s also an important part of ensuring ROI for mobile apps.
It’s worth noting that mobile security at a platform level is improving, but few developers are taking full advantage of the new features designed specifically to secure apps for the enterprise. There has to be some education here. Without input from InfoSec talent, and the right training for developers, there’s no doubt that insecure mobile apps will continue to flood the market.
At the end of the day, you will never know if your mobile apps are truly secure unless you test them. Proper mobile security penetration testing is essential. External testers with no vested interest and the right blend of expertise, are best placed to provide the insight you need to uncover dangerous vulnerabilities, and help you mitigate them.
If development continues after release, as your mobile apps are updated with new features and defect fixes, make sure that you consider the security implications and test each new release properly – it’s the only way you can really be sure that your mobile apps are secure.
This article was recently published in Network World.
Imagery credit: cutcaster