Mobile App Security Needs Improvement
By Samuel Greengard
By now, it's fairly apparent that the mobile genie is way out of the bottle. The growing array of mobile devices—smartphones, tablets and more—is transforming many facets of consumer and business life. Fortunately, business and IT executives are recognizing that they're increasingly the key to enterprise productivity…and long-term profits.
It's arguable that BYOD and mobile consumer technology have changed the enterprise and business processes more than anything else in the entire history of IT. Yet, they're also part of a growing problem related to securing data and systems. According to Hewlett-Packard's Cyber Risk Report 2013, mobility—along with open source web apps—creates threats that may not entirely register among enterprise executives, and even security experts.
HP found that 56 percent of the applications it tested reveal too much information about the application, its implementation or its users. Seventy-four percent of apps allow unnecessary permissions; and 80 percent of applications are susceptible to misconfiguration vulnerabilities. And hybrid development frameworks for mobile apps don't address many well-known security issues, notes the HP report.
Also reason for concern: 46 percent of the mobile applications HP studied use encryption improperly. HP found that mobile developers often fail to use encryption when storing sensitive data on mobile devices, rely on weak algorithms to do so, or misuse stronger encryption capabilities, rendering them ineffective.
HP recommends that CIOs, CSOs and others focus on eliminating opportunities for unintentionally revealing information that may be beneficial to attackers. It's also critical to focus on third-party code, particularly for mobile development platforms. And organizations must adopt more of a collaboration and threat intelligence framework in order to deal with the fast-changing landscape.
Smart CIOs will pay close attention to these alarming results—and concentrate on steps to remediate the growing risks. Nearly 80 percent of the applications reviewed by HP contained vulnerabilities rooted outside native source code. Even expertly coded software can be dangerously vulnerable if misconfigured. Clearly, it's time for organizations to review their mobile apps for the types of problems that HP's study finds to be frighteningly common.
About the Author
Samuel Greengard is a contributing writer for CIO Insight. To read his previous CIO Insight blog post, "Five Counterintuitive Ways to Spur IT Transformation," click here.