In 2015, the mobile app is king. The applications we download on our mobile devices entertain us, keep us in touch with our loved ones, show us who’s single nearby, share anything we want about our lives with the world – and so much more. And thousands of new applications are added to the marketplace. Every single day.
There’s a 1991 ad from Radio Shack depicting “great prices” for all the things we now use our cell phones for. ‘High-tech’ devices like a VHS camcorder, a Discman and a tape recorder are proudly displayed – all technologies made pretty much obsolete by a variety of handy applications on our much more compact and relatively cheap mobiles.
It’s an exciting time to be a part of the app economy – but there’s a major point of concern that many app developers are choosing to ignore: mobile app security.
Organizations developing apps, whether just for in-house use or for a wider consumer base, have a lot of catching up to do to bring the level of security integrated within apps up to the high-caliber features available on the market today.
Today, this is the sad state of mobile application security: 33% of organizations never test the mobile applications they develop, and 40% of enterprises – including Fortune 500 companies – were found not to protect the customers they’re developing for. Around 11.6 million devices are vulnerable to attack, according to the latest Ponemon study on the State of Mobile Application Insecurity. And with only 50% of the same organizations allocating any budget at all to mobile appsec, it’s no surprise that it gets little attention.
What’s the Big Deal?
Reports have stated that up to 95% of mobile applications are vulnerable, with a median number of 6.5 vulnerabilities per app. At the same time, mobile applications are constantly added to the market, and with an average of 36 apps downloaded per smartphone user, it should come as no surprise that a few apps out there are bad apples.
And whether you’re working on Android or iOS, your security testing workload is no lighter for one than for the other. Sure, we’ve just had (or, more realistically speaking, are in the midst of) the Stagefright vulnerability scare – but we also had an SMS scare on iOS just this past May.
The platform you’re developing for doesn’t lessen the workload in terms of security testing and developing applications securely from the get-go. While there may be more ‘dirt’ on Android than iOS, due to Google’s lack of oversight in its app store, lax app permission policies, or even the insecure yet standard browser used by many Android devices, that doesn’t excuse you from security testing when developing an iOS app. Because in the end, even Steve Jobs’ baby isn’t a fortress: hackers have been relentlessly trying to get in through apps since iOS and the iPhone were launched.
As users rely on their mobiles in more and more ways, we as the developers and defenders behind the application need to pay special attention to making sure the correct security steps are being taken.
As you can see, people are using their smartphones in ways that could easily leave their information vulnerable if the apps aren’t correctly secured. Whether they’re your customers or employees, the breaches that can result from releasing insecure apps can be detrimental to your reputation, your bottom line, and your future as an organization.
Why is Mobile AppSec largely ignored?
There are several factors to blame for the lack of attention given to mobile appsec. While many of the reasons differ from those behind software and web application security, the main reason is very similar: the organizational focus is put on delivering better features, faster, over making sure those features don’t cause security concerns.
The Ponemon study also found that many organizations wait too long to perform security testing or use it too infrequently to make a difference. But, as Larry Ponemon says, “retrofitting an app for security is similar to putting brakes on a car when it’s already cruising down the road; it just doesn’t work.”
Before we get into best practices for mobile AppSec, we need to reiterate why it is important, and what’s at stake if security isn’t taken into careful consideration during application development.
Security considerations are especially important for mobile applications due to their wide array of uses and implications within the organization and outside of it. Data that was once by default kept within the organization can now be taken outside of the office, with lots of implications for how data gets treated by individual employees under little oversight.
Attackers going after mobile apps are usually looking for one of four things: Personally Identifiable Information (PII), including employee information to be used against the victim; bank/financial data; user credentials for the phone or other online services; and finally, control of the device itself.
What other best practices would you add to the list?