According to a report from the Ponemon Institute and IBM, mobile security is in dire straits. The two companies unveiled research last week showing an alarming lack of security in the mobile applications that companies build for their customers.
The report, called The State of Mobile Application Insecurity, found that while companies happily invest money in developing exciting new features for mobile application users, they are more conservative when it comes to spending money on cybersecurity within those applications. On average, firms spend $34 million per year on mobile app development, but only 5.5 per cent is currently allocated to security, the report said.
Even more alarming is how unevenly that security money is distributed; 50 per cent of companies have no mobile application security budget at all.
We have seen several examples of poorly developed security protections within mobile applications. Last September, McAfee researchers reported a flaw in several well-known retail apps from companies including Costco and Walgreens, which allowed attackers to trick the app into downloading malicious code from a website whose address was embedded in a QR code.
In January 2014, a team of white hat hackers used a previously published exploit in the Snapchat app to pilfer 4.6 million usernames and phone numbers from the service. That same month, security researcher Daniel Wood released details of a security problem in the Starbucks mobile app for iOS that stored the username, email address and password in clear text on the phone.
In June 2014, researchers showed how they could bypass two-factor security in PayPal’s mobile app.
The stakes are getting higher for mobile app security. In its malware threat report for 2014, published in February, McAfee warned that poor programming practices by mobile app developers are still exposing users to SSL vulnerabilities, enabling their secure sessions to be attacked. The company, which believes that mobile malware generation kits will soon be offered on the dark web, says that it’s seeing around 700,000-800,000 new variants of mobile malware each month.
Security and privacy are separate but linked, and there are several cases of privacy being breached within mobile apps. Canada’s federal Privacy Commissioner criticized WhatsApp in January 2013 for forcing users to grant it access to their entire contact directory if they wanted to use the program. BitDefender published a report later that year that said around 12 per cent of all Android apps breached privacy. The apps granted access to phone numbers, upload locations, email addresses and browsing history. Seven per cent of them also read the user’s contacts.
What is causing companies to release such buggy, insecure, and privacy-threatening mobile software? There are two reasons.
When it comes to privacy, apps that can persuade you to hand over your personal data are good for business. Uploading contact directories enables apps to target new customers, for example. And data about where you are and what you’re doing is a valuable commodity. Unfortunately, if an employee installs an app that doesn’t respect their privacy on a phone that also holds enterprise data, it could put a CIO’s organization at risk.
When it comes to factors that hinder security, market pressures rank at the top. The mobile app marketplace is a fast-moving one, and companies that take too long to release or refresh their products risk being left behind. With mobile users so fickle, and with phone screen real estate at such a premium, it’s important for apps to be as shiny and interesting as possible.
Two thirds of respondents to the IBM/Ponemon study said that the security of their apps is often put at risk because of customer demand or need. Seventy-seven per cent cite “rush to release” pressures as a factor that can lead to vulnerable code.
That is at odds with the drivers for cyber security, though, which focus on careful testing and quality assurance. And unless some way can be found to reconcile the two, the headlines about mobile data breaches will continue to come – and the personal data will continue to flow into the wrong