Why Mobile Apps Are Not Getting More Secure

Carl Weinschenk


You Can't Detect What You Can't See: Illuminating the Entire Kill Chain

Last month, Veracode released a supplement to its 2015 security report that focused on application development. The report showed that four of five applications written in PHP, Classic ASP and ColdFusion failed at least one of The Open Web Application Security Project (OWASP) Top Ten, a list of security benchmark best practices. Put more simply, the research suggests that applications – many of them mobile – are awash in vulnerabilities.

The research found that one scripting language is riskier than two other common approaches.  “In the side-by-side comparison of programming languages, we found that PHP was far more vulnerable to the issues of cross-site scripting and SQL injection than Java and .NET,” Chris Wysopal, Veracode’s co-founder, CTO and CISO says.

The intricacies of which scripting languages are more vulnerable than others is very important to developers and security professionals. For others, however, the question is a bit simpler: Is there an epidemic of insecure applications running on the mobile devices, many of which handle corporate communications and data?

Wysopal thinks he has the answer, and it’s one that enterprise security executives are not going to like:

“[O]ur finding that 87 percent of Android apps and 80 percent of iOS apps have cryptographic issues shows that mobile developers have a long way to go in terms of meeting basic standards for building secure apps.”

Is this feeling shared by others? Joshua Wright, the senior instructor and counter hack technical director for the SANS Institute, thinks it is.

“Frequently, developers don't have a strong understanding of the threats associated with mobile device platforms or the app development frameworks they utilize,” Wright says. “This, combined with the quick-to-market app delivery model, has led to hundreds of thousands of insecure apps throughout the iOS and Android app stores.”

Two megatrends in telecommunications have led to this point. The first is that the explosion of mobility has limited the options for securing data and applications. In short, the old model, in which firewalls protect what is within the enterprise and very select, and generally non-mission-critical, apps and data are allowed beyond the electronic barrier,  no longer exists. The second trend is BYOD. The reality is that many of the applications used by people for their employment are consumer apps that don’t have as high a level of security as those built from the ground up for the enterprise.

This is a complex new mobile security world, but clearly not a hopeless one from the security perspective. The reality, according Robert Gravelle, the owner of Gravelle Web Design, is that the core problem is the users, not the technology. Device portability and over-the-air updates lend themselves to hacking, he says.

“Security to a large extent falls onto the user. The widespread practice of device rooting by Android users is only increasing risk because it circumvents the security restrictions put in place by the operating system,” Gravelle explains.

What Can Be Done to Improve Mobile App Security?

The insecurity of mobile life has a variety of causes, ranging from technological shortcomings to user apathy, ignorance and naivety. The question is what can be done. On the technical front, Wysopal suggests, education is key. He provided a very good indicator of the first step in moving forward. Since Java and .Net developers have a stronger background in secure code than those using PHP, bringing the latter up to speed seems to be a good first step.

The problem may one of a willingness to be proactive. The press release on the Veracode study says that only about one-quarter of organizations have “mandated, ongoing secure coding education programs” in place.

The unfortunate reality, however, is that the need to produce applications faster works against the desire to train developers better and adequately test what they produce. If anything, the industry seems to be moving in the other direction.

“[T]he answer lies in better developer training and an understanding of what technologies can help protect an organization’s mobile ecosystem,” Wysopal says. “For developers, training is essential. For organizations with a mobile program, they should consider implementing an MDM system that allows policy-based controls such as automated application blacklisting, application reputation intelligence that is continuously updated and based on real-world risk profiles.”

The bottom line is that the battle against insecure applications is never-ending. That means that it likely will never be fully won—but could be fully lost. The best advice hasn’t changed during the past few years. It includes encryption, strong passwords and strong corporate security policies. Gravelle suggests that a good deal of work is necessary on a number of fronts.

“Unfortunately, like all security matters, it takes a multi-pronged solution,” he says.

Carl Weinschenk covers telecom for IT Business Edge. He writes about wireless technology, disaster recovery/business continuity, cellular services, the Internet of Things, machine-to-machine communications and other emerging technologies and platforms. He also covers net neutrality and related regulatory issues. Weinschenk has written about the phone companies, cable operators and related companies for decades and is senior editor of Broadband Technology Report. He can be reached at cweinsch@optonline.net and via twitter at @DailyMusicBrk.


Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.


Add Comment      Leave a comment on this blog post
Apr 27, 2016 10:27 AM Julie elangwey Julie elangwey  says:
Hi Carl, Within the remaining decade, cellular apps for big companies have long past from non-compulsory to ubiquitous. nowadays, the cellular panorama demands corporations maintain up with the ever-evolving software developments for every and every nook of the respective agencies. but, maximum in-residence developers, excited with the aid of an possibility to creatively clear up problems via mobile, tend to jump immediately into layout and improvement from a capabilities viewpoint in preference to focusing on protection from the get move. For massive enterprises, constructing and ensuring protection is an imminently complex hassle. cozy application development comes into play. Do your encryption and mobile device management protocols surely ensure protection? Is it even viable to construct comfy and scalable answers for cellular systems and gadgets? And if it's far, how will you put in force those solutions with out compromising employee pleasure or productivity? Reply
Nov 15, 2016 6:59 AM DevRabbit DevRabbit  says:
Hello, It's nice to know about Why Mobile Are not getting more secure due to automated tools to make Mobile App have come So it's Difficult to mange security. So it's better to develop a mobile App rather then using a Automated tools .Thanks for sharing the information Reply
Mar 30, 2017 5:07 AM redhat redhat  says:
It was a nice article , very informative , thanks for sharing Reply
Oct 17, 2017 11:07 PM Ludivina Colbert Ludivina Colbert  says:
Admiring the time and effort you put into your blog and detailed information you offer! Reply
Aug 31, 2018 4:38 PM mobile repair dubai mobile repair dubai  says:
sometimes mobile apps are doesn't provide any security to ur device. there is a risk of privacy. after reading your post properly I get useful ideas on how the apps are getting more secure. Reply

Post a comment





(Maximum characters: 1200). You have 1200 characters left.




Subscribe Daily Edge Newsletters

Sign up now and get the best business technology insights direct to your inbox.

Subscribe Daily Edge Newsletters

Sign up now and get the best business technology insights direct to your inbox.