Three surveys provide data on the state of mobile development and security, and the news is not particularly heartening.https://o1.qnsr.com/log/p.gif?;n=203;c=204663295;s=11915;x=7936;f=201904081034270;u=j;z=TIMESTAMP;a=20410779;e=iPerhaps the most interesting of the surveys is from Evans Data, which found that 56.7 percent of mobile developers follow security protocols set by their governments. The true nature of the result becomes more apparent when it is turned around: More than 40 percent don’t do what their governments tell them is the right thing.
The press release offered a vague but useful breakdown. In North America, 67 percent follow their governments. The percent in Asia was “only slightly less” but dropped to one-third in the combined Europe, Middle East and Africa (EMEA) category.
Of course, some important things are not clear. For instance, both the “mandate” and its enforcement may look very different in each country. It also is fair to note that it would be helpful to have data on how many developers are bypassing government mandates – but protecting security adequately via other means.
The second survey is from last September. Bluebox Security looked at a class of applications that are particularly important to business people in the age of bring your own device (BYOD) work structures. The survey found that 40 percent of Android apps and 60 percent of iOS apps “contained code that could enable admin functionality not intended for a normal user to access.”
This code could provide special privileges to inappropriate users. The firm also found that 70 percent of code was made by third parties. This, of course, represents a big risk.
The third survey is industry-specific. Security Intelligence looked at research recently released by Arxan. The firm looked at popular health care apps from a number of counties. They found that most apps “contain significant vulnerabilities.” The results were not good. For instance, the apps were measured against Open Web Application Security Project standards:
Included among the health apps tested were a sample of health apps approved by the U.S. Food and Drug Administration (FDA) and apps formerly approved by the U.K. National Health Service (NHS). Interestingly, 84 percent of the FDA-approved apps that were tested didn’t adequately address at least two of the OWASP mobile top 10 risks, and 95 percent of those apps lacked binary protection.
The rest of the report offers similarly sobering commentary.
The bottom line clearly is that not enough attention is being paid by developers to mobile app security. They may talk the talk about building secure apps, but they don’t appear to be walking the walk.
Carl Weinschenk covers telecom for IT Business Edge. He writes about wireless technology, disaster recovery/business continuity, cellular services, the Internet of Things, machine-to-machine communications and other emerging technologies and platforms. He also covers net neutrality and related regulatory issues. Weinschenk has written about the phone companies, cable operators and related companies for decades and is senior editor of Broadband Technology Report. He can be reached at firstname.lastname@example.org and via twitter at @DailyMusicBrk.