In several reports and statements by Gartner analysts in recent months, red flags have gone up pointing to coming problems resulting from inadequate mobile application security.
Indications for Mobile App Security Trends
Full Security Scans, Not Just QA Testing
Last month, Gartner released news that an estimated 75% of mobile applications will fail basic security tests next year. Apps are currently tested more for their usefulness than for their security. Dionisio Zumerle explained in a recent press release that “Most enterprises are inexperienced in mobile application security. Even when application security testing is undertaken, it is often done casually by developers who are mostly concerned with the functionality of applications, not their security.”
Threats are in Misconfiguration, Not Just Misuse
Earlier in the spring, again in statements by Zumerle, the biggest risk to app security was described as coming from misconfiguration rather than from malicious hackers or end-user misuse: “Mobile security breaches are — and will continue to be — the result of misconfiguration and misuse on an app level, rather than the outcome of deeply technical attacks on mobile devices.”
An Expanding Set of Devices, Not Just Smartphones and Tablets
Gartner’s research focus on mobile app security may have been spawned from earlier research announced in January of this year predicting that users could be streaming data to more than 100 apps and services each day within just a few short years. Brian Blau explained that we will see apps impacting “a wider set of devices, from home appliances to cars and wearable devices.” He further predicted that, by 2017, “wearable devices will drive 50 percent of total app interactions.” This could make apps a prime target for breaches in coming years.
Considerations for Mobile App Security
Predictions of a growing reliance on apps we can access on a watch or even through our refrigerator are not surprising. We already see this technology becoming available, and we see a clear appetite for these devices among consumers. Companies are racing to develop apps to meet this demand, but, as Gartner’s research shows, developing useful tools has so far outpaced the adoption of adequate security for those tools. This may lead to problems in the near future.
Many apps today use outdated encryption or encryption that is inadequate for mobile. Testing is too often cursory and not performed from a mobile-first, comprehensive perspective. We simply cannot think of mobile app security in the same terms we use for network security or even desktop application security; we have far more control over those environments and variables. Mobile app security is much trickier, requiring more work up front and ongoing vigilance.
Entirely New Devices and Platforms, Not Just a Mobile Version
App developers and security testers must be able to follow the trail of possible use scenarios and the implications of different devices, and the possibilities could soon be virtually endless. Issues that arise from new devices extend beyond screen size. Each device, even an updated version of the same device (such as going from iPhone 5 to iPhone 6), raises usability and security concerns unique to that device. This alone makes mobile app security considerably more complex than anything companies have considered before.
Server Side Controls, Not Just App Security
Applications created for mobile devices also cannot be tested in a vacuum. Companies cannot assume the app will only be used as designed. When connected to internal systems, an unsecured app can provide a new access point for attackers to reach deeper into those systems. Beyond thoroughly testing the app, the connections to and from the app must be protected as well. Once a mobile application is in place to give your customers or employees new ways to access your data or to provide you with theirs, there are many more potential points of access to defend; this may require an extra level of input validation, stronger server-side controls, and enhanced monitoring.
Collecting and Protecting Critical Information, Not Just Data Mining
Data management concerns may dictate your app’s usability. Many free apps essentially become data mining tools, feeding the data collected from users into sophisticated advertising and retargeting systems. This information can include email addresses, user names, and even geographic information. But if an app shares information that should be protected (HIPAA patient information or PCI cardholder data, for example), the potential for misuse or inappropriate disclosure goes well beyond ethical questions. The compliance and legal risks necessitate a thorough, comprehensive testing plan to protect both the users and the company.
Talented developers are being tapped by innovative companies to create tools that have already revolutionized the way we live, work, and communicate, and the innovation seems poised for an explosion in coming years. As consumers, we find it exciting. But the implications of these new tools, and the greater security concerns that come with them, are beyond anything most companies have yet considered, much less grappled with effectively.
Don’t hold back on the innovation that could be the next game changer in your industry. But don’t proceed without the right security plan and people in place. We have a team of mobile application testers who are leading this new field of IT security and can work hand in hand with your developers to ensure nothing is left to chance. Be sure your app provides users the data and access they want while keeping them, and your company, protected at the same time.