Security experts have spent a lot of time fretting about how users may put company data at risk by downloading malicious or vulnerable mobile apps onto the smartphones they use for work. Now a new report warns that businesses may be building plenty of vulnerable apps themselves.
When it comes to mobile apps and security, IT needs to worry about both sides of the coin. First, IT must make sure users are using their mobile devices securely and avoiding dangerous software.
And second, as many companies are developing mobile apps for their own customers and employees, it’s important to make sure security is taken into account during that development.
Companies are struggling with that latter point, according to a recent study from HP.
Researchers looked at 2,000 iPhone apps developed by 600 different companies around the world. All of the apps studied were created for business-to-business or business-to-consumer commercial use, including apps for online banking and retail shopping.
The results after security testing: 86% of the apps were vulnerable to common classes of mobile security flaw, such as misuse of encryption, cross-site scripting and insecure transmission of data.
Security mistakes in mobile development
The most common mistakes leaving those apps vulnerable to security attacks included:
- failing to use encryption to protect data that is stored on a device
- failing to implement SSL or HTTPS properly to protect transmitted data
- accessing address books, messages and other sensitive data on a device without encrypting or otherwise protecting that data, and
- a lack of binary hardening to protect against information disclosure, buffer overflows and other incidents.
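Three of the four mistakes above (plaintext storage, broken certificate validation, and a missing hardening flag) can be caught with simple static checks before an app ships. The script below is an added example written for this article, not HP's test harness or any vendor's tool. It greps Objective-C source for a few well-known risky calls (NSUserDefaults holding credentials, the kSecAttrAccessibleAlways keychain class, the private setAllowsAnyHTTPSCertificate:forHost: API, and CFStream chain validation switched off) and reads the 32-byte Mach-O header of a 64-bit executable to see whether the MH_PIE flag, which enables ASLR, is set. The sample source and the header bytes are constructed inline for illustration; the pattern list is a starting point, not a complete rule set.

```python
import re
import struct

# Constructed sample of Objective-C source showing the kinds of mistakes the
# HP study lists. Illustrative input only, not code from any real app.
SAMPLE_SOURCE = """
[[NSUserDefaults standardUserDefaults] setObject:password forKey:@"user_password"];
NSDictionary *q = @{(id)kSecAttrAccessible: (id)kSecAttrAccessibleAlways};
[NSURLRequest setAllowsAnyHTTPSCertificate:YES forHost:host];
NSDictionary *ssl = @{(id)kCFStreamSSLValidatesCertificateChain: (id)kCFBooleanFalse};
"""

# (regex, mistake category, explanation). Heuristic list, assumed starting point.
SOURCE_CHECKS = [
    (r'NSUserDefaults.*setObject:.*forKey:@"[^"]*(password|token|secret)[^"]*"',
     "unencrypted storage",
     "credential written to NSUserDefaults, which is a plaintext plist on disk"),
    (r"kSecAttrAccessibleAlways\b",
     "unencrypted storage",
     "keychain item readable even while the device is locked"),
    (r"setAllowsAnyHTTPSCertificate:YES",
     "broken TLS",
     "certificate validation disabled via private NSURLRequest API"),
    (r"kCFStreamSSLValidatesCertificateChain\s*:\s*\(id\)kCFBooleanFalse",
     "broken TLS",
     "CFStream configured to skip certificate chain validation"),
]


def audit_source(text):
    """Return (line_number, category, explanation) for every line matching a check."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern, category, why in SOURCE_CHECKS:
            if re.search(pattern, line, re.IGNORECASE):
                findings.append((lineno, category, why))
    return findings


# mach_header_64 constants from <mach-o/loader.h>
MH_MAGIC_64 = 0xFEEDFACF       # little-endian 64-bit Mach-O
MH_EXECUTE = 0x2               # filetype: executable
MH_PIE = 0x00200000            # flags bit: position-independent, ASLR-capable
CPU_TYPE_ARM64 = 0x0100000C
MACH_HEADER_64 = "<IiiIIIII"   # magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved


def build_macho_header(pie):
    """Construct a minimal mach_header_64 (test data only, not a real binary)."""
    flags = MH_PIE if pie else 0
    return struct.pack(MACH_HEADER_64, MH_MAGIC_64, CPU_TYPE_ARM64, 0,
                       MH_EXECUTE, 0, 0, flags, 0)


def macho_is_pie(data):
    """True if the 64-bit Mach-O executable header carries MH_PIE."""
    if len(data) < struct.calcsize(MACH_HEADER_64):
        raise ValueError("too short for a mach_header_64")
    magic, _cpu, _sub, filetype, _ncmds, _size, flags, _res = struct.unpack(
        MACH_HEADER_64, data[:32])
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    if filetype != MH_EXECUTE:
        raise ValueError("not an executable image")
    return bool(flags & MH_PIE)


if __name__ == "__main__":
    for lineno, category, why in audit_source(SAMPLE_SOURCE):
        print(f"line {lineno}: [{category}] {why}")
    print("PIE set:", macho_is_pie(build_macho_header(True)))
    print("PIE set:", macho_is_pie(build_macho_header(False)))
```

On a real build the same header check is what `otool -hv` reports as the PIE flag; stack canaries and ARC would be checked separately by looking for the `___stack_chk_guard` and `_objc_release` imports (`otool -Iv`), which this example does not parse.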
One big problem, according to HP: Developers aren’t making security a priority throughout the process.
If organizations aren’t thinking about security from the beginning, it’s likely those vulnerabilities will be built into an app and left there when it’s released to the public.