News

More Bad News for Mobile App Security

• By David Ramel
• March 23, 2015

New research from IBM sheds further light on the sorry state of mobile app security -- or, in the company's own words, the "alarming state of mobile insecurity."

The survey of more than 400 large enterprises conducted by the Ponemon Institute found 40 percent of respondents aren't taking necessary steps to secure the apps built for customers and many are doing a poor job of safeguarding corporate and bring-your-own-device (BYOD) assets from cyber-attacks.

The new report comes shortly after mobile app developers were blasted by security company McAfee Labs for ignoring known security flaws. And it was published last week just two days after FireEye Inc. reported that a study of popular Android apps on Google Play and iOS apps on the Apple store shows hundreds of apps are vulnerable to the FREAK attack.

Such vulnerabilities have contributed to 1 billion personal data records being compromised last year alone, IBM said, with some 11.6 million devices being affected by malware at any given time.

Various studies have laid the blame for lax security on developers and management.

"Building security into mobile apps is not top of mind for companies, giving hackers the opportunity to easily reverse engineer apps, jailbreak mobile devices and tap into confidential data," said IBM security exec Caleb Barlow in a news release. "Industries need to think about security at the same level on which highly efficient, collaborative cyber criminals are planning attacks."

IBM said large companies spend about $34 million each year to build mobile apps, but only 5.5 percent of that budget is spent on app security. That equates to about $1.8 million in security spending annually, the study said, comparing that figure to the amount spent on other things such as pet costumes ($330 million) and Halloween candy ($2 billion).

Other findings in the IBM/Ponemon study include:

• 50 percent of companies have zero budget for security apps.
• 40 percent of companies don't scan mobile app code for vulnerabilities.
• The average company security tests less than half of the apps it builds.
• 33 percent of companies never test apps for security.
• 65 percent of respondents strongly agree that the security of mobile apps is sometimes put at risk because of increasing customer demand or need.

The study indicated mobile risks have increased alongside the growing popularity of BYOD practices leading to more devices connected to company networks that also connect to unsecured networks or download insecure apps from untrustworthy sources.

"Though most employees are 'heavy users of apps,' over half (55 percent) state their organization does not have a policy which defines the acceptable use of mobile apps in the workplace, and a large majority -- 67 percent -- of companies allow employees to download non-vetted apps to their work devices," IBM said. "Additionally, 55 percent of organizations say employees are permitted to use and download business apps on their personal devices."

To address the problem, IBM said it has introduced cloud-based MobileFirst Protect Threat Management tool to its MobileFirst Protect offering. IBM said it automatically tracks suspicious activity on mobile endpoints and instantly stops device malware upon detection.