HP released its 2013 Cyber Risk Report this month, and it’s not looking pretty. As all the recent news stories about hacked sites and data leaks suggest, many developers and companies still struggle with application security. The issue extends past web security and well into the mobile ecosystem, affecting both native and hybrid apps. Here are a few stats to get us started:
- 46% of mobile apps don’t use proper encryption.
- 56% of the applications tested exhibited weaknesses that reveal information about the application, its implementation or its users.
- 74% of apps exhibit unnecessary permissions.
- 80% of applications are vulnerable to misconfiguration.
- Hybrid development frameworks for mobile apps don’t address many well-known security issues.
Jacob West, CTO of Enterprise Security Products at HP, told eWeekly that the issue of mobile security is even more concerning because developers aren’t taking advantage of the tools they already have at their disposal.
Mobile developers now have the benefit of being able to learn from the security experience that the Internet industry has gained over the last decade in terms of best practices. Going a step further, many of the toolsets and frameworks that mobile developers use today typically have encryption capabilities built-in.
“We don’t see mobile developers having to roll their own encryption in an ad hoc way,” West said. “That’s an area where developers in the past always made mistakes.”
The problem, West notes, is that many developers don’t have the high-level expertise required for deep security testing. On top of that, as an app moves away from the development team, other issues can be introduced that compromise its security.
“Even if developers build their code perfectly, and even if the initial configuration that comes out of development is secure, then there is still the opportunity for an operations person to alter the configuration and introduce insecurity that wasn’t present during the development and testing period,” West said.
West sees application misconfiguration as a significant concern. More communication between developers and operations people is needed to mitigate the risk, he said. Operations people need to be more aware of the way applications are built and how they need to be configured, and developers need to make sure that operations people don’t get the opportunity to introduce risks that aren’t necessary, he advised.
Paying attention to mobile app security extends beyond security testing and into the realm of user experience. If you didn’t hire a security expert for testing, odds are you’ll find vulnerabilities once your app is available to the public. In the best-case scenario, a friendly hacker will discover a vulnerability and quietly contact you about the issue. The worst-case scenario ends in a compromised app, leaked user data and an ugly media hit.