A study released Monday by application security testing vendor Veracode Inc. shows mobile apps aren't getting cryptography right. Cryptography-related flaws affect 64% of Android and 58% of iOS applications tested, according to the State of Software Security report.
The report noted that "these are common coding mistakes that can be readily fixed." Yet one of the report's recurring themes is that even easily corrected errors remain unaddressed in many organizations. "For six consecutive quarters," the report noted, "the percentage of applications affected by SQL injection has hovered around 32%."
Chris Eng, vice president of research at Burlington, Mass.-based Veracode and a primary author of the report, expressed dismay at the prospects for mobile security if simple, "pre-mobile" ailments aren't decreasing. "If we can't get SQL injection worked out, what chance do we have with more complex things?"
The consensus on mobile app security
The Veracode findings echo a growing consensus that app security is the next significant frontier for mobile security.
During the CSO panel at the recent RSA Conference 2013, Howard Schmidt, former special assistant to the president, cybersecurity coordinator and White House official, suggested that bring your own device (BYOD) was pushing mobile security concerns to prominence. "The BYOD train has already left the station," he said. Not only are people carrying a personal device for work, they are carrying multiple devices: An Android phone for calls and email, an iPad Mini for content browsing and searching, and a Windows tablet for more complex mobile workflows.
Many believe the solution is not the mobile security tools we've seen so far. Presenting during the Cloud Security Alliance session at RSA, Vic Morris, CEO of Washington, D.C.-based Vordel, quickly discounted the mobile device management (MDM) approach as a panacea for mobile security: "MDM is only the beginning. While MDM is an overloaded term, it mainly brings visibility into the environment but remains very reactive in terms of managing risk as it typically focuses strictly on the device, not the apps or data. Plus, controlling a whole device as a single unit simply won't fly for BYOD."
During an RSA Mobile Security Shootout session, participants argued that the mobile space is proving no different from the Microsoft Windows world, whose security posture improved by dint of a multi-year focus on application security. These platforms, too, can be made more secure if the focus is on the apps.
"An increasing number of enterprises are moving beyond mobile email and calendar apps to leverage other mobile apps as a means to increase their employees' productivity," said Eric Schou, senior director of product marketing at Sunnyvale, Calif.-based Good Technology. "Based on results captured in a recent activation report from Good Technology, this BYOD trend is being led by financial services and business/professional services industries -- with these two industries making up more than half of device activations -- followed by the retail, manufacturing and energy/utilities industries. These industries are looking to mitigate the risk of breach and data loss by selecting mobile workflow apps that have been developed, tested, deployed and managed with secure collaboration in mind."
While that may be true, much of the mobile application development work is building on shifting sands. Jeff Williams, CEO and founder of Columbia, Md.-based Aspect Security, pointed out that "90% of apps are built from a collection of libraries" and referenced another Aspect Security report showing that 28% of downloaded libraries were vulnerable and that half of the Fortune 100 companies use one or more of these vulnerable libraries in production code.
Dino Dai Zovi, CTO of New York-based Trail of Bits Inc., said, "We are missing the mark for future threats on this new platform."
"The reality is we have little to no control over the hardware and the operating system, so we can only really address issues at the app layer," added Charlie Miller, security research engineer at Twitter.
About the author
Sean Martin is a four-term CISSP and 25-year technology veteran. Write to him at firstname.lastname@example.org.