A new study from the Ponemon Institute has given some quantitative figures to a trend that many information security professionals were already aware of -- companies are not spending enough on the security of mobile applications.
Sponsored by IBM Security, the report, The State of Mobile Application Insecurity, shows an average of $34 million is spent on mobile app development, yet a meager 6% of this, or $2 million, is earmarked for security purposes. Perhaps even more distressing, the study found 50% of the 400 companies surveyed said they devote none of their mobile app development budget to security, while 40% said they weren't scanning their mobile apps for vulnerabilities.
The data suggests a troubling trend for companies developing their own mobile apps as well as their customers, according to IBM Security. "As long as the 60% that were scanning [for vulnerabilities] aren't finding issues, maybe you're OK," Jim Szafranski, vice president of mobile management at IBM Security, said. "But the reality is, they're finding issues -- a third of the time almost. So those 40% are living dangerously and releasing mobile applications that have vulnerabilities in them."
Szafranski said the study did not contain any information on whether or not companies were fixing the vulnerabilities once they were discovered. "I would guess that they addressed them, but that would just be pure speculation," he said.
According to the Ponemon study, the threat to mobile devices isn't necessarily that known malware is being inserted into these burgeoning applications outright. Instead, the study showed that a variety of software flaws are pervasive in mobile applications, such as the use of SSL libraries with known vulnerabilities like Heartbleed.
"A lot of it is about the maturation of building these mobile applications in a secure way," Szafranski said. "Those vulnerabilities get opened, and you're doing that in parallel right as you're opening up the kimono of the business data and customer data onto these devices."
Enterprises' use of mobile apps has experienced exponential growth in recent years, yet companies are losing massive amounts of money to problems such as mobile e-commerce fraud because of the lack of security focus in application development.
"There's so much you can do by embracing mobility that people are in a hurry to do it," Szafranski said. "Your cycle of build, improve, launch, improve all has to happen in six months, not in two years anymore."
That "rush to release" is felt by 77% of respondents, according to the study. This at least partially explains the 73% of respondents who say they lack training or understanding of secure coding practices.
In addition, 82% of respondents see the use of mobile apps as a risk to their companies, despite the lack of investment in secure app development. Based on the study, IBM Security asserts that an organization that wants to reduce its security liabilities should control the use of mobile apps by its employees. But is such control realistic?
"That's a very good question, because mobile is so personal and the consumerization of technology has, in many cases, put your users ahead of you," Szafranski said. "But there absolutely are ways to improve both the visibility of what's going on in mobile and the control of it."
But even with proper BYOD and mobile device management policies that prevent the use of unsecured networks or the downloading of insecure apps from untrusted sources, IBM said, users are still at risk from legitimate, authorized apps that contain hidden -- but very exploitable -- vulnerabilities. As a result, Szafranski said it's imperative that companies devote more resources to secure mobile app development.