Although users may often assume that the mobile apps they download are safe, more than 50% of developers surveyed in a new report admitted to using "shortcuts or temporary solutions" to produce their app faster.
The Bluebox Mobile App Survey from Bluebox Security, a San Francisco-based mobile security startup, polled nearly 300 mobile app developers and more than 400 consumers and illustrated a lack of focus on security during the development process. That lack of focus, along with development shortcuts and common coding errors, is creating so many mobile application threats that Bluebox CEO Pam Kostka believes enterprises and users should simply behave as if their devices have already been hacked.
"Security for mobile application development is at best an afterthought," Kostka said. "The best trust posture is to assume your device is compromised at all times."
According to the survey, which was released Tuesday, 79% of developers agreed that mobile apps have become a target for cybercrime because of security flaws, and 74% of developers believed that most enterprise mobile apps are "moderately vulnerable" to mobile application threats. Perhaps even more troubling: 96% of developers admitted to using third-party software frameworks that were potentially insecure.
By rushing their products to the market, Kostka said, these apps are not secure or ready for public consumption. In addition to a lack of basic security controls and privacy policies, many mobile apps contain glaring mistakes that make them vulnerable to attacks. For example, Kostka said two of the more common errors Bluebox has seen are developers who expose API keys in their apps or who leave their developer menus behind in the code.
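The two mistakes Kostka singles out, credentials baked into the app binary and developer menus shipped without a debug gate, are the kind of thing a pre-release check can catch. The following is an added example, not code from Bluebox or the article: a small scanner run over constructed Android source and resource fragments (the file paths, key values and `showDeveloperMenu` name are all hypothetical).

```python
import re

# Constructed sample: fragments of an Android app's source and strings.xml,
# written for this example to exhibit the two mistakes named in the article.
SAMPLE_FILES = {
    "app/src/main/java/com/example/net/ApiClient.java": (
        'public class ApiClient {\n'
        '    // hypothetical key, constructed for this example\n'
        '    static final String API_KEY = "sk_live_EXAMPLE0123456789abcdef";\n'
        '}\n'
    ),
    "app/src/main/java/com/example/ui/MainActivity.java": (
        'public class MainActivity extends Activity {\n'
        '    void onCreate() {\n'
        '        if (BuildConfig.DEBUG) showDeveloperMenu();\n'
        '        showDeveloperMenu();   // left behind: no debug gate\n'
        '    }\n'
        '}\n'
    ),
    "app/src/main/res/values/strings.xml": (
        '<resources>\n'
        '  <string name="app_name">Demo</string>\n'
        '  <string name="aws_key">AKIAEXAMPLEKEY123456</string>\n'
        '</resources>\n'
    ),
}

# Error classes from the article: credentials in the app, and developer
# menus reachable in a release build (call not gated by BuildConfig.DEBUG).
SECRET_PATTERNS = [
    ("hardcoded API key", re.compile(r'"(sk_live_[A-Za-z0-9]{16,})"')),
    ("AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
]
DEBUG_MENU = re.compile(r"\b(show|open|launch)Dev(eloper)?Menu\s*\(")
DEBUG_GATE = re.compile(r"BuildConfig\.DEBUG")

def scan_file(path, text):
    """Return (path, line number, label) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pat in SECRET_PATTERNS:
            if pat.search(line):
                findings.append((path, lineno, label))
                break
        if DEBUG_MENU.search(line) and not DEBUG_GATE.search(line):
            findings.append((path, lineno, "developer menu without debug gate"))
    return findings

def scan(files):
    """Scan a mapping of path -> file contents; returns all findings in order."""
    return [f for path, text in files.items() for f in scan_file(path, text)]
```

In a real pipeline the same check would run over the unpacked release APK (decompiled classes and `res/values`) rather than the source tree, since that is what ends up in users' hands.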
Kostka said BYOD security is an issue for all devices and operating systems, and enterprises shouldn't put faith in the OS to protect their data. "We're seeing so many more attacks on iOS devices because it's the most popular platform for enterprises," she said. "You can't just trust the OS. Apple has done a lot of good things with security, but it's not 100% secure. And people think an iOS device has to be jailbroken to be at risk, but that's not true."
All of this adds up to major problems for companies, especially those who have BYOD policies, Kostka said. Using employee-owned mobile devices in the workplace is generally encouraged; however, this means companies have to educate employees about mobile application threats and proper security hygiene. If employees are careless or have insecure mobile apps on their devices, their employer can potentially suffer a breach or theft of sensitive data. Since companies don't have complete control of employees using their own devices for work, company data is at risk.
Bluebox Security is addressing these issues with a new software product called Bluebox for Consumer Apps, which is designed to improve BYOD defenses. The mobile security startup already offers protection for enterprise iOS and Android apps, but Bluebox for Consumer Apps focuses on the non-enterprise applications that often reside on BYOD devices in the enterprise and transforms them into "self-defending apps." Any application available in the Apple App Store or Google Play Store can be uploaded to Bluebox for Consumer Apps, which then applies an application wrapper to the mobile app. The wrapper provides encryption for data at rest, enterprise security policies, anti-tampering measures, mobile threat intelligence and other capabilities.
Bluebox said the application wrapping process is simple and requires just a single click, so it won't add time to the application development cycle. Bluebox's survey cited the "rush to release" approach as the leading source of mobile application threats and vulnerabilities. When an app's development is rushed, it's typically due to customer demand and developer impatience. According to Kostka, implementing security checks and controls for mobile apps can add an average of six weeks to the application development process, and it can take even longer depending on what is found.
"Time to market is crucial for mobile app developers," she said. "Your app could become irrelevant during that six weeks."
There aren't any policies or standards policing mobile application development, so security flaws are often overlooked when developers don't take the time to review their product. But considering 80% of Bluebox's survey respondents said they wouldn't download a company's mobile application if it was breached, going to market with major security flaws could be devastating for developers.
Kostka said most enterprises know that mobile app development falls short on security, but they're not taking enough action to properly protect those apps. "Companies have underinvested in mobile security in a rush to become mobile first, and now the bill is due," she said. "With mobile threats being discovered almost daily, and enterprises losing control over consumer devices, it's only a matter of time before a mobile hack is the root of the next major breach."
Bluebox for Consumer Apps will be available in December.