Today’s organizations are releasing mobile and Internet of Things (IoT) applications at a breathtaking pace. According to recent research, more than 4 million Android and iOS applications are currently in production, with thousands more being released every month.

IBM client Cisco, meanwhile, predicted that the estimated value of the global IoT market will reach $14.4 trillion by 2022 and that organizations will invest more than $2 trillion into IoT initiatives. These initiatives include improving customer service, reducing time to market, streamlining supply chain and logistics projects, lowering overall costs and boosting employee productivity.

Key Findings From the Ponemon Application Security Testing Survey

If your organization has been slow to accept the risks associated with unsecured mobile and IoT applications, the results of our independently conducted “2017 State of Mobile & Internet of Things (IoT) Application Security Study,” sponsored by IBM and Arxan, suggest that now is the time to start.


Here are 10 key findings from our study, which included 593 responses from IT and application security practitioners.

1. Widespread Worry Over Mobile and IoT Application Security

Respondents are slightly more concerned about potentially getting hacked through IoT applications (58 percent) than mobile applications (53 percent), but both of the figures reflect high percentages. Despite their concern, however, few organizations are mobilized against these threats. Forty-four percent of respondents said they had taken no steps toward such a mobilization, and 11 percent were unsure whether their organizations were doing anything to prevent such attacks.

2. Material Data Breaches Result From Mobile and IoT Insecurity

While 11 percent of respondents reported that they knew with certainty that their organization had experienced a security incident as a result of insecure mobile applications, 15 percent indicated that they “most likely” knew and 34 percent reported that they “likely” knew that information. Respondents reported that they were less certain whether their organization experienced a material data breach or cyberattack due to insecure IoT applications. In total, 46 percent said they knew with certainty (4 percent), most likely knew (11 percent) or likely knew (31 percent) that their organization had sustained an attack that resulted from insecure IoT applications.

3. Mobile and IoT Applications Are Threats to Organizations’ Strong Security Postures

Seventy-nine percent of respondents said the use of mobile applications increases security risk significantly or very significantly, while 75 percent indicated that IoT applications had the same effect.

4. There’s a High Level of Concern for Insecure Mobile and IoT Applications

Seventy percent of respondents reported that they were very concerned about the use of insecure IoT applications. Similarly, 64 percent said they were very concerned about the use of insecure mobile applications in the workplace.

5. Organizations Are Not Confident That They Know All the Mobile and IoT Applications Being Utilized in the Workplace

Surprisingly, 63 percent of respondents are not confident (30 percent) or have no confidence (33 percent) in their organization’s ability to keep track of all the mobile applications their employees use. Even more concerning, 75 percent are not confident (38 percent) or have no confidence (37 percent) that they know all the IoT applications in the enterprise. However, respondents estimated that employees in their organizations actively use, on average, 472 mobile and 241 IoT applications.

6. Potential Incidents and New Regulations Drive Budgetary Growth in Application Security

Only 30 percent of respondents said their organization allocates sufficient budget to protect mobile applications and IoT devices. If the organization experienced a serious security incident, 54 percent of respondents indicated that they would most likely consider increasing their security budgets. Meanwhile, 46 percent of respondents said their organization would likely increase IT budgets to prepare for new regulations, and 25 percent reported that media coverage of a serious data breach would encourage their organizations to do the same.

7. Rush to Release Is the Primary Reason Why Mobile and IoT Applications Contain Vulnerable Code

Sixty-nine percent of respondents cited pressure on the development team as the primary reason why mobile applications contain vulnerable code, and 75 percent pointed to the same issue as a source of vulnerability for IoT applications. Accidental coding errors in mobile and IoT applications also result in vulnerable code, according to 65 percent of respondents. A lack of internal policies or rules that clarify security requirements can also negatively affect application security.

8. There Is a Lack of Urgency to Address Risks

Only 32 percent of respondents said their organization urgently wants to secure mobile applications and 42 percent said they feel similarly pressured to secure IoT applications. This lack of urgency may be due to a low application security budget, or an organizational failure to delegate data protection to a dedicated IT leader. Rather, application and data protection reside in lines of business, development or engineering.

9. Application Security Testing Is Performed on an Ad Hoc Basis, If at All

Organizations may recognize the risk, but, as mentioned above, many are slow to react. This lack of urgency is reflected in mobile and IoT application security practices: 35 percent of respondents said their organization did not preschedule application security testing, while 26 percent indicated that their company failed to conduct testing at all. Nearly half (48 percent) reported that their organization did not test IoT applications.

On average, only 29 percent of mobile applications and 20 percent of IoT applications are tested for vulnerabilities. An average of 30 percent of mobile apps and 38 percent of IoT apps tested contained significant vulnerabilities.

10. Application Security Testing Is Frequently Delayed Until Production

Fifty-eight percent of respondents said their organization typically waits until production to test IoT applications and 39 percent indicated that mobile applications were tested during production.

Learn More About Application Security Testing

To learn how your organization can combat the mobile and IoT risks identified in our study, please watch the on-demand webinar. You can also download a complimentary copy of our comprehensive study results.
