In today’s race to build the latest and greatest mobile applications, developers and companies building the apps are increasingly zeroing in on what attracts users to them. Is it their usability? Their gamification? Is it their aesthetic design, or their ability to provide users with yet another social platform to chat with friends and like-minded hobbyists?

While all of these aspects are important, there is one feature that is being severely overlooked, although its power to attract and retain users is enormous: mobile security.

Data Breaches Growing in Size and Scope

Data breaches are increasingly becoming one of the largest topics of concern for today’s consumer. In 2014, more than 1 billion personal data records were compromised by cyberattacks. Although we’ve done a fantastic job securing the computers and servers that have traditionally housed our sensitive information, we are neglecting to devote the same attention to our mobile apps — and cybercriminals are waking up to this opportunity.

The Ponemon Institute recently teamed up with IBM to look into just how secure the apps that many of the world’s largest and most trusted organizations are building for their customers really are. What they found was extremely unsettling.

Mobile Security Survey Findings

In the face of accelerating user demand, businesses are building mobile apps with speed-to-market and user experience in mind. What they are not doing, however, is validating that their apps are safe and secure enough for users to disclose the confidential information — such as billing details and personal information — the apps frequently require.

Among the more than 400 organizations studied — nearly 40 percent of which were Fortune 500 companies — almost 40 percent of them aren’t scanning the code in their apps for security vulnerabilities, leaving the door wide open to the potential hacking of sensitive user, corporate and customer data. The average organization tests fewer than half of the mobile apps it builds, and a whopping 33 percent of companies never test their apps.

While worrisome, this isn’t surprising, given the tremendous deficit in mobile security investment and attention. While each company spends an astounding average of $34 million annually on mobile app development, a full half of these companies do not devote any budget at all to mobile security. Take a minute to reflect on that finding: they devote less of their budget to security than you spend on a $0.99 emoticon package for your mobile phone.

Ongoing Pressure of ‘Rush to Release’

Yes, the pressure on mobile app development teams to rapidly build and deploy code is tremendous. For example, 65 percent of companies admit the security of their apps is often put at risk because of customer demand or need, and an overwhelming 77 percent cite rush-to-release pressures as a primary reason why mobile apps contain vulnerable code.

However, shouldn’t building safety into our apps be just as important as how pretty they are or how quickly we can get our hands on them? After all, retrofitting an app for security is similar to putting brakes on a car when it’s already cruising down the road; it just doesn’t work. And similar to the immense damage a safety recall has for automotive brands, a data breach resulting in confidential customer information being compromised can be a death knell for companies.

Our demand for new and better mobile apps — and the lack of attention being paid to their security — is unintentionally opening us up to cybersecurity hacks and data breaches and putting our sensitive and private information at risk.

As evidenced by a number of high-profile security breaches in recent months, cybercriminals are now turning to mobile as their attack vector of choice. Who could blame them? This lack of testing and budget, compounded with the pressure to rapidly deploy mobile apps, is further intensified by a dearth of security training and education.

Employee Education Must Accompany Technological Solutions

Today, the average developer has less than two years of experience. Seventy-three of the organizations studied cite a lack of understanding and training on secure coding practices, saying it’s a big reason why mobile apps contain vulnerable code. Despite the fact that all the organizations studied are currently building mobile apps, only 41 percent of them said their company had sufficient mobile security expertise.

There is no doubt that mobile apps will continue to evolve and become more ingrained in our daily lives. What cannot be overlooked, however, are the increasing security risks as cybercriminals become more sophisticated and aware of the numerous exploits opening up due to our lack of focus on mobile security. Technologies such as IBM MobileFirst Protect™ threat management and IBM Security AppScan Mobile Analyzer™ can help organizations combat the inherent risks around mobile security.

However, we should be building security into apps now, rather than reactively doing so after cybercriminals have had the time to fully exploit the vulnerabilities that exist today.

Research conducted by Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.
