In today’s race to build the latest and greatest mobile applications, developers and companies building the apps are increasingly zeroing in on what attracts users to them. Is it their usability? Their gamification? Is it their aesthetic design, or their ability to provide users with yet another social platform to chat with friends and like-minded hobbyists?

While all of these aspects are important, there is one feature that is being severely overlooked, although its power to attract and retain users is enormous: mobile security.

Data Breaches Growing in Size and Scope

Data breaches are increasingly becoming one of the largest topics of concern for today’s consumer. In 2014, more than 1 billion personal data records were compromised by cyberattacks. Although we’ve done a fantastic job securing the computers and servers that have traditionally housed our sensitive information, we are neglecting to devote the same attention to our mobile apps — and cybercriminals are waking up to this opportunity.

The Ponemon Institute recently teamed up with IBM to look into just how secure the apps that many of the largest and most trusted organizations are building for their customers really are. What they found was extremely unsettling.

Mobile Security Survey Findings

In the face of accelerating user demand, businesses are building mobile apps with speed-to-market and user experience in mind. What they are not doing, however, is validating that their apps are safe and secure enough for users to disclose the confidential information — such as billing details and personal information — the apps frequently require.

Among the more than 400 organizations studied — nearly 40 percent of which were Fortune 500 companies — almost 40 percent of them aren’t scanning the code in their apps for security vulnerabilities, leaving the door wide open to the potential hacking of sensitive user, corporate and customer data. The average organization tests fewer than half of the mobile apps it builds, and a whopping 33 percent of companies never test their apps.

While worrisome, this isn’t surprising, given the tremendous deficit in mobile security investments and attention. While each company spends an astounding average of $34 million annually on mobile app development, a full half of these companies do not devote any budget at all to mobile security. Take a minute to reflect on that finding. They devote less of their budget to security than you devote to purchasing a $0.99 emoticon package for your mobile phone.

Ongoing Pressure of ‘Rush to Release’

Yes, the pressure on mobile app development teams to rapidly build and deploy code is tremendous. For example, 65 percent of companies admit the security of their apps is often put at risk because of customer demand or need, and an overwhelming 77 percent cite rush-to-release pressures as a primary reason why mobile apps contain vulnerable code.

However, shouldn’t building safety into our apps be just as important as how pretty they are or how quickly we can get our hands on them? After all, retrofitting an app for security is similar to putting brakes on a car when it’s already cruising down the road; it just doesn’t work. And similar to the immense damage a safety recall has for automotive brands, a data breach resulting in confidential customer information being compromised can be a death knell for companies.

Our demand for new and better mobile apps — and the lack of attention being paid to their security — is unintentionally opening us up to cybersecurity hacks and data breaches and putting our sensitive and private information at risk.

As evidenced by a number of high-profile security breaches in recent months, cybercriminals are now turning to mobile as their attack vector of choice. Who could blame them? This lack of testing and budget, compounded with the pressure to rapidly deploy mobile apps, is further intensified by a dearth of security training and education.

Employee Education Must Accompany Technological Solutions

Today, the average developer has less than two years of experience. Seventy-three of the organizations studied cite a lack of understanding and training on secure coding practices, saying it’s a big reason why mobile apps contain vulnerable code. Despite the fact that all the organizations studied are currently building mobile apps, only 41 percent of them said their company had sufficient mobile security expertise.

There is no doubt that mobile apps will continue to evolve and become more ingrained into our daily lives. What cannot be overlooked, however, is the increasing security risks as cybercriminals become more sophisticated and aware of the numerous exploits opening up due to our lack of focus on mobile security. Technologies such as IBM MobileFirst Protect™ threat management and IBM Security AppScan Mobile Analyzer™ can help organizations combat the inherent risks around mobile security.

However, we should be building security into apps now, rather than reactively doing so after cybercriminals have had the time to fully exploit the vulnerabilities that exist today.

Research conducted by Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.
