In today’s race to build the latest and greatest mobile applications, developers and companies building the apps are increasingly zeroing in on what attracts users to them. Is it their usability? Their gamification? Is it their aesthetic design, or their ability to provide users with yet another social platform to chat with friends and like-minded hobbyists?

While all of these aspects are important, there is one feature that is being severely overlooked, although its power to attract and retain users is enormous: mobile security.

Data Breaches Growing in Size and Scope

Data breaches are increasingly becoming one of the largest topics of concern for today’s consumer. In 2014, more than 1 billion personal data records were compromised by cyberattacks. Although we’ve done a fantastic job securing the computers and servers that have traditionally housed our sensitive information, we are neglecting to devote the same attention to our mobile apps — and cybercriminals are waking up to this opportunity.

The Ponemon Institute recently teamed up with IBM to look into just how secure the apps that many of the largest and most trusted organizations are building for their customers really are. What they found was extremely unsettling.

Mobile Security Survey Findings

In the face of accelerating user demand, businesses are building mobile apps with speed-to-market and user experience in mind. What they are not doing, however, is validating that their apps are safe and secure enough for users to disclose the confidential information — such as billing details and personal information — the apps frequently require.

Among the more than 400 organizations studied — nearly 40 percent of which were Fortune 500 companies — almost 40 percent of them aren’t scanning the code in their apps for security vulnerabilities, leaving the door wide open to the potential hacking of sensitive user, corporate and customer data. The average organization tests fewer than half of the mobile apps it builds, and a whopping 33 percent of companies never test their apps.

While worrisome, this isn’t surprising, given the tremendous deficit in mobile security investments and attention. While each company spends an astounding average of $34 million annually on mobile app development, a full half of these companies do not devote any budget at all to mobile security. Take a minute to reflect on that finding. They devote less of their budget to security than you devote to purchasing a $0.99 emoticon package for your mobile phone.

Ongoing Pressure of ‘Rush to Release’

Yes, the pressure on mobile app development teams to rapidly build and deploy code is tremendous. For example, 65 percent of companies admit the security of their apps is often put at risk because of customer demand or need, and an overwhelming 77 percent cite rush-to-release pressures as a primary reason why mobile apps contain vulnerable code.

However, shouldn’t building safety into our apps be just as important as how pretty they are or how quickly we can get our hands on them? After all, retrofitting an app for security is similar to putting brakes on a car when it’s already cruising down the road; it just doesn’t work. And similar to the immense damage a safety recall has for automotive brands, a data breach resulting in confidential customer information being compromised can be a death knell for companies.

Our demand for new and better mobile apps — and the lack of attention being paid to their security — is unintentionally opening us up to cybersecurity hacks and data breaches and putting our sensitive and private information at risk.

As evidenced by a number of high-profile security breaches in recent months, cybercriminals are now turning to mobile as their attack vector of choice. Who could blame them? This lack of testing and budget, compounded with the pressure to rapidly deploy mobile apps, is further intensified by a dearth of security training and education.

Employee Education Must Accompany Technological Solutions

Today, the average developer has less than two years of experience. Seventy-three of the organizations studied cite a lack of understanding and training on secure coding practices, saying it’s a big reason why mobile apps contain vulnerable code. Despite the fact that all the organizations studied are currently building mobile apps, only 41 percent of them said their company had sufficient mobile security expertise.

There is no doubt that mobile apps will continue to evolve and become more ingrained into our daily lives. What cannot be overlooked, however, is the increasing security risks as cybercriminals become more sophisticated and aware of the numerous exploits opening up due to our lack of focus on mobile security. Technologies such as IBM MobileFirst Protect™ threat management and IBM Security AppScan Mobile Analyzer™ can help organizations combat the inherent risks around mobile security.

However, we should be building security into apps now, rather than reactively doing so after cybercriminals have had the time to fully exploit the vulnerabilities that exist today.

Research conducted by Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.
