In today’s race to build the latest and greatest mobile applications, developers and companies building the apps are increasingly zeroing in on what attracts users to them. Is it their usability? Their gamification? Is it their aesthetic design, or their ability to provide users with yet another social platform to chat with friends and like-minded hobbyists?

While all of these aspects are important, there is one feature that is being severely overlooked, although its power to attract and retain users is enormous: mobile security.

Data Breaches Growing in Size and Scope

Data breaches are increasingly becoming one of the largest topics of concern for today’s consumer. In 2014, more than 1 billion personal data records were compromised by cyberattacks. Although we’ve done a fantastic job securing the computers and servers that have traditionally housed our sensitive information, we are neglecting to devote the same attention to our mobile apps — and cybercriminals are waking up to this opportunity.

The Ponemon Institute recently teamed up with IBM to look into just how secure the apps that many of the largest and most trusted organizations are building for their customers really are. What they found was extremely unsettling.

Mobile Security Survey Findings

In the face of accelerating user demand, businesses are building mobile apps with speed-to-market and user experience in mind. What they are not doing, however, is validating that their apps are safe and secure enough for users to disclose the confidential information — such as billing details and personal information — the apps frequently require.

Among the more than 400 organizations studied — nearly 40 percent of which were Fortune 500 companies — almost 40 percent of them aren’t scanning the code in their apps for security vulnerabilities, leaving the door wide open to the potential hacking of sensitive user, corporate and customer data. The average organization tests fewer than half of the mobile apps it builds, and a whopping 33 percent of companies never test their apps.

While worrisome, this isn’t surprising, given the tremendous deficit in mobile security investments and attention. While each company spends an astounding average of $34 million annually on mobile app development, a full half of these companies do not devote any budget at all to mobile security. Take a minute to reflect on that finding. They devote less of their budget to security than you devote to purchasing a $0.99 emoticon package for your mobile phone.

Ongoing Pressure of ‘Rush to Release’

Yes, the pressure on mobile app development teams to rapidly build and deploy code is tremendous. For example, 65 percent of companies admit the security of their apps is often put at risk because of customer demand or need, and an overwhelming 77 percent cite rush-to-release pressures as a primary reason why mobile apps contain vulnerable code.

However, shouldn’t building safety into our apps be just as important as how pretty they are or how quickly we can get our hands on them? After all, retrofitting an app for security is similar to putting brakes on a car when it’s already cruising down the road; it just doesn’t work. And similar to the immense damage a safety recall has for automotive brands, a data breach resulting in confidential customer information being compromised can be a death knell for companies.

Our demand for new and better mobile apps — and the lack of attention being paid to their security — is unintentionally opening us up to cybersecurity hacks and data breaches and putting our sensitive and private information at risk.

As evidenced by a number of high-profile security breaches in recent months, cybercriminals are now turning to mobile as their attack vector of choice. Who could blame them? This lack of testing and budget, compounded with the pressure to rapidly deploy mobile apps, is further intensified by a dearth of security training and education.

Employee Education Must Accompany Technological Solutions

Today, the average developer has less than two years of experience. Seventy-three of the organizations studied cite a lack of understanding and training on secure coding practices, saying it’s a big reason why mobile apps contain vulnerable code. Despite the fact that all the organizations studied are currently building mobile apps, only 41 percent of them said their company had sufficient mobile security expertise.

There is no doubt that mobile apps will continue to evolve and become more ingrained into our daily lives. What cannot be overlooked, however, is the increasing security risks as cybercriminals become more sophisticated and aware of the numerous exploits opening up due to our lack of focus on mobile security. Technologies such as IBM MobileFirst Protect™ threat management and IBM Security AppScan Mobile Analyzer™ can help organizations combat the inherent risks around mobile security.

However, we should be building security into apps now, rather than reactively doing so after cybercriminals have had the time to fully exploit the vulnerabilities that exist today.

Research conducted by Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.
