March 31, 2015 By Emma Ban 3 min read

A recent study by the Ponemon Institute and IBM shows that mobile app developers are not investing enough in mobile security. Small and large companies, including numerous Fortune 500 companies, spent an average of $34 million annually on mobile app development, of which only 5.5 percent was allocated to security. Moreover, nearly 40 percent don’t even test apps for security vulnerabilities. The result is major security flaws in the way businesses build and deploy mobile apps for their customers. This casts a long shadow over the security of the Internet of Things, especially when we stop and think about the number of devices connected through apps.

While the findings are alarming, they are not really surprising. At last year’s Mobile World Congress (MWC), many organizations seemed to be overwhelmed by the idea of making their mobile apps more secure. While it looks like things haven’t changed much since then, they actually have.

More apps are being created to control and connect devices; more devices of all shapes and sizes are being created to make our lives easier and more interesting; and more app developers and device manufacturers — established businesses and startups alike — are trying to push their mobile innovations to market. This can only be considered encouraging if we ignore the recent evidence that many of these innovations are vulnerable to cybercriminals.

Several studies and research findings over the past year or so have shown that in the rush to bring new technologies and devices to market, manufacturers often neglect the security aspect. Security researchers have proven that even home automation systems are vulnerable to cybercriminals, and the recently announced security patch in BMW’s ConnectedDrive software raised even more concerns about IoT security.

Thus, it is not only mobile app developers who overlook security, but also manufacturers of devices and even cars. So far, pretty much every new key technology — mobile or otherwise — seems to follow the same disconcerting pattern:

  • Manufacturers and developers start out with a limited budget. Because they need to gain user adoption quickly, they focus on ease of use, not security.
  • Security researchers start investigating the capabilities of these products, and almost invariably, they find security flaws.
  • The products or apps become popular. As user adoption increases, so does cybercriminals’ interest in exploiting these products.
  • Only at this point do companies start to patch security and pay more attention to it.

Emerging Mobility and IoT Security Trends Require a Change in Manufacturers’ Mindset

The IoT cannot be stopped, nor can we slow down mobility. In light of this reality, what can we do to make it more secure? We can try to advocate a new security mindset among the drivers of these IT trends.

From an original equipment manufacturer perspective, manufacturers must change the pattern detailed above by focusing on security from the product design stages. Where there is interconnection between products, manufacturers should work closely to ensure secure connectivity at every level. In so doing, not only will they ensure better protection for their users, but they will also be able to position their products as robust solutions to today’s needs, which include proper protection from emerging threats.

From an enterprise perspective, the imminent adoption of wearables by employees means an increased focus on bring-your-own-device policies, risk assessment and continuous education for employees. Additionally, businesses have to analyze, understand and accept the size and scope of security investments. This will help build an infrastructure ready to respond to real-time mobile threats posed by new mobility trends.

Manufacturers and app developers — and the parties employing their innovative technologies — have traditionally had a reactive security mindset to mobility and IoT trends. But it has become evident that this mindset must become proactive by making IoT security a top priority.

Read the Ponemon Study on the State of Mobile Application Insecurity
