March 31, 2015 By Emma Ban

A recent study by the Ponemon Institute and IBM shows that mobile app developers are not investing enough in mobile security. Small and large companies, including numerous Fortune 500 companies, spent an average of $34 million annually on mobile app development, of which only 5.5 percent was allocated to security. Moreover, nearly 40 percent don’t even test apps for security vulnerabilities. The result is major security flaws in the way businesses build and deploy mobile apps for their customers. This casts a long shadow over the security of the Internet of Things, especially when we stop and think about the number of devices connected through apps.

While the findings are alarming, they are not really surprising. At last year’s Mobile World Congress (MWC), many organizations seemed to be overwhelmed by the idea of making their mobile apps more secure. While it looks like things haven’t changed much since then, they actually have.

More apps are being created to control and connect devices; more devices of all shapes and sizes are being created to make our lives easier and more interesting; and more app developers and device manufacturers — established businesses and startups alike — are trying to push their mobile innovations to market. This can only be considered encouraging if we ignore the recent evidence that many of these innovations are vulnerable to cybercriminals.

Several studies and research findings over the past year or so have shown that in the rush to bring new technologies and devices to market, manufacturers often neglect the security aspect. Security researchers have proven that even home automation systems are vulnerable to cybercriminals, and the recently announced security patch in BMW’s ConnectedDrive software raised even more concerns about IoT security.

Thus, it is not only mobile app developers who overlook security, but also manufacturers of devices and even cars. So far, pretty much every new key technology — mobile or otherwise — seems to follow the same disconcerting pattern:

  • Manufacturers and developers start out with a limited budget. Because they need to gain user adoption quickly, they focus on ease of use, not security.
  • Security researchers start investigating the capabilities of these products, and almost invariably, they find security flaws.
  • The products or apps become popular. As user adoption increases, so does cybercriminals’ interest in exploiting these products.
  • Only at this point do companies start to patch security and pay more attention to it.

Emerging Mobility and IoT Security Trends Require a Change in Manufacturers’ Mindset

The IoT cannot be stopped, nor can we slow down mobility. In light of this reality, what can we do to make it more secure? We can try to advocate a new security mindset among the drivers of these IT trends.

From an original equipment manufacturer perspective, manufacturers must change the pattern detailed above by focusing on security from the product design stages. Where there is interconnection between products, manufacturers should work closely to ensure secure connectivity at every level. In so doing, not only will they ensure better protection for their users, but they will also be able to position their products as robust solutions to today’s needs, which include proper protection from emerging threats.

From an enterprise perspective, the imminent adoption of wearables by employees means an increased focus on bring-your-own-device policies, risk assessment and continuous education for employees. Additionally, businesses have to analyze, understand and accept the size and scope of security investments. This will help build an infrastructure ready to respond to real-time mobile threats posed by new mobility trends.

Manufacturers and app developers — and the parties employing their innovative technologies — have traditionally had a reactive security mindset to mobility and IoT trends. But it has become evident that this mindset must become proactive by making IoT security a top priority.

Read the Ponemon Study on the State of Mobile Application Insecurity
