A recent study by the Ponemon Institute and IBM shows that mobile app developers are not investing enough in mobile security. Small and large companies, including numerous Fortune 500 companies, spent an average of $34 million annually on mobile app development, of which only 5.5 percent was allocated to security. Moreover, nearly 40 percent don’t even test apps for security vulnerabilities. The result is major security flaws in the way businesses build and deploy mobile apps for their customers. This casts a long shadow over the security of the Internet of Things, especially when we stop and think about the number of devices connected through apps.

While the findings are alarming, they are not really surprising. At last year’s Mobile World Congress (MWC), many organizations seemed to be overwhelmed by the idea of making their mobile apps more secure. While it looks like things haven’t changed much since then, they actually have.

More apps are being created to control and connect devices; more devices of all shapes and sizes are being created to make our lives easier and more interesting; and more app developers and device manufacturers — established businesses and startups alike — are trying to push their mobile innovations to market. This can only be considered encouraging if we ignore the recent evidence that many of these innovations are vulnerable to cybercriminals.

Several studies and research findings over the past year or so have shown that in the rush to bring new technologies and devices to market, manufacturers often neglect the security aspect. Security researchers have proven that even home automation systems are vulnerable to cybercriminals, and the recently announced security patch in BMW’s ConnectedDrive software raised even more concerns about IoT security.

Thus, it is not only mobile app developers who overlook security, but also manufacturers of devices and even cars. So far, pretty much every new key technology — mobile or otherwise — seems to follow the same disconcerting pattern:

  • Manufacturers and developers start out with a limited budget. Because they need to gain user adoption quickly, they focus on ease of use, not security.
  • Security researchers start investigating the capabilities of these products, and almost invariably, they find security flaws.
  • The products or apps become popular. As user adoption increases, so does cybercriminals’ interest in exploiting these products.
  • Only at this point do companies start to patch security and pay more attention to it.

Emerging Mobility and IoT Security Trends Require a Change in Manufacturers’ Mindset

The IoT cannot be stopped, nor can we slow down mobility. In light of this reality, what can we do to make it more secure? We can try to advocate a new security mindset among the drivers of these IT trends.

From an original equipment manufacturer perspective, manufacturers must break the pattern detailed above by focusing on security from the product design stage onward. Where there is interconnection between products, manufacturers should work closely together to ensure secure connectivity at every level. In so doing, not only will they ensure better protection for their users, but they will also be able to position their products as robust solutions to today’s needs, which include proper protection from emerging threats.

From an enterprise perspective, the imminent adoption of wearables by employees means an increased focus on bring-your-own-device policies, risk assessment and continuous education for employees. Additionally, businesses have to analyze, understand and accept the size and scope of security investments. This will help build an infrastructure ready to respond to real-time mobile threats posed by new mobility trends.

Manufacturers and app developers — and the parties employing their innovative technologies — have traditionally had a reactive security mindset to mobility and IoT trends. But it has become evident that this mindset must become proactive by making IoT security a top priority.

Read the Ponemon Study on the State of Mobile Application Insecurity
