A recent study by the Ponemon Institute and IBM shows that mobile app developers are not investing enough in mobile security. Small and large companies, including numerous Fortune 500 companies, spent an average of $34 million annually on mobile app development, of which only 5.5 percent was allocated to security. Moreover, nearly 40 percent don't test their apps for security vulnerabilities at all. The result is major security flaws in the way businesses build and deploy mobile apps for their customers. This casts a long shadow over the security of the Internet of Things, especially when we consider how many devices are connected and controlled through those same apps.

While the findings are alarming, they are not really surprising. At last year's Mobile World Congress (MWC), many organizations seemed overwhelmed by the prospect of making their mobile apps more secure. It may look as though little has changed since then, but the landscape has shifted considerably.

More apps are being created to control and connect devices; more devices of all shapes and sizes are being created to make our lives easier and more interesting; and more app developers and device manufacturers — established businesses and startups alike — are trying to push their mobile innovations to market. This can only be considered encouraging if we ignore the recent evidence that many of these innovations are vulnerable to cybercriminals.

Several studies and research findings over the past year or so have shown that, in the rush to bring new technologies and devices to market, manufacturers often neglect security. Security researchers have demonstrated that even home automation systems are vulnerable to cybercriminals, and the recently announced security patch for BMW's ConnectedDrive software raised further concerns about IoT security.

Thus, it is not only mobile app developers who overlook security, but also manufacturers of devices and even cars. So far, pretty much every new key technology — mobile or otherwise — seems to follow the same disconcerting pattern:

  • Manufacturers and developers start out with a limited budget. Because they need to gain user adoption quickly, they focus on ease of use, not security.
  • Security researchers start investigating the capabilities of these products, and almost invariably, they find security flaws.
  • The products or apps become popular. As user adoption increases, so does cybercriminals’ interest in exploiting these products.
  • Only at this point do companies start to patch security and pay more attention to it.

Emerging Mobility and IoT Security Trends Require a Change in Manufacturers’ Mindset

The IoT cannot be stopped, nor can we slow down mobility. In light of this reality, what can we do to make it more secure? We can try to advocate a new security mindset among the drivers of these IT trends.

From the original equipment manufacturer's perspective, breaking the pattern detailed above means treating security as a design-stage requirement rather than a post-release patch. Where products interconnect, manufacturers should work closely with each other to ensure secure connectivity at every layer. In doing so, they not only protect their users better but can also position their products as robust solutions to today's needs, which include proper protection from emerging threats.

From the enterprise perspective, the imminent adoption of wearables by employees calls for an increased focus on bring-your-own-device policies, risk assessment and continuous employee education. Businesses also have to analyze, understand and accept the size and scope of the security investment required. Doing so is what builds an infrastructure able to respond in real time to the mobile threats that these new mobility trends introduce.

Manufacturers and app developers, and the organizations that deploy their technologies, have traditionally taken a reactive security stance toward mobility and IoT trends. It has become evident that this stance must become proactive, with IoT security treated as a top priority from the outset.

Read the Ponemon Study on the State of Mobile Application Insecurity
