September 22, 2014, by Douglas Bonderud

The marks are in, and they’re not good: According to Naked Security, a new app study by the Global Privacy Enforcement Network (GPEN) found that just 15 percent of all apps get a passing grade when it comes to data handling and privacy. Data from Gartner, meanwhile, predicts that over 75 percent of mobile applications will fail basic business-level security tests through 2015. So how do companies make sure their apps aren’t flunking out?

New App Study: D- For Privacy

The GPEN study looked at over 1,200 apps and found more than a few problems. First, 85 percent of those tested didn’t provide “clear information on how the app gathers, uses and shares private data on the user, to the extent that the user could feel confident in their understanding of how it works.”

What’s more, 30 percent of apps didn’t provide any kind of privacy warning or information, and more than three-quarters asked for at least one permission, such as device location or identification data.

A full 10 percent wanted access to the device’s camera, and almost as many tried to gain access to contact lists. Part of the problem is user expectation. “Free” apps come complete with the idea that they’ll try to access some private information or make money through in-app advertising. As regulations for the paid-for app market increase, more free applications arrive to fill the gaps, making it harder for companies to separate “functional” from “fraudulent.”

More Work Needed

According to Gartner, 90 percent of enterprises already use third-party commercial applications for their mobile bring-your-own-device (BYOD) strategy, and “app stores are filled with applications that mostly prove their advertised usefulness.” The problem? Three-quarters of these apps also fail basic security tests, leading to the prediction that, by 2017, the bulk of endpoint breaches will target smartphones and tablets.

Consider the recent Android Browser app breach, as reported by IGN. A flaw allowed the injection of malicious JavaScript code into the browser itself, letting hackers steal passwords and other information — and this is just the beginning.

To combat these types of mobile app issues, Gartner says more work is needed in areas such as static and dynamic application security testing as well as behavioral analysis tools that look for suspicious background actions when apps are running. For example, tests might monitor a file-sharing application that is trying to access device identification data and send it to an unknown IP address.
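The behavioral check in that file-sharing example can be sketched as follows. This is an added illustration, not code from Gartner or the article; the trace format, app names, policy table and 30-second window are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed policy (assumption): resources and networks each app's
# stated function justifies.
POLICY = {
    "com.example.fileshare": ({"STORAGE"}, ["198.51.100.0/24"]),
    "com.example.maps": ({"LOCATION"}, ["192.0.2.0/24"]),
}

# Constructed runtime trace: "<epoch> <app> <event> <detail>"
TRACE = """\
1411380000 com.example.fileshare read STORAGE
1411380004 com.example.fileshare connect 198.51.100.7
1411380010 com.example.fileshare read DEVICE_ID
1411380012 com.example.fileshare connect 203.0.113.45
1411380020 com.example.maps read LOCATION
1411380021 com.example.maps connect 192.0.2.10
1411380500 com.example.maps connect 203.0.113.99
"""

WINDOW = 30  # max seconds between an unjustified read and a send (assumption)

def find_suspicious(trace, policy=POLICY, window=WINDOW):
    """Return (app, resource, dst) where an app read a resource its function
    does not justify, then connected to an address outside its known networks."""
    recent_reads = defaultdict(list)  # app -> [(timestamp, resource)]
    findings = []
    for line in trace.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, app, event, detail = int(parts[0]), parts[1], parts[2], parts[3]
        allowed, nets = policy.get(app, (set(), []))  # unknown app: nothing allowed
        if event == "read" and detail not in allowed:
            recent_reads[app].append((ts, detail))
        elif event == "connect":
            dst = ipaddress.ip_address(detail)
            if any(dst in ipaddress.ip_network(n) for n in nets):
                continue  # destination is one the app is expected to use
            for read_ts, resource in recent_reads[app]:
                if 0 <= ts - read_ts <= window:
                    findings.append((app, resource, detail))
    return findings

if __name__ == "__main__":
    for app, resource, dst in find_suspicious(TRACE):
        print(f"ALERT {app}: read {resource}, then sent data to unknown {dst}")
```

The maps app's late connection to an unknown address is not flagged on its own, because the rule only fires when an unjustified read precedes the send within the window.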

A Better Report Card

So how can apps score higher on privacy and security report cards? In large part, change must come from companies and users. As it stands, free apps multiply at a ferocious rate because they are consumed just as quickly. In many cases, employees are willing to risk “slight” privacy violations in exchange for ease of use.

Companies are encouraged to have a zero-tolerance policy when it comes to both free and paid apps. Unless permissions directly relate to an app’s function, they must be rejected. Opting for paid apps can help minimize risk, but only if businesses commit to vetting and scanning these apps just as rigorously as if they were created in-house. Simply put, anything that looks like a security issue is a security issue and must be treated as such.

Gartner’s data and the new app study make it clear that applications get a failing grade when it comes to user privacy and security. It’s a massive market, however, which means that any real change must come from within, as users work to keep security failures from impacting performance by association.
