September 22, 2014 By Douglas Bonderud 2 min read

The marks are in, and they’re not good: According to Naked Security, a new app study by the Global Privacy Enforcement Network (GPEN) found that just 15 percent of all apps get a passing grade when it comes to data handling and privacy. Data from Gartner, meanwhile, predicts that over 75 percent of mobile applications will fail basic business-level security tests through 2015. So how do companies make sure their apps aren’t flunking out?

New App Study: D- For Privacy

The GPEN study looked at over 1,200 apps and found more than a few problems. First, 85 percent of those tested didn’t provide “clear information on how the app gathers, uses and shares private data on the user, to the extent that the user could feel confident in their understanding of how it works.”

What’s more, 30 percent of apps didn’t provide any kind of privacy warning or information, and more than three-quarters asked for at least one permission, such as device location or identification data.

A full 10 percent wanted access to the device’s camera, and almost as many tried to gain access to contact lists. Part of the problem is user expectation. “Free” apps come complete with the idea that they’ll try to access some private information or make money through in-app advertising. As regulations for the paid-for app market increase, more free applications arrive to fill the gaps, making it harder for companies to separate “functional” from “fraudulent.”

More Work Needed

According to Gartner, 90 percent of enterprises already use third-party commercial applications for their mobile bring-your-own-device (BYOD) strategy, and “app stores are filled with applications that mostly prove their advertised usefulness.” The problem? Three-quarters of these apps also fail basic security tests, leading to the prediction that, by 2017, the bulk of endpoint breaches will target smartphones and tablets.

Consider the recent Android Browser app breach, as reported by IGN. A flaw allowed the injection of malignant JavaScript code into the browser itself, letting hackers steal passwords and other information — and this is just the beginning.

To combat these types of mobile app issues, Gartner says more work is needed in areas such as static and dynamic application security testing as well as behavioral analysis tools that look for suspicious background actions when apps are running. For example, tests might monitor a file-sharing application that is trying to access device identification data and send it to an unknown IP address.

A Better Report Card

So how can apps score higher on privacy and security report cards? In large part, change must come from companies and users. As it stands, free apps multiply at a ferocious rate because they are consumed just as quickly. In many cases, employees are willing to risk “slight” privacy violations in exchange for ease of use.

Companies are encouraged to have a zero-tolerance policy when it comes to both free and paid apps. Unless permissions directly relate to an app’s function, they must be rejected. Opting for paid apps can help minimize risk, but only if businesses commit to vetting and scanning these apps just as rigorously as if they were created in-house. Simply put, anything that looks like a security issue is a security issue and must be treated as such.

Gartner’s data and the new app study make it clear that applications get a failing grade when it comes to user privacy and security. It’s a massive market, however, which means that any real change must come from within as users work to not let security failures impact performance by association.

More from

Cybersecurity dominates concerns among the C-suite, small businesses and the nation

4 min read - Once relegated to the fringes of business operations, cybersecurity has evolved into a front-and-center concern for organizations worldwide. What was once considered a technical issue managed by IT departments has become a boardroom topic of utmost importance. With the rise of sophisticated cyberattacks, the growing use of generative AI by threat actors and massive data breach costs, it is no longer a question of whether cybersecurity matters but how deeply it affects every facet of modern operations.The 2024 Allianz Risk…

Autonomous security for cloud in AWS: Harnessing the power of AI for a secure future

3 min read - As the digital world evolves, businesses increasingly rely on cloud solutions to store data, run operations and manage applications. However, with this growth comes the challenge of ensuring that cloud environments remain secure and compliant with ever-changing regulations. This is where the idea of autonomous security for cloud (ASC) comes into play.Security and compliance aren't just technical buzzwords; they are crucial for businesses of all sizes. With data breaches and cyber threats on the rise, having systems that ensure your…

Adversarial advantage: Using nation-state threat analysis to strengthen U.S. cybersecurity

4 min read - Nation-state adversaries are changing their approach, pivoting from data destruction to prioritizing stealth and espionage. According to the Microsoft 2023 Digital Defense Report, "nation-state attackers are increasing their investments and launching more sophisticated cyberattacks to evade detection and achieve strategic priorities."These actors pose a critical threat to United States infrastructure and protected data, and compromising either resource could put citizens at risk.Thankfully, there's an upside to these malicious efforts: information. By analyzing nation-state tactics, government agencies and private enterprises are…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today