September 22, 2014 By Douglas Bonderud 2 min read

The marks are in, and they’re not good: According to Naked Security, a new app study by the Global Privacy Enforcement Network (GPEN) found that just 15 percent of all apps get a passing grade when it comes to data handling and privacy. Data from Gartner, meanwhile, predicts that over 75 percent of mobile applications will fail basic business-level security tests through 2015. So how do companies make sure their apps aren’t flunking out?

New App Study: D- For Privacy

The GPEN study looked at over 1,200 apps and found more than a few problems. First, 85 percent of those tested didn’t provide “clear information on how the app gathers, uses and shares private data on the user, to the extent that the user could feel confident in their understanding of how it works.”

What’s more, 30 percent of apps didn’t provide any kind of privacy warning or information, and more than three-quarters asked for at least one permission, such as device location or identification data.

A full 10 percent wanted access to the device’s camera, and almost as many tried to gain access to contact lists. Part of the problem is user expectation. “Free” apps come complete with the idea that they’ll try to access some private information or make money through in-app advertising. As regulations for the paid-for app market increase, more free applications arrive to fill the gaps, making it harder for companies to separate “functional” from “fraudulent.”

More Work Needed

According to Gartner, 90 percent of enterprises already use third-party commercial applications for their mobile bring-your-own-device (BYOD) strategy, and “app stores are filled with applications that mostly prove their advertised usefulness.” The problem? Three-quarters of these apps also fail basic security tests, leading to the prediction that, by 2017, the bulk of endpoint breaches will target smartphones and tablets.

Consider the recent Android Browser app breach, as reported by IGN. A flaw allowed the injection of malignant JavaScript code into the browser itself, letting hackers steal passwords and other information — and this is just the beginning.

To combat these types of mobile app issues, Gartner says more work is needed in areas such as static and dynamic application security testing as well as behavioral analysis tools that look for suspicious background actions when apps are running. For example, tests might monitor a file-sharing application that is trying to access device identification data and send it to an unknown IP address.

A Better Report Card

So how can apps score higher on privacy and security report cards? In large part, change must come from companies and users. As it stands, free apps multiply at a ferocious rate because they are consumed just as quickly. In many cases, employees are willing to risk “slight” privacy violations in exchange for ease of use.

Companies are encouraged to have a zero-tolerance policy when it comes to both free and paid apps. Unless permissions directly relate to an app’s function, they must be rejected. Opting for paid apps can help minimize risk, but only if businesses commit to vetting and scanning these apps just as rigorously as if they were created in-house. Simply put, anything that looks like a security issue is a security issue and must be treated as such.

Gartner’s data and the new app study make it clear that applications get a failing grade when it comes to user privacy and security. It’s a massive market, however, which means that any real change must come from within as users work to not let security failures impact performance by association.

More from

Risk, reward and reality: Has enterprise perception of the public cloud changed?

4 min read - Public clouds now form the bulk of enterprise IT environments. According to 2024 Statista data, 73% of enterprises use a hybrid cloud model, 14% use multiple public clouds and 10% use a single public cloud solution. Multiple and single private clouds make up the remaining 3%.With enterprises historically reticent to adopt public clouds, adoption data seems to indicate a shift in perception. Perhaps enterprise efforts have finally moved away from reducing risk to prioritizing the potential rewards of public cloud…

Cybersecurity Awareness Month: Horror stories

4 min read - When it comes to cybersecurity, the question is when, not if, an organization will suffer a cyber incident. Even the most sophisticated security tools can’t withstand the biggest threat: human behavior.October is Cybersecurity Awareness Month, the time of year when we celebrate all things scary. So it seemed appropriate to ask cybersecurity professionals to share some of their most memorable and haunting cyber incidents. (Names and companies are anonymous to avoid any negative impact. Suffering a cyber incident is bad…

Is AI saving jobs… or taking them?

4 min read - Artificial intelligence (AI) is coming to take your cybersecurity job. Or, AI will save your job. Well, which is it? As with all things security-related, AI-related and employment-related, it's complicated. How AI creates jobs A major reason it's complicated is that AI is helping to increase the demand for cybersecurity professionals in two broad ways. First, malicious actors use AI to get past security defenses and raise the overall risk of data breaches. The bad guys can increasingly use AI-based…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today