September 22, 2014 By Douglas Bonderud 2 min read

The marks are in, and they’re not good: According to Naked Security, a new app study by the Global Privacy Enforcement Network (GPEN) found that just 15 percent of all apps get a passing grade when it comes to data handling and privacy. Data from Gartner, meanwhile, predicts that over 75 percent of mobile applications will fail basic business-level security tests through 2015. So how do companies make sure their apps aren’t flunking out?

New App Study: D- For Privacy

The GPEN study looked at over 1,200 apps and found more than a few problems. First, 85 percent of those tested didn’t provide “clear information on how the app gathers, uses and shares private data on the user, to the extent that the user could feel confident in their understanding of how it works.”

What’s more, 30 percent of apps didn’t provide any kind of privacy warning or information, and more than three-quarters asked for at least one permission, such as device location or identification data.

A full 10 percent wanted access to the device’s camera, and almost as many tried to gain access to contact lists. Part of the problem is user expectation. “Free” apps come complete with the idea that they’ll try to access some private information or make money through in-app advertising. As regulations for the paid-for app market increase, more free applications arrive to fill the gaps, making it harder for companies to separate “functional” from “fraudulent.”

More Work Needed

According to Gartner, 90 percent of enterprises already use third-party commercial applications for their mobile bring-your-own-device (BYOD) strategy, and “app stores are filled with applications that mostly prove their advertised usefulness.” The problem? Three-quarters of these apps also fail basic security tests, leading to the prediction that, by 2017, the bulk of endpoint breaches will target smartphones and tablets.

Consider the recent Android Browser app breach, as reported by IGN. A flaw allowed the injection of malignant JavaScript code into the browser itself, letting hackers steal passwords and other information — and this is just the beginning.

To combat these types of mobile app issues, Gartner says more work is needed in areas such as static and dynamic application security testing as well as behavioral analysis tools that look for suspicious background actions when apps are running. For example, tests might monitor a file-sharing application that is trying to access device identification data and send it to an unknown IP address.

A Better Report Card

So how can apps score higher on privacy and security report cards? In large part, change must come from companies and users. As it stands, free apps multiply at a ferocious rate because they are consumed just as quickly. In many cases, employees are willing to risk “slight” privacy violations in exchange for ease of use.

Companies are encouraged to have a zero-tolerance policy when it comes to both free and paid apps. Unless permissions directly relate to an app’s function, they must be rejected. Opting for paid apps can help minimize risk, but only if businesses commit to vetting and scanning these apps just as rigorously as if they were created in-house. Simply put, anything that looks like a security issue is a security issue and must be treated as such.

Gartner’s data and the new app study make it clear that applications get a failing grade when it comes to user privacy and security. It’s a massive market, however, which means that any real change must come from within as users work to not let security failures impact performance by association.

More from

CVE-2023-20078 technical analysis: Identifying and triggering a command injection vulnerability in Cisco IP phones

7 min read - CVE-2023-20078 catalogs an unauthenticated command injection vulnerability in the web-based management interface of Cisco 6800, 7800, and 8800 Series IP Phones with Multiplatform Firmware installed; however, limited technical analysis is publicly available. This article presents my findings while researching this vulnerability. In the end, the reader should be equipped with the information necessary to understand and trigger this vulnerability.Vulnerability detailsThe following Cisco Security Advisory (Cisco IP Phone 6800, 7800, and 8800 Series Web UI Vulnerabilities - Cisco) details CVE-2023-20078 and…

X-Force data reveals top spam trends, campaigns and senior superlatives in 2023

10 min read - The 2024 IBM X-Force Threat Intelligence Index revealed attackers continued to pivot to evade detection to deliver their malware in 2023. The good news? Security improvements, such as Microsoft blocking macro execution by default starting in 2022 and OneNote embedded files with potentially dangerous extensions by mid-2023, have changed the threat landscape for the better. Improved endpoint detection also likely forced attackers to shift away from other techniques prominent in 2022, such as using disk image files (e.g. ISO) and…

The compelling need for cloud-native data protection

4 min read - Cloud environments were frequent targets for cyber attackers in 2023. Eighty-two percent of breaches that involved data stored in the cloud were in public, private or multi-cloud environments. Attackers gained the most access to multi-cloud environments, with 39% of breaches spanning multi-cloud environments because of the more complicated security issues. The cost of these cloud breaches totaled $4.75 million, higher than the average cost of $4.45 million for all data breaches.The reason for this high cost is not only the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today