Has the Mobile Security Industry Got It All Wrong?

Andrew Hoog | Security First, Blog

Let me ask you something: How many apps do you have on your phone right now? Not sure? That’s ok, most people don’t know. And, while you may not be positive what the exact number is, you probably won’t be surprised to learn that the majority of people have dozens if not hundreds of apps on their phone. Sure, maybe they don’t use all of them on a regular basis, but they certainly use some of them all the time.

The fact is that there are literally millions of apps to choose from. As of June, Apple’s App Store had 2 million of them alone, while Google Play had even more, with 2.2 million options for you to choose from. The question that you need to be thinking about, however, isn’t whether you’ve got all the latest apps. It’s whether or not all of the apps you’re using are actually secure. And, I hate to break it to you, but the truth is that they may not be.

I know because my company recently analyzed 400,000 different mobile apps. While that’s admittedly a relatively small percentage of the 4.2 million apps I noted above, it’s still a pretty large sample size overall from which to draw some conclusions.

What we found is that more than a quarter of the apps we analyzed had at least one high-risk security or privacy flaw. Translate that to your own device and it means that every fourth app on your phone or tablet could potentially be putting you at risk. Mobile security is a serious problem, and one that should be pretty unsettling to consumers and enterprises alike.

Want to hear another shocker? How about the fact that 35 percent of today’s devices are sending unencrypted data. How’s that for an eye-opener?

How’d We Wind up Here?

The mobile security industry is a huge, multi-billion-dollar business. The problem is that the industry has spent vast amounts of money applying the concepts that work for PCs to mobile devices. Unfortunately, that was a mistake. I mean the last time I checked, mobile devices were altogether different from PCs.

After all, mobile devices were architected for consumers from day one, they don't give the enterprise administrative rights, and they are built to roam across networks, so the perimeter firewall model that PC security leans on simply doesn't apply to them. Plus, thanks to the advent of app stores, the way you install software on a mobile device is completely different from how, until relatively recently, enterprises managed installations on PCs.

Suffice it to say that applying PC technology to mobile devices just doesn’t work.

Mobile Security Risks Abound

When it comes to mobile security, there are four different areas that drive risk: the operating system you’re using, how your device is configured, the network you’re using, and your apps.

Trust me, I could wax poetic about each of these areas. You know, like how people make the mistake of accessing the Internet over open or untrusted Wi-Fi networks, for example. Or how they don't bother to use strong passwords, or any passwords at all in many cases. And then there are the folks who don't bother to update their mobile operating system to the latest version. The reality is that it's the combination of these and other factors that puts people's personal data at risk when they use mobile devices.

For the purposes of this article, however, let me limit my focus to the single biggest attack surface on your mobile device: your apps.

The Problem with Apps and What it Means for Your Business

The thing about apps is that you don't always know who built them or where they might be sending your data. Plus, even if an app was built with the best of intentions, if you got it from a third-party store, it's always possible that it was repackaged with malware along the way.

And, while apps you get from Google or Apple are far less likely to be malicious, don't assume that means they can't potentially compromise your security. After all, those companies make money by selling you apps. That means that they want to make as many apps available to you as possible, and as such aren't particularly well incentivized to find any flaws that could be hiding in them.

If you’re an individual, you need to ensure your mobile security by taking care to only use apps that you trust and that you’ve downloaded from reputable providers. If you’re an enterprise, on the other hand, your responsibilities extend considerably further.

That's because if you're creating apps then you need to take extra care to ensure that they're secure. And if you're using apps, you need evidence that they've actually been tested for security flaws, not just a vendor's assurance. Get it wrong and your brand reputation could quickly be put at risk at great cost to your bottom line.

How Enterprises Can Get Apps Right

The biggest mistake that I see companies make when it comes to creating apps is that they wait until the very last minute — just before they're about to go live — to start testing them. Trust me, you've got to test your mobile apps early and often, and integrate security testing into your software development lifecycle.

Another thing that companies can do is embrace disclosure of their security flaws rather than shy away from it. Over the years we have found and disclosed hundreds of flaws, and the vast majority of companies either ignore us or become confrontational. The fact is that these flaws will eventually bite those companies in the rear end and they'd be wise to take action now.

The Bottom Line

Developers test continuously for quality and usability. It's time to apply that same approach to security testing. Automated testing on real devices is now possible, with near real-time results, which means you can test with every build cycle. So be proactive about designing out security issues before you have to fix them. (By the way, take a look at the OWASP Top Ten Project for a list of the top ten security flaws that developers can check for; OWASP also maintains a Mobile Top 10 that covers the risks specific to mobile apps, such as insecure communication and insecure data storage.)
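Here is what "test with every build cycle" can look like for the unencrypted-data flaw mentioned earlier. This is an added example, not NowSecure's tooling or code from the original post: a static check that reads an Android app's decoded AndroidManifest.xml, its network_security_config.xml and its string resources and reports where cleartext HTTP is still permitted. It assumes those files have already been extracted from the APK (for instance with apktool); the file contents embedded below are constructed for the example.

```python
"""Static check for cleartext (unencrypted HTTP) exposure in an Android app.

Added example, not NowSecure's tooling. It assumes the app's decoded
AndroidManifest.xml, res/xml/network_security_config.xml and string
resources have already been extracted (e.g. with apktool); the inputs
at the bottom are constructed for the example.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Android 9 (API 28) made "cleartext blocked" the platform default.
CLEARTEXT_BLOCKED_FROM_SDK = 28

HTTP_URL = re.compile(r"\bhttp://[A-Za-z0-9.-]+(?::\d+)?(?:/[^\s\"'<>]*)?")


def manifest_cleartext_default(manifest_xml):
    """Cleartext policy from the manifest alone: (allowed, reason)."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    flag = app.get(ANDROID_NS + "usesCleartextTraffic") if app is not None else None
    if flag is not None:
        return flag.lower() == "true", "android:usesCleartextTraffic=" + flag
    uses_sdk = root.find("uses-sdk")
    target = uses_sdk.get(ANDROID_NS + "targetSdkVersion") if uses_sdk is not None else None
    reason = "platform default for targetSdkVersion %s" % (target or "unset")
    if target is None or int(target) < CLEARTEXT_BLOCKED_FROM_SDK:
        return True, reason
    return False, reason


def network_security_config(nsc_xml, base_default):
    """Parse network_security_config.xml, which overrides the manifest flag.

    Returns (base_cleartext, cleartext_domains, user_certs_trusted).
    """
    root = ET.fromstring(nsc_xml)
    base = base_default
    base_cfg = root.find("base-config")
    if base_cfg is not None and base_cfg.get("cleartextTrafficPermitted") is not None:
        base = base_cfg.get("cleartextTrafficPermitted").lower() == "true"
    domains = []
    for dc in root.iter("domain-config"):  # iter() also reaches nested configs
        permitted = dc.get("cleartextTrafficPermitted")
        allowed = base if permitted is None else permitted.lower() == "true"
        if allowed:
            domains.extend(d.text.strip() for d in dc.findall("domain") if d.text)
    # Trusting user-installed CAs anywhere but <debug-overrides> lets any
    # certificate the user adds intercept the app's TLS traffic.
    user_certs = any(
        c.get("src") == "user"
        for section in root
        if section.tag != "debug-overrides"
        for c in section.iter("certificates")
    )
    return base, sorted(set(domains)), user_certs


def find_http_urls(text):
    """Hard-coded http:// URLs in string resources or code."""
    return sorted(set(HTTP_URL.findall(text)))


def assess(manifest_xml, nsc_xml=None, strings=""):
    """Combine the three sources into a list of findings (empty means clean)."""
    base, reason = manifest_cleartext_default(manifest_xml)
    domains, user_certs = [], False
    if nsc_xml:
        base, domains, user_certs = network_security_config(nsc_xml, base)
        reason = "network_security_config.xml"
    findings = []
    if base:
        findings.append("cleartext permitted for all hosts (%s)" % reason)
    findings.extend("cleartext permitted for %s" % d for d in domains)
    if user_certs:
        findings.append("user-installed CAs trusted in release config")
    findings.extend("hard-coded cleartext URL %s" % u for u in find_http_urls(strings))
    return findings


# Constructed input: an older app that never opted out of cleartext ...
LEGACY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.legacy">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="26"/>
  <application android:label="Legacy"/>
</manifest>"""

# ... and a current app that blocks cleartext globally but carves out one
# legacy host, which is exactly what a build-time check should surface.
CURRENT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.current">
  <uses-sdk android:minSdkVersion="24" android:targetSdkVersion="28"/>
  <application android:label="Current"
      android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>"""

CURRENT_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">legacy.example.com</domain>
  </domain-config>
  <debug-overrides>
    <trust-anchors><certificates src="user"/></trust-anchors>
  </debug-overrides>
</network-security-config>"""

CURRENT_STRINGS = """<resources>
  <string name="api_base">https://api.example.com/v1/</string>
  <string name="legacy_login">http://legacy.example.com/api/v1/login</string>
</resources>"""

if __name__ == "__main__":
    for name, args in (("legacy", (LEGACY_MANIFEST,)),
                       ("current", (CURRENT_MANIFEST, CURRENT_NSC, CURRENT_STRINGS))):
        print(name, assess(*args) or ["no cleartext findings"])
```

Wire `assess()` into the build so that a non-empty findings list fails the job; the point of checking the manifest, the network security config and the string resources together is that a team can set `cleartextTrafficPermitted="false"` in the base config and still ship a cleartext exception for a "temporary" legacy host, which is the kind of flaw that survives to release when testing only happens at the end.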

You can't prevent users from making bad decisions about the strength of their passwords or using open public Wi-Fi networks. But enterprises and users can score device risk according to system configuration and update status, networks, and the apps they have installed. In fact, the NowSecure Protect app provides instant scoring for risk, which you can download from either the Google Play Store or the iTunes App Store. Checking it out could save you a lot of headaches down the road in terms of your mobile security.