CyberEye

Security gets short shrift in mobile apps

 

A recent survey of app users has troubling implications for mobile devices in the workplace: Developers and users are paying little attention to the security of the applications that populate so many privately owned devices.

It isn’t that users are not picky and demanding. They are. According to the study conducted for Apigee, an Application Programming Interface platform vendor, 96 percent of users surveyed said they would write a bad review for a poorly performing app, and almost half were willing to delete it if it failed to perform as expected. Thirty-eight percent said they would delete an app that froze up for more than 30 seconds, and 18 percent would give it just five seconds before deleting.

However, no respondents said they cared about what services or processes an application accessed or whether it contained vulnerabilities.

As with many company-sponsored studies, you might want to take the specific numbers in this one with a grain of salt. It was based on just 502 respondents. But the problem is real, says Ed Anuff, Apigee VP of developer platform.

It is the result of an “unrestrained need to extend your user base through whatever mechanism you have available,” which puts a premium on interfaces and image quality rather than security, he said. This focus on customers has made the uploading of contact lists a common feature in many apps, he explained.

Anuff hesitates to characterize this as malicious. It’s a gray area, he said, and it does threaten to open a Pandora’s Box. But, he added, “This is an industry that is still in its infancy and is growing up.”

The user base apparently is not any more mature. “One of the lessons learned in the industry is that a lot of consumers are willing to pay for free applications with their confidential information,” Anuff said. “They continually vote with their wallets for the free app.”

The result is a proliferation of applications for mobile devices that have not been vetted for security, and if not outright malicious might well be buggy. The issue is not being ignored. The National Institute of Standards and Technology has revised its guidance for securely managing mobile devices, but effective management is complicated by the lack of hardware-based protections in the devices because of size and power restrictions. So NIST is developing guidelines for building a more secure next generation of the devices.

In the meantime, in the absence of serious incentives for developers and users to clean up their acts (and apps), it is up to IT administrators to ensure that mobile devices used in the enterprise are secure, Anuff said.

“They are going to have to be agents of education and enforcement,” he said. “If it’s not them, it’s not going to be anyone else.”

Posted by William Jackson on Nov 09, 2012 at 9:39 AM


Reader Comments

Sat, Nov 10, 2012 Michael Tillman Dallas, Texas

Not to diminish the weight of these concerns (because they are very real and very dangerous), but I think if a concern is to be expressed, a positive counterpoint should also be made. And while the spread of mobile malware is getting out of hand (especially in the Android realm), proactive steps are being taken to stop this trend. And I think it will be contained before it gets out of hand. Just this week, Airpush - which is still the second biggest Android ad network in the world - partnered with Appthority specifically for this reason, to prevent the problems talked about above. So there's good news out there too :) http://www.dailydealmedia.com/789why-mobile-app-security-needs-to-be-a-higher-priority-for-mobile-ad-networks/
