CyberEye

Security gets short shrift in mobile apps

A recent survey of app users has troubling implications for mobile devices in the workplace: Developers and users are paying little attention to the security of the applications that populate so many privately owned devices.

It isn’t that users are not picky and demanding. They are. According to the study conducted for Apigee, an Application Programming Interface platform vendor, 96 percent of users surveyed said they would write a bad review for a poorly performing app, and almost half were willing to delete it if it failed to perform as expected. Thirty-eight percent said they would delete an app that froze up for more than 30 seconds, and 18 percent would give it just five seconds before deleting.

However, no respondents said they cared about what services or processes an application accessed or whether it contained vulnerabilities.

As with many company-sponsored studies, you might want to take the specific numbers in this one with a grain of salt. It was based on just 502 respondents. But the problem is real, says Ed Anuff, Apigee VP of developer platform.

It is the result of an “unrestrained need to extend your user base through whatever mechanism you have available,” which puts a premium on interfaces and image quality rather than security, he said. This focus on customers has made the uploading of contact lists a common feature in many apps, he explained.

Anuff hesitates to characterize this as malicious. It’s a gray area, he said, and it does threaten to open a Pandora’s Box. But, he added, “This is an industry that is still in its infancy and is growing up.”

The user base apparently is not any more mature. “One of the lessons learned in the industry is that a lot of consumers are willing to pay for free applications with their confidential information,” Anuff said. “They continually vote with their wallets for the free app.”

The result is a proliferation of applications for mobile devices that have not been vetted for security and that, if not outright malicious, might well be buggy. The issue is not being ignored. The National Institute of Standards and Technology has revised its guidance for securely managing mobile devices, but effective management is complicated by the lack of hardware-based protections in the devices, a consequence of their size and power restrictions. So NIST is developing guidelines for building a more secure next generation of the devices.

In the meantime, in the absence of serious incentives for developers and users to clean up their acts (and apps), it is up to IT administrators to ensure that mobile devices used in the enterprise are secure, Anuff said.

“They are going to have to be agents of education and enforcement,” he said. “If it’s not them, it’s not going to be anyone else.”

Posted by William Jackson on Nov 09, 2012 at 9:39 AM
