By Patrick Marshall


Security gets short shrift in mobile apps


A recent survey of app users has troubling implications for mobile devices in the workplace: Developers and users are paying little attention to the security of the applications that populate so many privately owned devices.

It isn’t that users are not picky and demanding. They are. According to the study conducted for Apigee, an Application Programming Interface platform vendor, 96 percent of users surveyed said they would write a bad review for a poorly performing app, and almost half were willing to delete it if it failed to perform as expected. Thirty-eight percent said they would delete an app that froze up for more than 30 seconds, and 18 percent would give it just five seconds before deleting.

However, no respondents said they cared about what services or processes an application accessed or whether it contained vulnerabilities.

As with many company-sponsored studies, you might want to take the specific numbers in this one with a grain of salt. It was based on just 502 respondents. But the problem is real, says Ed Anuff, Apigee VP of developer platform.

It is the result of an “unrestrained need to extend your user base through whatever mechanism you have available,” which puts a premium on interfaces and image quality rather than security, he said. This focus on customers has made the uploading of contact lists a common feature in many apps, he explained.

Anuff hesitates to characterize this as malicious. It’s a gray area, he said, and it does threaten to open a Pandora’s Box. But, he added, “This is an industry that is still in its infancy and is growing up.”

The user base apparently is not any more mature. “One of the lessons learned in the industry is that a lot of consumers are willing to pay for free applications with their confidential information,” Anuff said. “They continually vote with their wallets for the free app.”

The result is a proliferation of applications for mobile devices that have not been vetted for security and that, if not outright malicious, might well be buggy. The issue is not being ignored. The National Institute of Standards and Technology has revised its guidance for securely managing mobile devices, but effective management is complicated by the lack of hardware-based protections in the devices because of size and power restrictions. So NIST is developing guidelines for building a more secure next generation of the devices.

In the meantime, in the absence of serious incentives for developers and users to clean up their acts (and apps), it is up to IT administrators to ensure that mobile devices used in the enterprise are secure, Anuff said.

“They are going to have to be agents of education and enforcement,” he said. “If it’s not them, it’s not going to be anyone else.”

Posted by William Jackson on Nov 09, 2012 at 9:39 AM