A lack of attention from developers and users to the security of mobile applications has troubling implications for those who would bring mobile devices into the workplace.
A recent survey of app users has troubling implications for mobile devices in the workplace: Developers and users are paying little attention to the security of the applications that populate so many privately owned devices.
It isn’t that users are not picky and demanding. They are. According to the study conducted for Apigee, an Application Programming Interface platform vendor, 96 percent of users surveyed said they would write a bad review for a poorly performing app, and almost half were willing to delete it if it failed to perform as expected. Thirty-eight percent said they would delete an app that froze up for more than 30 seconds, and 18 percent would give it just five seconds before deleting.
However, no respondents said they cared about what services or processes an application accessed or whether it contained vulnerabilities.
As with many company-sponsored studies, you might want to take the specific numbers in this one with a grain of salt. It was based on just 502 respondents. But the problem is real, says Ed Anuff, Apigee VP of developer platform.
It is the result of an “unrestrained need to extend your user base through whatever mechanism you have available,” which puts a premium on interfaces and image quality rather than security, he said. This focus on customers has made the uploading of contact lists a common feature in many apps, he explained.
Anuff hesitates to characterize this as malicious. It’s a gray area, he said, and it does threaten to open a Pandora’s Box. But, he added, “This is an industry that is still in its infancy and is growing up.”
The user base apparently is not any more mature. “One of the lessons learned in the industry is that a lot of consumers are willing to pay for free applications with their confidential information,” Anuff said. “They continually vote with their wallets for the free app.”
The result is a proliferation of applications for mobile devices that have not been vetted for security, and if not outright malicious might well be buggy. The issue is not being ignored. The National Institute of Standards and Technology has revised its guidance for securely managing mobile devices, but effective management is complicated by the lack of hardware-based protections in the devices because of size and power restrictions. So NIST is developing guidelines for building a more secure next generation of the devices.
In the meantime, in the absence of serious incentives for developers and users to clean up their acts (and apps), it is up to IT administrators to ensure that mobile devices used in the enterprise are secure, Anuff said.
“They are going to have to be agents of education and enforcement,” he said. “If it’s not them, it’s not going to be anyone else.”