IBM Security and the Ponemon Institute conducted research recently, unveiling an alarming state of mobile insecurity. The findings show nearly 40% of large companies, including many in the Fortune 500, aren’t taking the right precautions to secure the mobile apps they build for customers. The study also found organizations are poorly protecting their corporate and BYOD mobile devices against cyber-attacks – opening the door for hackers to easily access user, corporate and customer data.
The number of mobile cyber-security attacks is continuing to grow. At any given time, malicious code is infecting more than 11.6 million mobile devices. The Ponemon Institute and IBM Security study, which researched security practices in over 400 large organizations, found that the average company tests less than half of the mobile apps it builds. Also, 33% of companies never test their apps – creating a plethora of entry points to tap into business data via unsecured devices.
According to Caleb Barlow, Vice President of Mobile Management and Security at IBM:
Building security into mobile apps is not top of mind for companies, giving hackers the opportunity to easily reverse engineer apps, jailbreak mobile devices and tap into confidential data. Industries need to think about security at the same level on which highly efficient, collaborative cyber criminals are planning attacks. Hackers are now taking advantage of the popularity of insecure mobile apps.
The Ponemon Institute Unveils an Alarming State of Mobile Insecurity
During the creation of mobile apps, end user convenience is trumping end user security and privacy. According to the study, 65% of organizations state the security of their apps is often put at risk because of customer demand or need, and 77% cite “rush to release” pressures as a primary reason why mobile apps contain vulnerable code.
As BYOD Rises, Mobile Risks Increase
BYOD has become increasingly popular, if not a necessity, for organizations. The challenge arises when employees connect to unsecured networks or download insecure apps from untrusted sources, which leaves the device vulnerable to malware.
According to the Ponemon study, though most employees are “heavy users of apps,” over half (55%) state their organization does not have a policy which defines the acceptable use of mobile apps in the workplace, and a large majority – 67% – of companies allow employees to download non-vetted apps to their work devices. Additionally, 55% of organizations say employees are permitted to use and download business apps on their personal devices (BYOD).
As I’ve reported previously, the vast majority of apps use a WebView to display web pages so end-users don’t need to leave the app in order to open those pages in the native browser. The WebView is about as insecure as it gets, exposing end-users to phishing attacks that lead to the installation of malicious apps in the background, and from there to the spread of malware, spyware and ransomware.
Here’s a post I wrote entitled “How WebView has weakened the TCB of the Web infrastructure”. It explains in great detail how easy it is to hack apps with a WebView using a few lines of code.
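To make the defensive side of that point concrete, here is an added example (not code from the original post or from MetaCert) of an Android WebView locked down so it only renders HTTPS pages from an allowlisted host and refuses to follow off-allowlist navigations such as a phishing redirect; the host names in ALLOWED_HOSTS are placeholders.

```java
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public final class HardenedWebView {
    // Placeholder allowlist: the only hosts this WebView is permitted to render.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("example.com", "www.example.com"));

    /** True only for an https URL whose host is exactly on the allowlist. */
    static boolean isAllowed(Uri uri) {
        if (uri == null || !"https".equals(uri.getScheme())) return false;
        String host = uri.getHost();
        return host != null && ALLOWED_HOSTS.contains(host.toLowerCase());
    }

    /** Apply restrictive settings and an allowlisting client, then load the start page. */
    static void harden(WebView webView, String startUrl) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(false);   // leave off unless the page genuinely needs it
        s.setAllowFileAccess(false);     // no file:// reads from the app sandbox
        s.setAllowContentAccess(false);  // no content:// provider reads
        s.setSafeBrowsingEnabled(true);  // API 26+: block known phishing/malware URLs

        webView.setWebViewClient(new WebViewClient() {
            @Override  // API 24+ signature
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true tells the WebView the app "handled" the navigation;
                // since we do nothing with it, an off-allowlist URL is simply dropped.
                return !isAllowed(request.getUrl());
            }
        });

        // The client only filters navigations, so check the initial URL too.
        if (isAllowed(Uri.parse(startUrl))) {
            webView.loadUrl(startUrl);
        }
    }
}
```

shouldOverrideUrlLoading only sees top-level navigations, so subresource loads (scripts, images, iframes) need a separate check in shouldInterceptRequest if they must be restricted as well.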
At MetaCert we make it very easy for developers to add a layer of security to apps. It needs to be easy and low-cost or developers won’t do it.