They are the best of apps, yet they are the worst of apps at the same time.
Mobile applications have unlocked a world of almost magical convenience, communication and creativity.
With a few swipes or taps on your smartphone you can buy food, clothes or just about any other product, pay your bills, chat with your friends, watch your far-away nieces, nephews or grandkids grow, monitor your exercise goals, take video and stills of your vacation, listen to your favorite podcasts or music and more. Ever so much more. You can even turn your smartphone into a flashlight or use it to tune your guitar.
But then, mobile applications can also unlock your personal, medical and financial information to hackers. They can make it possible for criminals to drain your bank account, eliminate your privacy—pretty much ruin your life.
And that is all, or at least mostly, because the large majority of mobile application developers spend their time and money hoping to dazzle their customers with bells and whistles, and not on protecting those customers. Their apps are feature rich and security poor.
It is no surprise that yet another research report from Positive Technologies, finds that they are a high-risk convenience where it studied 17 mobile apps and reported finding high-risk vulnerabilities in 43% of the Android apps and 38% of those for iOS.
Noted by Naked Security blog , “The news won’t come as much of a shock to anyone who has read GPEN’s 2014 study of app privacy failings; IOActive’s 2013 study of banking app security, nor its follow up in 2015 nor its investigation of stock trading app security in 2017; nor Arxan’s 2019 look at banking and finance app security.”
Why are mobile applications so insecure?
All of which raises the usual, fundamental questions: Why is insecurity so rampant on apps that are carried on billions of mobile devices? And what can be done about it?
Amit Sethi, senior principal consultant of Synopsys, noted that it is not just mobile applications that are riddled with vulnerabilities. “Most developers tend to focus on features, performance, usability, etc. because the requirements they are implementing tend to focus on those areas,” he said. “Also, there is always a rush to get features implemented, and security is often neglected.”
Phillip Dunkelberger, president and CEO of Nok Nok Labs and a founding member of the FIDO (Fast IDentity Online) Alliance, put the question to members of his team. “App developers often focus on the features that are most ‘relevant’ from a business perspective. Competing against convenience, usability and more, security sometimes does not make the top of the list,” responded by Phillip’s colleague.
Perverse incentives
Even with breaches and privacy violations in the headlines daily, the market incentives are still to get a feature-rich app into production as quickly as possible. If mobile application security is a casualty of that, the priority is not letting a competitor get to the market first.
The irony is that, good security doesn’t slow development down. It can actually speed it up.
It can look both time-consuming and expensive. Sethi notes that creating secure apps “requires performing different activities during different phases of the software development life cycle (SDLC), such as threat modeling, static analysis, dynamic analysis, etc.”
To that, developers should add software composition analysis (SCA), which helps developers find and fix any vulnerabilities or license problems with open source software components.
