In 2014, mobile app security will be hard to pin down, because the rush to ship new mobile apps will drive rapid development and release cycles. Expect to see security problems as developers yield to the temptation to focus on features and neglect security, said Andrew Kellett, principal analyst, Ovum Research. Another research firm, Gartner Inc., predicts that two-thirds of mobile applications will fail basic security tests between now and 2015.
Keeping mobile apps and the data they hold secure will require ongoing security work during development, as well as constant attention to software technology and mobile device trends. In particular, watch trends in user authentication (biometrics, voice and fingerprint access) and in usage patterns, said Kellett. In this article, he and mobile security experts Domingo Guerra and John Overbaugh examine the mobile app trends and usage that spell trouble.
Developers who rely on third parties to manage login credentials should pay special attention to large-scale credential breaches and to mobile app trends, some industry insiders say. Hackers who obtain login credentials for websites like Facebook and Twitter can potentially gain access to users' applications that accept those logins, according to Guerra, president and co-founder of Appthority, a company specializing in application risk management.
"Because of the growth in social media SSO [single sign-on] in the app ecosystem, an estimated 60% or more of the top apps leverage social media SSO and let their users log into the app with other accounts such as Facebook and Twitter," Guerra said. "Most of the use of social networking SSO is actually to facilitate social interaction, but by having the user log into an app with a Facebook account, the developer also gains instant access to some of the user's Facebook information."
Mitigating mobile security risks
Secure coding techniques have emerged over the years, Kellett noted, that have been effective and need to be applied to the mobile environment. "Quite a lot of folks are still at the stage where they are developing apps from the home office or the garage environment," he said. "There isn't anyone looking over their shoulder to make sure their techniques are up to standard and appropriate."
Reducing security risks in the development phase boils down to education and applying basic security controls, bringing in qualified help and using a qualified penetration tester, according to Overbaugh, managing director, Caliber Security Partners. "It is almost as easy to write secure code as it is to write insecure code -- you just need some education," he said.
Such measures cannot eliminate every chance of a security breach, but they make it harder for unauthorized parties to wreak havoc on an application. "Right now there are so many mobile applications out there with gaping holes that if people try to find the top five or 10 mobile security weaknesses and don't find them in your application, they are very likely to move on unless you are a target of choice, rather than a target of opportunity," Overbaugh said.
Although somewhat annoying for consumers, having authorization tokens expire more frequently (that is, giving them shorter lifetimes) can also reduce the damage done when a token is stolen, because the attacker's window of use is limited, according to Guerra. Another helpful, yet often overlooked, step developers can take is to use HTTPS for all of the app's traffic. "Developers should always encrypt traffic, especially when transmitting auth-tokens and user credentials," he said.
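The two practices above, short token lifetimes and a refusal to send tokens over plaintext HTTP, can be made concrete in the backend that issues the tokens and in the client that uses them. The following is an added example written for this article, not code from the original page or from any of the quoted companies; the HMAC-signed token format, the 15-minute lifetime, the `api.example.com` host and the injected `http_post` callable are all assumptions chosen for illustration. A production system would normally use an established token library and bind tokens to a refresh flow, but the expiry check, the constant-time signature comparison and the transport check are the parts that matter here.

```python
"""Short-lived, HMAC-signed bearer tokens plus an HTTPS-only transport check.

Added example for this article (not the original page's code). The secret,
user ids, host name and http_post callable below are placeholders.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Optional
from urllib.parse import urlsplit

# Assumed lifetime: a stolen token is useful for minutes, not months.
TOKEN_TTL_SECONDS = 15 * 60


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, user_id: str, now: Optional[float] = None,
                ttl: int = TOKEN_TTL_SECONDS) -> str:
    """Issue a token for user_id that expires ttl seconds after now."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "iat": int(now), "exp": int(now) + ttl}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_token(secret: bytes, token: str, now: Optional[float] = None) -> str:
    """Return the user id if the token is authentic and unexpired.

    Raises ValueError for a malformed, forged or expired token, so callers
    cannot accidentally treat a bad token as a valid session.
    """
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, TypeError):  # wrong shape or undecodable base64
        raise ValueError("malformed token")
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(payload)
    if now >= claims["exp"]:  # expiry is enforced server-side, never trusted from the client
        raise ValueError("token expired")
    return claims["sub"]


def transport_allowed(url: str) -> bool:
    """Credentials and tokens may only travel over HTTPS."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


def send_with_token(url: str, token: str, http_post: Callable) -> object:
    """Client-side guard: refuse to attach a bearer token to a non-HTTPS request."""
    if not transport_allowed(url):
        raise ValueError(f"refusing to send auth token over {url!r}: HTTPS required")
    return http_post(url, headers={"Authorization": f"Bearer {token}"})


if __name__ == "__main__":
    secret = b"placeholder-server-secret"          # assumption: real key comes from a KMS
    tok = issue_token(secret, "alice", now=1_000_000)
    print("valid now:", verify_token(secret, tok, now=1_000_000 + 60))
    try:
        verify_token(secret, tok, now=1_000_000 + TOKEN_TTL_SECONDS)
    except ValueError as err:
        print("after TTL:", err)
    fake_post = lambda url, headers: (url, headers)   # stand-in for a real HTTP client
    print(send_with_token("https://api.example.com/me", tok, fake_post)[0])
    try:
        send_with_token("http://api.example.com/me", tok, fake_post)
    except ValueError as err:
        print("plaintext:", err)
```

The transport check belongs on the client as well as the server: an HTTPS-only server still leaks a token if a misconfigured or downgraded client posts it to an `http://` URL first, and on the server side the expiry is compared against the server's own clock, never against anything the client supplies.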
Security and mobile app trends
Rapid application version changes will cause problems if they are not managed well, according to Kellett. Sound version control, for example, also protects customers from fake apps: a developer who can account for every released build can show which versions are genuine. "It's important to be able to prove that there are real versions in the app store and indeed the version the developer made hasn't been tampered with between leaving them and being received and accepted," he said.
The bottom line is that mobile app security is something developers need to act upon now. "It doesn't matter what hackers are trying to do -- if you can lock down your app they can try everything under the sun," Overbaugh said. "It's a cat-and-mouse game right now. The developers, especially for the mobile platform, are woefully behind and not paying any attention to catching up."
About the author:
Maxine Giza is the associate site editor for SearchSOA.com.
This was first published in December 2013