HP report finds serious security issues with custom mobile apps

Mobile devices have transformed the way people work—empowering them to be productive any time and from virtually anywhere. Many enterprises have created custom apps to embrace the mobile trend, but the results of a new study from HP indicate that most of these custom apps are a security incident waiting to happen.

HP analyzed more than 2,100 mobile apps published by companies listed on the Forbes Global 2000 to compile the HP Mobile Application Security Vulnerability Report – November 2013. The research spanned 601 companies located across 50 different countries, and representing 76 separate industries. In a nutshell, the study is a fairly comprehensive cross-section of enterprise mobile apps in circulation.

What HP found is a bit scary. Almost every single one of the enterprise apps HP looked at—97 percent—contained privacy flaws. For example, HP discovered banking apps that integrate with social networks, chat apps that send logs off to third parties for analysis of purchasing trends, and a number of applications that track your location.

Many apps request access to data they don’t really need. In some cases, the request is a surreptitious attempt to siphon information, but very frequently it’s just lazy coding. Developers create apps that request access to everything because it’s easier than writing code limited to what the app really needs, and it leaves options open in case they choose to expand the functionality at a later point in time. Regardless of the reason, apps that request access to personal data are a potential privacy concern.

HP found that 86 percent of the apps it analyzed do not implement even basic security protections to defend them against common exploits or malware attacks. Three out of four of the apps HP looked at fail to use proper encryption techniques, leaving data exposed to potential compromise.

Many of these apps are actually commissioned by the enterprise and developed by independent third-party contractors. The enterprise itself only cares if the apps have the requested features and functionality, and may not even be aware of the security or privacy issues. That is the problem.

I spoke with Mike Armistead, vice president and general manager, Enterprise Security Products, Fortify, HP, about the findings in this report. Armistead explained that HP expected to uncover issues, but that the scope and extent of the security and privacy concerns they found was shocking.

Security needs to be part of the coding process—baked in at the core of the app. Tacking on security controls after the fact, or trying to mitigate risk with layers of defense like firewalls, is better than nothing, but it is not a truly adequate solution. Some security concerns can be minimized through MDM (mobile device management) or MAM (mobile application management) platforms, but inevitably there will still be holes—sometimes in the MDM or MAM tool itself.

These issues are not new or unique to mobile apps. Enterprises have always struggled with security—whether for custom software, custom Web applications, or custom mobile apps. The pressure to develop apps quickly and cheaply leads to corners being cut. Unfortunately, security is generally the first corner to go.

There are two things enterprise admins need to do to fix this situation. The first is to analyze the mobile apps that have already been created—just as HP has. Identify the security and privacy concerns, and find ways to fix them permanently, or at least to mitigate the risk.

The second—and more important—step is to improve the development process for future mobile apps. Make sure that security is factored in from the beginning, and test and analyze the app as it is being developed so that any issues can be discovered and corrected before the app is deployed to the users.