A new study from Hewlett-Packard (HP) suggests mobile app developers are leaving security in the dust during the development process.
In an analysis of more than 2,100 mobile applications from more than 600 companies within the Forbes Global 2000, HP found that while 97 percent accessed at least one private information source on the device, such as a personal address book or social media page, 86 percent did not have adequate security measures in place to protect them from exploits such as cross-site scripting and the misuse of unencrypted data.
In addition, 18 percent of applications tested sent user names and passwords over HTTP. Of the remaining 82 percent, 18 percent incorrectly implemented SSL/HTTPS. Seventy-five percent of the apps did not use proper encryption techniques when storing data on mobile devices. This failure to properly use encryption is one of the most serious types of vulnerabilities present in mobile applications, said Daniel Miessler, principal security architect for HP Fortify.
“As with most security issues, developers usually fail to encrypt their data on the file system or across the network because it’s simply more difficult to do so,” said Miessler.
Beyond the issue of encryption, many developers are not using binary hardening techniques to protect their work. According to HP, 86 percent of applications tested lacked binary hardening and were left open to information disclosure, buffer overflows, poor performance and other issues.
“Security takes a back seat because functionality is king and being fast to market is key,” he added. “Features and functionality are what sell the software for these various companies, and therefore this is where the focus is placed. The solution for achieving better security is to simultaneously educate developers in how to create secure code easily, to integrate security checks into the development lifecycle, and to make the development of applications more secure by default.”
In August, a survey by application security firm Security Innovation indicated a disconnect between app developers and executives in regard to their views on the maturity of their organization’s secure app development process. While 75 percent of executives agreed that defined secure architecture standards exist in their organization, only 23 percent of technicians and 35 percent of staffers thought so. In addition, 43 percent of the respondents said their organization had a defined software development process in place. Of these, only 69 percent adhered to the defined process, while 21 percent said their organization doesn’t and 10 percent were unsure.
“While mobile devices are becoming more and more critical to conducting business, they are also becoming prime targets for attack, with vulnerable applications providing access to sensitive data,” Mike Armistead, vice president and general manager for Enterprise Security Products for HP Fortify, said in a statement. “Mobile applications now are the first line of defense against the adversary and organizations must be equipped to assess, assure and protect these applications to prevent damage from exploits.”