Security Lax Among Mobile Applications From Forbes Global 2000, Survey Finds

A new study from Hewlett-Packard (HP) suggests mobile app developers are leaving security in the dust during the development process.


In an analysis of more than 2,100 mobile applications from more than 600 companies within the Forbes Global 2000, HP found that while 97 percent accessed at least one private information source on the device, such as a personal address book or social media page, 86 percent did not have adequate security measures in place to protect them from exploits such as cross-site scripting and the misuse of unencrypted data.

In addition, 18 percent of applications tested sent user names and passwords over HTTP. Of the remaining 82 percent, 18 percent incorrectly implemented SSL/HTTPS. Seventy-five percent of the apps did not use proper encryption techniques when storing data on mobile devices. This failure to properly use encryption is one of the most serious types of vulnerabilities present in mobile applications, said Daniel Miessler, principal security architect for HP Fortify.

“As with most security issues, developers usually fail to encrypt their data on the file system or across the network because it’s simply more difficult to do so,” said Miessler.


Beyond the issue of encryption, many developers are not using binary hardening techniques to protect their work. According to HP, 86 percent of applications tested lacked binary hardening and were left open to information disclosure, buffer overflows, poor performance and other issues.

“Security takes a back seat because functionality is king and being fast to market is key,” he added. “Features and functionality are what sell the software for these various companies, and therefore this is where the focus is placed. The solution for achieving better security is to simultaneously educate developers in how to create secure code easily, to integrate security checks into the development lifecycle, and to make the development of applications more secure by default.”

In August, a survey by application security firm Security Innovation indicated a disconnect between app developers and executives in regard to their views on the maturity of their organization’s secure app development process. While 75 percent of executives agree that defined secure architecture standards exist in their organization, only 23 percent of technicians and 35 percent of staffers thought so. In addition, 43 percent of the respondents said their organization had a defined software development process in place. Of these, only 69 percent adhere to the defined process, while 21 percent said their organization doesn’t and 10 percent were unsure.

“While mobile devices are becoming more and more critical to conducting business, they are also becoming prime targets for attack, with vulnerable applications providing access to sensitive data,” Mike Armistead, vice president and general manager for Enterprise Security Products for HP Fortify, said in a statement. “Mobile applications now are the first line of defense against the adversary and organizations must be equipped to assess, assure and protect these applications to prevent damage from exploits.”

Written By

Marketing professional with a background in journalism and a focus on IT security.
