The XcodeGhost vulnerability shows that security needs to be baked into the development of apps

Both organisations and employees want to do more of their work via mobile apps. It’s simply the direction the workforce is headed. The average employee has three different devices that he or she is working between; mobile apps make the working world a more convenient, productive and responsive place.

While organisations are quick to take advantage of the positive aspects of mobile, they’re struggling to keep up with the amount of app development and app expertise that’s needed to power an app workforce.

Gartner says that the demand for enterprise mobile apps will outstrip available development capacity five to one. The result? Enterprises either aren’t properly equipped to develop the apps they’re releasing, or they become heavily dependent on hiring outside resources to build and update these apps, or employees choose their own apps.

This environment is troubling for a few reasons. First, app developers in general, not just enterprise app developers, don’t prioritise security as they’re building apps. While apps are rapidly developed and deployed for productivity, they often leave behind holes that can be exploited.

We’ve seen this in the consumer world, and we see it in the enterprise as well. Second, the problem isn’t just that these apps are weak on security; it’s also that organisations are welcoming apps through the front door without adequate endpoint protection in place.

How your app developers value security

In March, Ponemon Institute and IBM released a study that examines how 400 large organisations develop mobile apps, and how secure they are. According to the report, 73% of respondents say they lack training or understanding of secure coding practices with mobile apps. Meanwhile, the 'rush to release' is felt by 77% of respondents.

When asked what was most important in app development, IT professionals reported user experience to be the top priority (44%), followed by ease of development (24%), performance (15%) and security (11%), trailed only by scalability (6%).

It sets a bad precedent when security is not prioritised or baked into the design and development of apps.

Take the recently revealed XcodeGhost mobile threat. Developers unwittingly added malicious code to their applications after using a repackaged version of Apple’s development environment Xcode.

The creators of this malicious version of Xcode distributed it through Chinese forums where downloading would be much faster than if developers were to download the legitimate tool from Apple’s website. Putting convenience over security, the developers wound up downloading the malicious tool and creating a big security headache for themselves and others.

Following the money: where’s the security?

At the highest level, businesses prioritise app development over app security from a resourcing and investment perspective.

Enterprises spend an average of £22 million on mobile app development per year, yet a meagre six percent of this, or £1.3 million, is earmarked for security purposes according to Ponemon for IDG.

Perhaps even more concerning, the study found that 50% of companies devote none of their mobile app development budget to security, while 40% said they weren't scanning their mobile apps for vulnerabilities.

This tells you that it’s not just security at the app development stage that’s de-prioritised; we also see a lack of investment in endpoint security for mobile apps. Businesses have started to enforce BYOD and mobile device management (MDM) policies that help prevent insecure apps being downloaded from untrusted sources or block connections to unsecured networks.

But at the heart of it, these solutions don't tell you if an app is malicious. Whether you've sideloaded an app or downloaded one from the app store, in this environment where apps aren’t developed with security as a priority, you need mobile threat protection to highlight what is risky and malicious.

App-centric workforce demands better security

Is there sufficient security baked into today’s app-centric workplace? No. Does this bring risk to the enterprise? Yes.

Mobile security firm Lookout recently ran a survey with IDG, connecting with 100 IT leaders from global organisations, and found that a staggering 74% of respondents had already experienced a breach via mobile. Of those respondents, 38% reported that the breach was caused by apps with security vulnerabilities and 32% due to apps with malware.

Mobile threats and malware can enter an organisation in a variety of ways, whether or not a workforce app is developed with security best practices. But in this environment, where we know that the rush to release apps introduces increased risk, what should organisations be doing?

Enterprises must have visibility of devices connecting to their network and visibility of all installed apps in order to spot malicious capabilities or vulnerabilities tied to those mobile devices. This doesn’t mean using MDM solutions in isolation, but also having a security layer complementing that.

But it's not all doom and gloom here. We are seeing that organisations are starting to take action. The IT leaders surveyed in the IDG report recognise the risks and are making it a priority to invest in security solutions that protect mobile devices and in turn, the data they access and store via mobile apps.

They recognise that data shifting to mobile and mobile apps puts them at greater risk and are therefore prioritising mobile security investments.

We need parity between development and deployment on the one hand and security on the other. Hopefully this is the beginning of that equilibrium.

Sourced from Gert-Jan Schenk, Vice President EMEA, Lookout

Ben Rossi
