Forty-five percent of chief information officers (CIOs), technology executives, and IT employees view mobile devices as a weak spot in their cybersecurity defenses. That is according to “Your Biggest Cybersecurity Weakness Is Your Phone,” a piece published last week in Harvard Business Review. The essay lays out some best practices for securing mobile devices within the enterprise, whether they’re corporate-owned, personally enabled (COPE) devices or employee-owned devices falling under the bring-your-own-device (BYOD) category. The problem is, the article ignores a key battlefront in the war on mobile risk – leaky mobile apps.
What is a leaky mobile app?
A leaky mobile app is an otherwise legitimate app, available on an internal or external app store and not developed for malicious purposes (i.e., it is not malware), that insecurely handles personal or corporate data and/or contains a security flaw that can result in the loss or theft of that data. In our research, we find that at least 25 percent of publicly available apps include at least one high-risk security flaw.
Unfortunately, not enough companies communicate secure mobile development best practices to their mobile app development teams or train them how to develop secure mobile apps that avoid storing and transmitting sensitive data. This lack of education and training – along with a failure to perform mobile app security testing of mobile apps before they’re released to the public or staff – leads to the deployment, download and use of mobile apps that put users, employees, and the enterprise at risk.
The effects of leaky mobile apps
If the problem isn’t already self-evident, two statistics make it concrete: the average number of apps installed on a mobile device and the share of apps that include a high-risk security flaw.
According to Mary Meeker’s Internet Trends 2016 report, there are 33 apps installed on the average device. As mentioned earlier, 25 percent of publicly available mobile apps include at least one high-risk security flaw based on the 2016 NowSecure Mobile Security Report. If we extrapolate these statistics (25 percent of 33 apps is 8.25), the average device has at least eight vulnerable apps installed.
The Ponemon Institute has reported that there are 53,844 mobile devices in the average Forbes Global 2000 company. If you apply our extrapolation of 8.25 vulnerable apps per device to the Ponemon Institute’s number, there are potentially 444,000 vulnerable apps residing on the devices used by an enterprise’s workforce.
That’s a shocking number of potential holes, and one that CIOs and chief information security officers (CISOs) can’t afford to ignore.
How to counter the threat of leaky mobile apps
The Harvard Business Review article provides a great start for addressing mobile threats with a number of good, actionable best practices such as:
- Spreading mobile risk and security awareness among leadership and staff
- Investing in technology to secure mobile data and endpoints
- Performing an audit of networks and the mobile devices that use them
- Hiring a digital forensics specialist to investigate mobile security issues
- Giving individuals tips on how to secure their mobile devices (which align with our “20 Tips for Better Mobile Security” infographic)
The only problem is the author doesn’t quite go far enough. CIOs and CISOs also need to devote resources and budget to reducing the risk inherent in vulnerable internal or third-party mobile apps that fail to protect sensitive personal and corporate data.
To avoid developing and deploying risky internal apps, and to limit the use of vulnerable apps downloaded from the App Store or Google Play by the workforce, CIOs and CISOs should do the following:
- Establish a framework for the development of secure mobile apps
- Assess the security of every mobile app developed by the enterprise using static and dynamic mobile app security testing as part of build-and-deploy cycles
- Perform mobile app vetting of third-party mobile apps used by employees
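As an added illustration of the second requirement above (static mobile app security testing wired into the build-and-deploy cycle) and of the “leaky app” definition earlier in the post, the following Python script is a minimal pre-release gate for an Android project. It is example code written for this post, not NowSecure’s tooling, and the rules it applies are a small, assumed set of heuristics: cleartext transport and backup flags in the manifest, world-readable storage modes, hard-coded secrets, and sensitive values written to the log. The two project trees it scans are constructed in memory for the example; the first shows the leaky patterns, the second the corrected versions.

```python
"""Minimal static pre-release gate for an Android project (illustrative)."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Heuristic source rules assumed for this example; a real program would use a
# maintained ruleset, but each of these matches a common way apps leak data.
SOURCE_RULES: List[Tuple[str, re.Pattern]] = [
    ("world-readable file mode", re.compile(r"MODE_WORLD_(READABLE|WRITEABLE)")),
    ("cleartext http URL", re.compile(r"[\"']http://[^\"'\s]+")),
    ("hard-coded secret",
     re.compile(r"(?i)(api[_-]?key|password|secret)\s*=\s*[\"'][^\"']{8,}[\"']")),
    ("sensitive value logged",
     re.compile(r"Log\.[dviwe]\([^)]*(token|password|ssn)", re.IGNORECASE)),
]


def check_manifest(manifest_xml: str) -> List[str]:
    """Flag <application> attributes that weaken data protection."""
    findings: List[str] = []
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return findings

    def attr(name: str):
        return app.get(f"{{{ANDROID_NS}}}{name}")

    if attr("usesCleartextTraffic") == "true":
        findings.append("manifest: usesCleartextTraffic=true permits unencrypted transport")
    if attr("allowBackup") == "true":
        findings.append("manifest: allowBackup=true lets app data be pulled out via backup")
    if attr("debuggable") == "true":
        findings.append("manifest: debuggable=true must not ship in a release build")
    return findings


def check_source(path: str, text: str) -> List[str]:
    """Run every source rule over each line, reporting path:line: label."""
    findings: List[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in SOURCE_RULES:
            if pattern.search(line):
                findings.append(f"{path}:{lineno}: {label}")
    return findings


def scan_project(files: Dict[str, str]) -> List[str]:
    """files maps a relative path to its contents (an in-memory project tree)."""
    findings: List[str] = []
    for path, text in files.items():
        if path.endswith("AndroidManifest.xml"):
            findings.extend(check_manifest(text))
        elif path.endswith((".java", ".kt")):
            findings.extend(check_source(path, text))
    return findings


def gate(files: Dict[str, str]) -> bool:
    """Return True only if the build has no findings and may proceed."""
    return not scan_project(files)


# Constructed sample: a leaky app (cleartext + backup allowed, world-readable
# prefs, a hard-coded key, and the session token written to logcat).
LEAKY_PROJECT: Dict[str, str] = {
    "app/src/main/AndroidManifest.xml": (
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
        'package="com.example.leaky">\n'
        '  <application android:usesCleartextTraffic="true" '
        'android:allowBackup="true" android:label="Leaky"/>\n'
        "</manifest>"
    ),
    "app/src/main/java/com/example/leaky/Session.java": (
        "package com.example.leaky;\n"
        "import android.util.Log;\n"
        "public class Session {\n"
        '    static final String API_KEY = "sk_live_0123456789abcdef";\n'
        "    void save(android.content.Context ctx, String token) {\n"
        '        ctx.getSharedPreferences("auth", android.content.Context.MODE_WORLD_READABLE);\n'
        '        Log.d("Session", "token=" + token);\n'
        "    }\n"
        "}"
    ),
}

# Constructed sample: the same app with the leaks closed.
HARDENED_PROJECT: Dict[str, str] = {
    "app/src/main/AndroidManifest.xml": (
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
        'package="com.example.fixed">\n'
        '  <application android:usesCleartextTraffic="false" '
        'android:allowBackup="false" android:label="Fixed"/>\n'
        "</manifest>"
    ),
    "app/src/main/java/com/example/fixed/Session.java": (
        "package com.example.fixed;\n"
        "public class Session {\n"
        "    // The key is fetched from the server at runtime and kept in memory only.\n"
        "    void save(android.content.Context ctx, String token) {\n"
        '        ctx.getSharedPreferences("auth", android.content.Context.MODE_PRIVATE);\n'
        "    }\n"
        "}"
    ),
}

if __name__ == "__main__":
    for name, project in (("leaky", LEAKY_PROJECT), ("hardened", HARDENED_PROJECT)):
        print(f"{name}: ship={gate(project)}")
        for finding in scan_project(project):
            print("  ", finding)
```

Run as a pre-merge or pre-release step, a non-empty findings list fails the build, which is the point of putting the check inside the pipeline rather than leaving it to a one-off audit: the leaky build never reaches the store, and the findings name the file and line a developer must fix.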
If you find yourself challenged by any of these basic requirements of a mobile app security program, contact us to find out how NowSecure can help. We can assist you in developing a secure mobile app development framework, auditing and certifying your mobile apps, using technology to make mobile app security testing more accurate and efficient, and/or vetting third-party mobile apps.