IBM Study Shows Mobile App Developers Neglecting Security

A joint study with IBM and the Ponemon Institute highlights lax security practices amongst enterprises.


IBM Security and the Ponemon Institute announced the results of a joint study indicating that an alarming share of mobile app developers are not investing in security.

Indeed, the study's findings show that nearly 40 percent of large companies, including many in the Fortune 500, are not taking proper precautions to secure the mobile apps they build for customers.

The study also found organizations are poorly protecting their corporate and BYOD mobile devices against cyber-attacks—opening the door for hackers to easily access user, corporate and customer data.

All the while, the number of mobile cyber-security attacks is continuing to grow. At any given time, malicious code is infecting more than 11.6 million mobile devices, according to IBM.

The Ponemon Institute and IBM Security study, which surveyed security practices in more than 400 large organizations, found that the average company tests fewer than half of the mobile apps it builds. Further, 33 percent of companies never test their apps at all, leaving entry points through which attackers can reach business data via unsecured devices. While these numbers may seem shocking, they are not surprising given another of the study's findings: a full 50 percent of these organizations devote no budget whatsoever to mobile security.

"Building security into mobile apps is not top-of-mind for companies, giving hackers the opportunity to easily reverse-engineer apps, jailbreak mobile devices and tap into confidential data," Caleb Barlow, vice president of Mobile Management and Security at IBM, said in a statement. "Industries need to think about security at the same level on which highly efficient, collaborative cyber-criminals are planning attacks. To help companies adopt smart mobile strategies, we've tapped the deep security expertise of IBM Security Trusteer, bringing what we've learned from protecting the most sensitive data of complex organizations—such as top global banks—and applying it to mobile."

Hackers are now taking advantage of the popularity of insecure mobile apps, public WiFi networks and more to break into the highly valuable data often housed on BYOD and corporate mobile devices. Further, they're also tapping mobile devices as an entry portal into an organization's broader, confidential internal network.

Meanwhile, the study uncovered major security flaws in the ways most organizations build and deploy mobile apps for their customers. The organizations studied, of which 40 percent are Fortune 500 companies, operate in industries that work with highly sensitive data, including financial services, health and pharmaceuticals, the public sector, entertainment and retail.

The organizations studied spent an average of $34 million annually on mobile app development. Despite this large budget, only 5.5 percent of that total is currently allocated to ensuring that mobile apps are secure against cyber-attacks before they are made available to users.

The study showed that most organizations tend to prioritize speed-to-market and user experience over security. They also tended to scan their mobile apps for security vulnerabilities infrequently and much too late in the development cycle, if at all, leaving entry points that attackers are increasingly exploiting. According to IBM X-Force research, in 2014 alone, more than 1 billion pieces of personally identifiable information (PII) were compromised as a result of cyber-attacks.

"Shouldn't building safety into our apps be just as important as how pretty they are or how quickly we can get our hands on them?" Larry Ponemon, chairman and founder of the Ponemon Institute, said in a blog post. "After all, retrofitting an app for security is similar to putting brakes on a car when it's already cruising down the road; it just doesn't work. And similar to the immense damage a safety recall has for automotive brands, a data breach resulting in confidential customer information being compromised can be a death knell for companies."

Moreover, during the creation of mobile apps, end-user convenience is trumping end-user security and privacy. According to the study, 65 percent of organizations said the security of their apps is often put at risk because of customer demand or need, and 77 percent cite "rush to release" pressures as a primary reason why mobile apps contain vulnerable code.

Of the companies that do scan for vulnerabilities before deploying apps to the market, only 15 percent test their apps as frequently as needed for the testing to be effective. Meanwhile, with the increasing popularity of BYOD policies in enterprises, many companies are continually changing their mobility strategies. For instance, 55 percent of the individuals surveyed said their organizations do not have a policy that defines the acceptable use of mobile apps in the workplace, and a large majority, 67 percent, of companies allow employees to download non-vetted apps to their work devices. Additionally, 55 percent of organizations say employees are permitted to download and use business apps on their personal devices.

IBM's answer to some of these mobile security concerns is a new mobile threat management (MTM) technology built into its IBM MobileFirst Protect offering. IBM MobileFirst Protect Threat Management is designed to automatically detect suspicious activity on mobile endpoints and to stop malware the moment a device is breached. This cloud-based technology enables organizations to be better armed against rapidly evolving and sophisticated threats and attacks, the company said.

A copy of the Ponemon/IBM study can be found here.