Biometrics has gained an upper hand as the security mechanism most preferred by mobile app developers.
A new Evans Data survey of mobile application developers finds that security is their top concern and biometric authentication is their primary method for providing security and privacy of applications and users.
Biometric authentication involves the use of various aspects of human physiology or behavior--such as fingerprints, retinal scans, voice and more—to provide access to systems.
According to the Evans Data's latest Mobile Development Survey, 36 percent of respondents selected biometrics authentication as their preferred method of security, followed by on-device hardware encryption (25 percent), Near Field Communication- (NFC-) based authentication (18 percent) and on-device software encryption (14 percent).
"Although biometric authentication isn't new technology, it's still considered the best form of authentication by mobile developers," Janel Garvin CEO of Evans Data, said in a statement. "Iris scans and facial recognition have more novelty, but fingerprint scans are easier for the user and thus appealing to the developer."
The Evans Data study also found that 39 percent of developers believe the application layer is most important in securing mobile applications, followed by 28 percent of respondents who said that securing the mobile operating system is most important. Yet the survey also showed that developers would most likely pursue data encryption as the primary method of securing data on devices.
Evans Data conducts its Mobile Development Survey twice a year. This most recent one, a poll of developers actively building mobile apps, was conducted in July and covers a range of topics related to development for mobile devices, including development environments, tools and software development kits (SDKs), mobility in the enterprise and cloud, security, targeted platforms by region, application, type and features.
Although the Evans Data Survey found that developers view biometrics as the preferred method of securing mobile apps, analysts at CEB, a best practice insight and technology company, challenged the efficacy of biometrics versus plain old passwords. In an article in ITProPortal, Jeremy Bergsman and Daria Kirilenko of CEB said their research shows that only about 20 percent of firms have actually deployed biometrics.
"A big reason for low adoption could be that they are less secure," the article said.
Moreover, the article notes that CEB data shows that 50 percent of organizations have not evaluated biometrics for their business and of those that have, only 16 percent are planning to deploy them in the next two years.
The CEB team maintains that biometrics will be easier to hack than passwords. "Not only are they subject to all the current attacks that work when hacking passwords, but biometric data was never designed to be secret," the CEB team's article said. "Most people make sure not to divulge their passwords, but it's difficult to imagine a world where everyone wears gloves constantly to avoid leaving fingerprints."
The article also notes that stolen biometrics have greater repercussions for users than stolen passwords because biometrics reveal uniquely personal information about a user's identity. Bergsman and Kirilenko also downplayed biometrics because biometric-based authentication lacks revocability.
Meanwhile, this year's previous edition of the Evans Data Mobile Development Survey showed that mobile developers tend to follow security protocols as a necessity.
Security has long been a top issue for mobile development. The previous Evans Data survey, released in January, showed that 56.7 percent of mobile developers follow security protocols mandated by their government.
This is especially true in North America, where 67 percent use protocols that the federal government has specified for authentication and digital signatures. Use in Asia was only slightly less, while only a third in the Europe, Middle East and Africa (EMEA) region follow government guidelines.
The most common potential security issues that developers encountered in the last year were authentication without using HTTPS, and weak server side controls—both cited by 43 percent of the developers in the survey.
In the United States, the Office of Management and Budget (OMB) guidelines advocate the use of HTTPS for authentication, but those guidelines do not necessarily apply to non-government sites. For enterprise developers, data leakage and network-level security issues compete with data tampering in transit as issues, the survey showed.
"Security is critical today in all forms of software development, but there are more vulnerabilities when it comes to mobile," Evans Data's Garvin said in a statement. "Encryption during transport over the network is one of the issues peculiar to mobility that is particularly of concern to developers, but so is encryption for data at rest on the device. As mobile devices become the de facto standard for the client, these issues have become more pressing."