Today, I'm a psychic. And my prediction for the upcoming year is this: mobile applications will become hackers' target of choice.

According to Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute, a research think tank dedicated to advancing privacy and data protection practices, "The average organization tests fewer than half of the mobile applications it builds, and 33 percent of the surveyed companies never test their apps."

Not only is the lack of testing an issue, but the ease of performing a hack is a real problem. So much so that a novice could steal your information right out of the palm of your hand. Literally. Probably not the type of palm reading you were hoping for.
Likewise, the 2016 Hewlett Packard Enterprise study found that a staggering 96 percent of 36,000 mobile applications failed at least 1 of 10 privacy tests.

With all this alarming data, why is the security of mobile apps being neglected? Maybe organizations are unaware of the statistics. Or maybe they don't have the money or resources to get ahead of the problem. Perhaps it's not a lack of knowledge or resources, but the fact that they just haven't found a fool-proof solution. Whatever the case, it is a serious problem, and the laundry list of mobile application vulnerabilities continues to grow. That list includes, but is not limited to:
- Login-related weaknesses
- Apps allowing weak passwords
- Unintended data leakage, through syncing or other modes of data in transit
- Broken cryptography / lack of encryption
- Unauthorized access
- Unsecured data storage
I don't need a crystal ball to tell me that disaster is looming if changes are not made, and soon.

In a post from TechTarget, they pose that "All it takes to access the data stored on an unlocked smartphone running a poorly written app is a simple extraction of the file attached to the mobile application, then a query. This action can tell you anything you want to know about the data stored in that app, which is especially troublesome if the database connects to a back end system. Because of these mobile application vulnerabilities, sensitive data should be encrypted at the device level, and external connections should be encrypted as well."

Your mind probably jumps to the banking application you so frequently use, but this issue extends to applications across industries and their tendency to fly under companies' security radars. For example, back in February 2016, Nissan's 'Leaf' app, NissanConnect, which allowed owners of its electric Leaf car to control their cars' heating and cooling from their phones, was disabled after an Australian researcher showed he could use it to control other people's cars as well.

This is just one cautionary tale for organizations of all sizes, but it leads us to the important questions. What are the solutions to this problem? Who is responsible for implementing them?
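To make the TechTarget point concrete, here is an added example written for this post (it is not code from TechTarget, Cybrary, Nissan, or any real app). It builds a constructed SQLite database of the kind an app leaves on the device, runs the "simple query" an attacker would run against the extracted file, and then shows the same store with credentials replaced by salted PBKDF2 hashes so the query returns nothing usable. Table names, column names, and the sample rows are all made up for illustration; anything that must be recoverable on the device, such as a session token, still needs platform-keystore-backed encryption, which this example deliberately does not fake with a hash.

```python
"""Extracted-app-database walkthrough (added example, not from the original post).

Constructed data only: the users, passwords and tokens below are made-up sample rows.
"""
import hashlib
import hmac
import os
import re
import sqlite3

# Column names an attacker (or a scanner) would look at first in an extracted .db file.
SENSITIVE_COLUMN = re.compile(r"pass|pwd|token|secret|ssn|card", re.IGNORECASE)

# Constructed sample rows, not real credentials.
SAMPLE_USERS = [
    ("alice@example.com", "hunter2", "sess-7f3a9c"),
    ("bob@example.com", "letmein1", "sess-b21e04"),
]


def build_vulnerable_db(path=":memory:"):
    """The 'poorly written app' case: credentials and tokens stored in plaintext."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT, session_token TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, password, session_token) VALUES (?, ?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def dump_sensitive(conn):
    """The attacker's 'simple query' against an extracted file: discover every table
    from sqlite_master, pick columns with sensitive-looking names, and pull the values.
    Returns a list of (table, column, value) tuples in row order."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'"
    )]
    for table in tables:
        columns = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        hits = [c for c in columns if SENSITIVE_COLUMN.search(c)]
        if not hits:
            continue
        select_list = ", ".join(f'"{c}"' for c in hits)
        for row in conn.execute(f'SELECT {select_list} FROM "{table}" ORDER BY rowid'):
            findings.extend((table, col, val) for col, val in zip(hits, row))
    return findings


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256; the stored string carries everything needed to verify."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Constant-time comparison against a string produced by hash_password()."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_hardened_db(path=":memory:"):
    """Same app, with no recoverable credential on disk. Anything that must be
    recoverable (the session token) belongs in the platform keystore, not in this file."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (email, password_hash) VALUES (?, ?)",
        [(email, hash_password(pw)) for email, pw, _token in SAMPLE_USERS],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    print("Vulnerable store, one query later:")
    for finding in dump_sensitive(build_vulnerable_db()):
        print("  ", finding)
    print("Hardened store, same query:")
    for finding in dump_sensitive(build_hardened_db()):
        print("  ", finding)
```

Run it against a real extracted file by passing its path to `sqlite3.connect` and calling `dump_sensitive` on the connection; the column-name regex is a starting heuristic, not a complete scanner, and a review of every table is still worth the few minutes it takes.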
My figurative tarot cards are telling me that this is a multi-faceted issue, with responsibilities falling on companies and application developers as well as on the end users of said applications. The solution from an organizational/developer perspective is to build better, more secure applications and test them frequently, which may be easier said than done. From a user perspective, the answer is to lock your apps, create better passwords, and educate yourself on which apps are accessing what data and whether they should be.

I bet you didn't know Snapchat can end up knowing pretty much everything about you: your name, your exact location right now, who your friends are, and when you message them. This 0P3n post, "Social Media and Apps 'Stealing' Your Information – Mobile Security Test Tools", is a rude awakening to those, like myself, who are avid users of the not-so-friendly ghost. Regardless of how scary it is, I highly recommend using this article as a starting point in protecting your apps.

And for both mobile application users and IT professionals alike, there is another common solution: educating yourself using the newly unveiled skill certification tests from Cybrary. Two tests come to mind in regard to mobile application security, Protecting Data in Transit and Mobile Device Security Fundamentals. These skill certifications act as micro-credentials in their respective areas, covering troubleshooting, secure delivery of updates and applications to mobile devices, and implementation of secure transport protocols. Get certified, and I see data security in your future.