Developers Beware: Poor Coding Practices Result in Poor Mobile App Security
Enterprise organizations interested in developing their own mobile apps would benefit from reading HP Security Research’s new Cyber Risk Report 2015. The report presents an in-depth look at enterprise IT security overall and, like other security reports, it covers mobile app security and the threat of mobile malware.
But what is particularly chilling is the report’s findings on security vulnerabilities that result from poor coding practices. It’s worth quoting HP’s summary of poor mobile app security in full:
“The primary causes of commonly exploited software vulnerabilities are consistently [sic] defects, bugs, and logic flaws. Security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors. Much has been written to guide software developers on how to integrate secure coding best practices into their daily development work. Despite all of this knowledge, we continue to see old and new vulnerabilities in software that attackers swiftly exploit. It may be challenging, but it is long past the time that software development should be synonymous with secure software development. While it may never be possible to eliminate all code defects, a properly implemented secure development process can lessen the impact and frequency of such bugs.”
How do these programming errors play out in the world of mobile app security?
Big Threats from Bad Coding Habits
The report’s ranking of the top five mobile vulnerabilities stemming from poor coding practices is:
- Privacy violation: 74%
- Insecure storage: 71%
- Insecure transport: 66%
- Insecure deployment: 62%
- Poor logging practice: 47%
These results highlight poor mobile app security and point to violations of broader corporate security policies and best practices. More specifically, and more troubling, poor mobile app security leaves enterprise data insufficiently protected both in storage and in transit. Should enterprise data, which often contains sensitive information such as intellectual property, financial information, and personally identifiable information (PII), be compromised and accessed by unauthorized users, it will surely damage the offending company’s brand equity, destroy customer loyalty, and draw a compliance violation.
So, what are the implications of poor coding practices and insufficient mobile app security? On closer examination of mobile apps, the following common problems were reported:
- Insecure storage due to insufficient data protection: 54%
- Poor logging practice: 47%
- Weak cryptographic hash: 43%
- Missing jailbreak detection: 37%
- Known mobile attack surface fingerprint: 34%
The report also found that mobile apps often make improper use of geolocation, potentially disclosing confidential location data, and of screen caching.
The Importance of Secure Mobile Apps
Mobile computing is going to be increasingly important in the years ahead. It’s already the preferred medium for many employees, and in the next five years, we can expect even more work to involve mobile apps.
To take advantage of this mobile revolution and further increase productivity, many enterprises are now developing their own mobile apps in-house. This is laudable but difficult work. Mobile operating systems like Android are still relatively young. Legacy data systems are old, diverse, and scattered across the enterprise.
Marrying the latest in secure mobile file sharing and simple integration with diverse legacy systems, such as Enterprise Content Management (ECM) systems including Microsoft SharePoint and EMC Documentum, is no easy task. But it’s a task that, if done well, promises to yield tremendous benefits in terms of productivity, efficiency, and operational agility.
As this report indicates, however, these benefits can be quickly undermined by data breaches resulting from poor mobile app security. Enterprise development teams should therefore heed the report’s warnings and treat mobile app security as a requirement when developing functional mobile apps. By designing applications that enhance productivity without compromising mobile app security, developers will avoid these common pitfalls.