Why mobile app developers need lessons in security

When it comes to security, the tech industry has a short memory. Lessons learned during the PC era are quickly forgotten when they stand in the way of making money in the post-PC world of mobile devices.

Forgotten security

For years, Microsoft added new features to Windows and Office without much thought given to security. When the Internet started taking off in the 1990s, all the vulnerabilities that had been ignored were suddenly accessible through the global network, leaving Microsoft scrambling for the next decade plugging holes and adding technology to combat malware.

Now that we're in the mobile era, history is repeating itself.

Hewlett-Packard analyzed 2,100 iOS apps from more than 600 Forbes Global 2000 companies and found that nine in 10 had vulnerabilities. The most common were unencrypted data storage on the device, the use of insecure protocols for transmitting data and failing to take simple steps during the development process to prevent reverse engineering. The latter is what hackers use to find vulnerabilities or to create counterfeit copies of popular apps.

While HP studied only iOS apps, the company said its findings also apply to Android.

Why security is weak

The consensus among experts I talked to is that weak security is the result of developers being more interested in getting apps out to customers. There's also a general ignorance when it comes to good security practices that won't be addressed as long as speed is the priority.

Developers can get away with sloppy security because there has never been a widespread malware infection on mobile devices. It is the same situation PC software makers were in before the Internet forced Microsoft to rethink security: they didn't worry about hackers as long as infection rates were low.

The problem goes beyond just app developers. Ad networks that developers integrate into apps also introduce vulnerabilities. InMobi, which is used in many Android applications, was recently found to open a potential backdoor in a mobile device. Exploiting the flaw could enable a hacker to make phone calls, send text messages to premium rate numbers and post on social networks.

The HP study shows that developers are building products that could one day provide an open door to the underlying operating system or to the Web server that the app communicates with to send and receive data.

This doesn't mean every vulnerability can be exploited. Google and Apple have built safeguards in their platforms that will stymie a lot of attacks.

But those protections can only go so far. Hackers only need to find one exploitable vulnerability to break into a smartphone and steal sensitive data, such as website credentials or contact lists.

The time to make security a fundamental in the application development process is before cybercriminals develop effective hacking tools for smartphones and tablets. I'm sure if Microsoft had it to do over again, Windows would have been secure by design from day one.
