The hole in your phone is getting bigger

New report shows that app developers are lagging far behind in keep your apps safe.

You can get an app that translates what you say into meows for your cat to hear. Or an app of a cute girl who sits and watches as you eat dinner by yourself, so you won’t feel lonely. And an app to play the game of popping a pimple on a cartoon person’s face—“Happy popping!” exclaims the developer.

You may not have those apps—yet—but you probably use other apps every day, from checking the weather or traffic for your drive home.

All of these app developers are keeping you secure, right?

No, a new report says.

Safety and security are being crushed under the weight of an app stampede, according to a report by Ponemon and IBM. The rush to churn out new mobile apps at high speed is leaving security in the lurch.

The report shows that about half of the people surveyed—more than 600 professionals who work in areas related to app security—say their companies do not even test the apps to make sure they are secure before launch.

Almost three-quarters of them said their company’s app developers do not have the skills to work security into the apps.

“Testing of applications is critical but not being done,” the report said. “Prevention of attacks on applications is a low priority.”

Why do you care?

Apps can leave a hole in your phone that leads to your bank account, among other things you might want to keep secure.

Attackers targeted people using banking apps in Australia, reported cybersecurity company ESET.

They tricked people into downloading what looked like a FlashPlayer app, ESET said. The malicious app then scanned your phone for a banking app. If it found one, it put its own password screen on top of your bank app’s password screen, so it could harvest your credentials. Then the malware waited on your phone so it could steal the special text code your banks sends you when you log-in to prove it’s really you.

Last month, Nissan disabled an app for its electric Leaf car after a security researcher found hackers could get in through the app and mess with other people’s cars, USA Today reported.

And cybersecurity company Symantec reported in January that a pornography app called “Porn ‘O’ Mania was actually a malicious app that takes over your phone and demands ransom for you to get your data back.

It will not just encrypt your files, but also “lock the device, change the device PIN, and even delete all user data through a factory reset,” Symantec said.

In addition, researchers at HPE found that 75% of mobile apps tested had a “critical or high security vulnerability,” SC Magazine reported in February.

Pressure

There is pressure to get apps out without making sure they are secure, said more than 50% of the people surveyed in the Ponemon report.

“One can only hope that the speed at which app developers are rushing to release new or updated versions of their apps is out pacing the hackers’ ability to find breaches in what little security these applications are providing,” said Paul Golden with Archer Security Group.

“It’s a race—developer versus hacker,” he added.

Though it might make a better game than “Pimple Popper,” the survey shows the “developer versus hacker” race may be weighted in favor of the hackers.

Not only did people surveyed say most of the developers in their companies don’t have the skills to do effective app security, many also said the developers saw security as a hindrance.

Developer skills

There are skilled app developers. But are there enough?

Large companies may have in-house app development teams and multiple departments, said Patrick Coyle with Chemical Facility Security News, but smaller companies may be less advanced.

“Most smaller and mid-size companies have very informal application development processes, if they have any at all,” said Coyle.

“Those are mainly done by individuals who have taken a couple of courses in school or taught themselves. Hardly any of those folks have any security training to speak of,” he said.

The survey showed about half of the organizations do not do things to help developers improve their security skills, like making sure they get security training or providing code libraries, the report said.

Apps at work

What kind of apps are you downloading onto your company phone, or your personal phone that you use to access your corporate network?

Those apps can be a risk, said Coyle, and not just to you, but your company..

The app may have security holes, or worse. 

“There are suppliers of apps out there that are deliberately adding ‘features’ that are actually cyber attack features, placing back doors or malware on the new owner’s phone,” said Coyle.

About three percent of workers at a company may have malware on their phones at any given time, reported Help Net Security, and at the same time, more and more employees are able to access sensitive work info through their phones.

Another Ponemon report released in February showed two-thirds of people surveyed said it was either “certain or likely” that their company had a data breach “as a result of employees using their mobile devices to access the company’s sensitive and confidential information.”

Not all bad

The latest Ponemon report paints a dark picture of app security.

But some cybersecurity experts say they do not think the situation is that bleak.

“I don’t believe there is a total lack of care when it comes to app security, and find it hard to believe that there is a lack of structure to the development of both secure and insecure apps,” said Daniel Lance with Archer Security Group.

The Ponemon report noted that its survey is based on people who responded, and may not capture the entire current picture of the state of app security.

Lance said there are problems, however, including developers who often reuse code from more than one game or app, and distribute vulnerabilities. The “old” code may not withstand updates in your operating system, he said.

“Code doesn’t expire, but its shelf life is limited by how it interacts with its environment,” said Lance. “Change your operating system, and things are bound to break here and there, leaving a high potential for vulnerabilities.”

“Smart phones have grown so fast that the standards for testing and reuse at most any developer are likely very low,” he said. “Negligence is less likely than ignorance in this case.”

Solutions

A basic protection for you—think before you app. 

Are you downloading an app onto the same phone that you use to look up sensitive company information?

Are you reading the app reviews for signs of trouble? 

Are you downloading an app from outside an app store, like from the web?

App stores say they vet apps before they allow them in. Their apps, however, can have problems, too, like the ghost porn apps that appeared on Google Play. Researchers said poor reviews revealed the apps as risky, and recommended people pay close attention to what users say.

Do the app stores need to do more?

“The services offering apps such as the Apple app store or Google Play store need to check for cross-platform vulnerabilities and implementation errors that leave holes for exploration from malicious attackers before offering an app for sale,” Lance said.

“The public is using an app store because it’s effortless and credible and, in some cases, the only option,” he said.

Ready for prime time? 

Company budgets for app security are growing, the Ponemon report said.

But some cybersecurity experts say there is no need for companies to rush into the business app game.

“Mobile application continue to show a lot of value for communication but they don’t yet seem to have the maturity for prime time in the business world,” said Slade Griffin with Contextual Security.

“Traditional data communication struggles with security on much more mature platforms,” said Griffin. “Adding an immature platform can increase the risk to a company’s sensitive data.”

Griffin said there are solutions in the works, like giving a phone a work and non-work partition.

However, he sad, “None of the solutions as of yet seems to be 100% ready.”

“The security of the mobile platforms hasn’t reached a high enough level to justify ‘doing business’ via a mobile platform,” he added.