Bekker's Blog

Gartner Raising a Scare About Mobile Apps

How secure are those mobile apps that users bring into company networks via their own devices? Not very, according to researchers at Gartner. Nor is the situation likely to improve soon.

As part of the Gartner Security and Risk Management Summit this week in Dubai, Gartner principal research analyst Dionisio Zumerle flagged mobile apps as an emerging route for attackers to get into enterprise networks and steal corporate data.

"Enterprises that embrace mobile computing and bring your own device (BYOD) strategies are vulnerable to security breaches unless they adopt methods and technologies for mobile application security testing and risk assurance," Zumerle said in a statement. "Most enterprises are inexperienced in mobile application security. Even when application security testing is undertaken, it is often done casually by developers who are mostly concerned with the functionality of applications, not their security."

Gartner contends that through 2015, more than three out of four mobile applications will fail basic security tests, and encourages enterprises to get aggressive about testing apps that access corporate data and about exploring technologies that help contain the activity of apps on mobile devices, such as wrapping and hardening.

"Today, more than 90 percent of enterprises use third-party commercial applications for their mobile BYOD strategies, and this is where current major application security testing efforts should be applied," Zumerle said. "App stores are filled with applications that mostly prove their advertised usefulness. Nevertheless, enterprises and individuals should not use them without paying attention to their security. They should download and use only those applications that have successfully passed security tests conducted by specialized application security testing vendors."

Gartner called out static application security testing and dynamic application security testing as two categories in which vendors are working to improve the capabilities of their toolsets for mobile app testing. Another promising area, according to Gartner, is behavioral analysis, which monitors running apps to detect risky behavior, such as accessing users' contact lists or locations. It's equally important, the research firm warns, to test or certify security on the servers the apps access, whether those servers are internal to an enterprise or provide back ends for third-party apps.

Attacks on mobile endpoints are still relatively immature, and Gartner anticipates that three-quarters of mobile security breaches through 2017 will result from misconfigurations rather than deeply technical attacks.

Nonetheless, the attackers are rushing at tablets and smartphones. "Already there are three attacks to mobile devices for every attack to a desktop," according to Gartner.

Posted by Scott Bekker on September 17, 2014