Gartner: Mobile Apps Ripe for Security Exploitation

Between device loss or theft, idle malware introduced via smartphone update requests, rogue hotspots and poorly-coded apps, IT leaders in education need to start girding themselves for an onslaught of security problems related to the mobile devices carried by the students and staff they serve. According to Gartner, over the next year and through the end of 2015, more than three-quarters of mobile apps will fail "basic security tests."

Tablets are only adding to the potential wreckage. The analyst firm predicted that by 2017, the focus of endpoint breaches will shift to tablets and smartphones. Already, the company noted in a statement, there are three attacks on mobile devices for every attack on a desktop.

The bulk of mobile data breaches will be a result of "mobile application misconfigurations," not "deeply technical attacks." As an example, a user may misuse personal cloud services through apps they run on their mobile devices, which can lead to undetected data leaks of enterprise data.

A basic problem is that developers creating mobile apps don't concern themselves much with app security testing, the IT firm noted. "Most enterprises are inexperienced in mobile application security," said Principal Research Analyst Dionisio Zumerle. "Even when application security testing is undertaken, it is often done casually by developers who are mostly concerned with the functionality of applications, not their security."

Over the last six to eight years, Gartner reported, most app-related testing has taken the traditional form of SAST and DAST, static and dynamic application security testing. The static form of testing, also known as "white-box" testing, analyzes a non-running application's source code and binaries for signs of security vulnerabilities, such as back doors or coding flaws. The dynamic form, also called "penetration" or "black box" testing, looks for clues to security problems in a running application, from the outside in. Most DAST testing examines code for Web-enabled applications.

Now a new kind of testing has surfaced specifically for mobile applications. "Behavioral analysis" monitors a running application to look for signs of "malicious and/or risky behavior" that might be going on in the background. For example, as a user is playing music through an audio player app, the app may also be getting into a user's contact list or geolocation and relaying that data to some external IP address.
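To make the behavioral-analysis idea concrete, here is a small monitor written for this article (not a Gartner tool, and not code from any vendor it mentions): it replays constructed per-app events, compares what a running app touches against what an app of its declared kind is expected to need, and flags the music-player pattern described above, a background read of contacts or geolocation followed by a send to an outside destination. The event format and the per-category expectations are assumptions for the example.

```python
"""Toy behavioral-analysis check over constructed app events (not real
tool output). Flags apps that read sensitive data they do not need and
then transmit to an external destination."""
from dataclasses import dataclass
import ipaddress

# Resources an app category is expected to touch (assumed for this example).
EXPECTED = {"audio_player": {"audio", "storage", "network"}}
# Resources whose unexpected use is worth reporting.
SENSITIVE = {"contacts", "location", "sms"}


@dataclass
class Event:
    app: str        # package or app name
    category: str   # declared purpose, e.g. "audio_player"
    action: str     # "read" (a resource) or "send" (to a destination)
    target: str     # resource name for reads, destination for sends


def is_external(host: str) -> bool:
    """Private, loopback and link-local addresses count as internal;
    any other address, and any hostname, counts as external."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # hostname: treated as external in this toy
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def analyze(events):
    """Return (app, sensitive resources read, destination) for each app
    that reads an unexpected sensitive resource and later sends data out."""
    touched, findings = {}, []
    for e in events:
        allowed = EXPECTED.get(e.category, set())
        if e.action == "read" and e.target in SENSITIVE and e.target not in allowed:
            touched.setdefault(e.app, set()).add(e.target)
        elif e.action == "send" and is_external(e.target) and touched.get(e.app):
            findings.append((e.app, sorted(touched[e.app]), e.target))
            touched[e.app] = set()  # report each read-then-send pair once
    return findings


# Constructed sample: one music app quietly reads contacts and location and
# posts to an outside host; a second app only touches what it should.
SAMPLE = [
    Event("music.fm", "audio_player", "read", "audio"),
    Event("music.fm", "audio_player", "read", "contacts"),
    Event("music.fm", "audio_player", "read", "location"),
    Event("music.fm", "audio_player", "send", "collector.example.net"),
    Event("notes.app", "audio_player", "read", "storage"),
    Event("notes.app", "audio_player", "send", "10.0.0.5"),
]

if __name__ == "__main__":
    for app, resources, dest in analyze(SAMPLE):
        print(f"{app}: read {resources} in background, then sent data to {dest}")
```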

Testing needs to take place at both the client layer — what the user interacts with — as well as the server layer, Zumerle said. Most of that testing will be done by vendors that specialize in running security tests.

"Today, more than 90 percent of enterprises use third-party commercial applications for their mobile BYOD strategies, and this is where current major application security testing efforts should be applied," he explained. "App stores are filled with applications that mostly prove their advertised usefulness. Nevertheless, enterprises and individuals should not use them without paying attention to their security. They should download and use only those applications that have successfully passed security tests conducted by specialized application security testing vendors."

IT also needs to broaden its understanding of mobile security and add a security focus to its work evaluating and developing new applications for deployment that have a mobile component.

Zumerle and other Gartner experts will be discussing security issues during this week's Security & Risk Management Summit, taking place in Dubai.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.
