Gartner: Mobile Apps Ripe for Security Exploitation

Between device loss or theft, idle malware introduced via smartphone update requests, rogue hotspots and poorly-coded apps, IT leaders in education need to start girding themselves for an onslaught of security problems related to the mobile devices carried by the students and staff they serve. According to Gartner, over the next year and through the end of 2015, more than three-quarters of mobile apps will fail "basic security tests."

Tablets are only adding to the potential wreckage. The analyst firm predicted that by 2017, the focus of endpoint breaches will shift to tablets and smartphones. Already, the company noted in a statement, there are three attacks on mobile devices for every attack on a desktop.

The bulk of mobile data breaches will be a result of "mobile application misconfigurations," not "deeply technical attacks." As an example, a user may misuse personal cloud services through apps running on a mobile device, which can lead to undetected leaks of enterprise data.

A basic problem is that developers creating mobile apps don't concern themselves much with app security testing, the IT firm noted. "Most enterprises are inexperienced in mobile application security," said Principal Research Analyst Dionisio Zumerle. "Even when application security testing is undertaken, it is often done casually by developers who are mostly concerned with the functionality of applications, not their security."

Over the last six to eight years, Gartner reported, most app-related testing has taken the traditional form of SAST and DAST, static and dynamic application security testing. The static form of testing, also known as "white-box" testing, analyzes a non-running application's source code and binaries for signs of security vulnerabilities, such as back doors or coding flaws. The dynamic form, also called "penetration" or "black box" testing, looks for clues to security problems in a running application, from the outside in. Most DAST testing examines code for Web-enabled applications.

Now a new kind of testing has surfaced specifically for mobile applications. "Behavioral analysis" monitors a running application to look for signs of "malicious and/or risky behavior" that might be going on in the background. For example, as a user is playing music through an audio player app, the app may also be getting into a user's contact list or geolocation and relaying that data to some external IP address.
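The behavioral check described above can be approximated with a small rule engine over runtime events. This is an added example, not Gartner's or any vendor's code; the event format, the per-category list of expected data accesses, the sanctioned host list and the app trace are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Hypothetical event record as a runtime monitor might emit it (constructed format):
# seconds since app start, app id, event kind and a detail (data type or destination).
@dataclass(frozen=True)
class Event:
    ts: float
    app: str
    kind: str    # "sensitive_read" or "net_send"
    detail: str  # e.g. "contacts", "geolocation", or a destination host/IP

# Data each app category is expected to touch (assumption for this example).
EXPECTED_ACCESS: Dict[str, Set[str]] = {
    "audio_player": {"media_library"},
    "navigation": {"geolocation"},
    "messaging": {"contacts"},
}

# Destinations the organisation has sanctioned for this app (constructed).
ALLOWED_HOSTS: Set[str] = {"api.example-music.test"}

def analyze(app: str, category: str, events: List[Event], window: float = 10.0) -> List[str]:
    """Return findings for one app: sensitive reads outside its expected set, and any
    sensitive read followed within `window` seconds by a send to an unsanctioned host."""
    expected = EXPECTED_ACCESS.get(category, set())
    findings: List[str] = []
    pending: List[Event] = []  # sensitive reads not yet correlated with a network send
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.app != app:
            continue
        if ev.kind == "sensitive_read":
            if ev.detail not in expected:
                findings.append(f"unexpected access to {ev.detail}")
            pending.append(ev)
        elif ev.kind == "net_send" and ev.detail not in ALLOWED_HOSTS:
            for rd in pending:
                if ev.ts - rd.ts <= window:
                    findings.append(f"{rd.detail} read at t={rd.ts:g} followed by "
                                    f"send to {ev.detail} at t={ev.ts:g}")
            pending = []  # reads before this send are now accounted for
    return findings

# Constructed trace: an audio player that quietly reads contacts and location,
# then sends to an address that is not on the sanctioned list.
SAMPLE_EVENTS = [
    Event(0.0, "com.example.player", "sensitive_read", "media_library"),
    Event(1.0, "com.example.player", "net_send", "api.example-music.test"),
    Event(12.0, "com.example.player", "sensitive_read", "contacts"),
    Event(13.5, "com.example.player", "sensitive_read", "geolocation"),
    Event(15.0, "com.example.player", "net_send", "203.0.113.45"),
]

if __name__ == "__main__":
    for finding in analyze("com.example.player", "audio_player", SAMPLE_EVENTS):
        print("RISKY:", finding)
```

A real monitor would feed events from instrumentation or a sandbox; the correlation logic stays the same.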

Testing needs to take place at both the client layer — what the user interacts with — as well as the server layer, Zumerle said. Most of that testing will be done by vendors that specialize in running security tests.

"Today, more than 90 percent of enterprises use third-party commercial applications for their mobile BYOD strategies, and this is where current major application security testing efforts should be applied," he explained. "App stores are filled with applications that mostly prove their advertised usefulness. Nevertheless, enterprises and individuals should not use them without paying attention to their security. They should download and use only those applications that have successfully passed security tests conducted by specialized application security testing vendors."

IT also needs to broaden its understanding of mobile security and add a security focus to its evaluation and development of new applications that have a mobile component.

Zumerle and other Gartner experts will be discussing security issues during this week's Security & Risk Management Summit, taking place in Dubai.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.
