App security today is the Rodney Dangerfield of IT security: everyone knows about it, but it gets no respect. Given that apps are granted ever greater data-sharing with other apps and the ability to update themselves directly from the mothership, without IT sign-off, shouldn't app security soar to the top of the danger list?
Apparently not. Consider just a few examples from December. Computerworld notes that when Apple insisted that all app developers must up their security game and comply with App Transport Security (ATS) rules, a security report found that "on the most common 200 apps installed on iOS devices in enterprises," "97 percent of the analyzed apps -- 193 out of 200 -- used exceptions and other settings that weakened the default ATS configuration."
In short, even when a mobile OS company insists on better security—which isn't often—developers will push back. Still think your enterprise doesn't need to have a direct app security approach independent of ISVs and OS vendors?
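The ATS exceptions the report above counts live in each app's Info.plist under NSAppTransportSecurity. As an added example (not from the report, Computerworld, or Apple), here is a small audit that parses a constructed Info.plist and lists every setting that weakens the ATS default, which is the kind of check an enterprise can run over its own app inventory.

```python
import plistlib

# Constructed sample Info.plist (not from any real app) carrying the kinds of
# exceptions the report describes: a global opt-out plus per-domain weakening.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.demo</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoadsInWebContent</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
      <key>api.example.com</key>
      <dict>
        <key>NSExceptionRequiresForwardSecrecy</key><false/>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

# Top-level ATS keys that, when true, switch ATS off for a whole class of loads.
GLOBAL_WEAKENERS = ("NSAllowsArbitraryLoads",
                    "NSAllowsArbitraryLoadsInWebContent",
                    "NSAllowsArbitraryLoadsForMedia")
# Per-domain keys that, when true, permit plain HTTP to that domain.
DOMAIN_HTTP_KEYS = ("NSExceptionAllowsInsecureHTTPLoads",
                    "NSThirdPartyExceptionAllowsInsecureHTTPLoads")

def audit_ats(plist_bytes):
    """Return (scope, finding) tuples for each ATS-weakening setting; [] if ATS is at default."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    for key in GLOBAL_WEAKENERS:
        if ats.get(key) is True:
            findings.append(("*", key))
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        scope = "*." + domain if rules.get("NSIncludesSubdomains") else domain
        for key in DOMAIN_HTTP_KEYS:
            if rules.get(key) is True:
                findings.append((scope, key))
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append((scope, "NSExceptionRequiresForwardSecrecy=false"))
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):  # below the ATS default of TLS 1.2
            findings.append((scope, "NSExceptionMinimumTLSVersion=" + tls))
    return findings
```

An app whose Info.plist has no NSAppTransportSecurity dictionary at all is running the ATS default and yields no findings.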
Need more convincing? Let's see how Google's Android app security efforts are going. Ars Technica tells a tale suggesting that the Google Play Store isn't an especially reliable source of security, either.
"For at least the past six months, a popular remote management app available in the official Google Play Store has opened tens of millions of Android users to code-execution and data-theft attacks when they use unsecured networks," the story noted. "AirDroid, which has been downloaded 10 million to 50 million times from the official Google Play Store, uses a static and easily detectable encryption key when transmitting update files and sensitive user data. Attackers who are on the same network can exploit the weakness to push fraudulent updates or view potentially sensitive user information, including the international mobile equipment identity and international mobile subscriber identity designations that are unique to each phone."
How many app security nightmares will it take before the problem is taken seriously? Mobile apps are proliferating far more swiftly than security considerations are. Until that changes, app security is essential.
To be explicit, the problem is protecting the apps themselves, and that needs a centralized approach. I've been testing quite a few mobile VPNs and have yet to find any that work for more than 1-2 weeks. They all start out decently, but they quickly degrade performance to the point of absurdity. I was expecting some slower performance, which is a fine tradeoff for better security. What I found, however, were mainstream sites that wouldn't load at all and e-mail that simply couldn't download messages. That's a bit much.
Changing the supposed country of origin often helps, but briefly. Within a few days, the performance nightmares would return. (On the plus side, it's fun watching various e-commerce sites freak out when I appear to be visiting from Russia or Iran.)
It's not even that these apps necessarily contained malware. In app security, there's intended naughty behavior (aka malware) and the vastly more dangerous unintended behavior (such as a lack of encryption and other data leakage caused by programmer carelessness). It's easier to test for apps that are designed to steal or do damage than for ones that sort of accidentally end up in the same place.