It certainly has taken long enough, but it seems like non-tech media outlets have figured out that applications make wonderful entry points for cyberthieves. Given the layers of complexity that many enterprise apps feature today, it's hardly surprising that they boast massive security holes. That message seems to be finally sinking in.

Consider just a few recent media reports, from NBC News on banking app holes, WRAL TV on security issues with pregnancy apps and PYMNTS about how cyberthieves are directly aiming for applications.

Assuming we are seeing a solid change in perception for app security—as opposed to this being just a few exceptions to the rule—the credit likely goes to mobile app developers. No, not for effective championing of security issues. They deserve the credit for forcing consumers to confront how ludicrously non-secure mobile app development is.

To defend app developers, it's easy to see how these security holes crop up. It's sometimes not a weakness in the app directly, but a weakness that only materializes when that app interacts with the mobile OS or some applet on the phone.

When Starbucks found itself retaining passwords in clear text, the activating culprit turned out to be a popular—and seemingly innocuous—crash-detector. The detector was supposed to capture as much data as possible the instant it detected a crash, so that the data could be analyzed to determine the likely cause of the crash. Among the data it grabbed and retained were clear-text versions of passwords.

Walmart's mobile app got tripped up on iPhones by the routine iTunes backup system. It captured everything associated with app data—including some things Walmart had never intended to be accessible to iTunes.

But please let me now take back much of that mobile app developer defense. The truth is that all of these interactions—app-to-app, app-to-OS, app-to-third-party-applet—happen even more in the enterprise world for servers and desktops/laptops. The difference? The mobile universe makes it an order of magnitude easier to download a new app. Yes, corporate employees download their own unauthorized apps on corporate laptops all the time, but they don't do so at nearly the frequency of their mobile counterparts.

That said, I'll take anything that gets the masses to understand app security and how dangerous it can be if unchecked.

Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for RetailWeek, Computerworld and eWeek and his byline has appeared in titles ranging from BusinessWeek, VentureBeat and Fortune to The New York Times, USA Today, Reuters, The Philadelphia Inquirer, The Baltimore Sun, The Detroit News and The Atlanta Journal-Constitution.


