While the retail and health care industries have been rocked recently by a string of security breaches, another potential attack is massing right in the palm of your hand: your mobile apps.
Four out of 10 large corporations are failing to ensure the safety of their apps, according to new research from IBM (IBM). The study, which was undertaken with the Ponemon Institute, found that one-third of companies never test their apps before releasing them, while half of organizations have no budget for mobile security.
The findings should give mobile users pause, given the amount of sensitive data carried on their smartphones, from passwords to GPS location history. Hackers are also increasingly reverse-engineering legitimate apps and re-releasing modified copies on unofficial app stores, which raises the likelihood that an app will carry malware or security flaws that expose consumers to attack.
“There is a race on for every company to have a mobile app out there,” Caleb Barlow, vice president of mobile management and security at IBM, told CBS MoneyWatch. “At the same time, often they are using less mature developers. If you look at the demographics they are young and ambitious, but they aren’t thinking about security, so security is an afterthought.”
The fact that about half of large organizations have no budget for mobile security is “staggering,” he added.
Other researchers besides IBM have raised alarms about the security issues prevalent in mobile applications. Security company FireEye, for one, has warned that it saw a sixfold increase in the amount of mobile malware designed to steal financial data during the first 10 months of 2014 alone.
So far, Barlow noted, the mobile industry hasn’t been hit by the kind of large hacking attack that’s impacted the retail industry, such as the massive data breach Target (TGT) suffered last year. “We think [an attack] is just a matter of time,” he added.
While much of the responsibility for a mobile app’s security rests with the developer, consumers can take some steps to protect themselves, Barlow said.
First, practice what Barlow calls “good permission fitness.” When an app asks for data it doesn’t need to perform its task — such as a flashlight app asking for the phone’s GPS — deny the request. Similarly, a map app doesn’t need access to your contacts. Keeping apps from collecting data that isn’t necessary to their function limits the damage if the app is compromised or turns out to be malicious.
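The “permission fitness” idea above can be checked mechanically before an app is ever installed: list the permissions its manifest requests and compare them with what an app of that kind plausibly needs. The following Python script is an added example written for this page, not code from the article or from IBM. The per-category allowlists, the sample manifests and the app categories are constructed assumptions for illustration; the permission names themselves are real Android permission strings. It also separates runtime (“dangerous”) permissions, which the user is prompted to grant and can refuse, from install-time permissions such as INTERNET, which Android grants automatically and the user cannot deny from the prompt.

```python
"""Audit an Android app's requested permissions against its stated purpose.

Added example: the allowlists and sample manifests below are assumptions
constructed for illustration, not data from the article or from IBM.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumption: what an app in each category plausibly needs. A real audit
# would derive this from the app's advertised feature set.
EXPECTED_BY_CATEGORY = {
    "flashlight": {"android.permission.CAMERA"},
    "maps": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
        "android.permission.INTERNET",
    },
}

# Subset of Android's runtime ("dangerous") permissions: the ones the user is
# asked to approve and can deny. Everything else is granted at install time.
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CALL_LOG",
}

# Constructed sample manifests (not real apps).
MANIFEST_FLASHLIGHT = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

MANIFEST_MAPS = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.maps">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def audit(manifest_xml, category):
    """Compare requested permissions with the category's expected set.

    Returns a dict with:
      requested - everything the app asks for
      excess    - requested but not needed for this kind of app
      deny      - the excess permissions the user will actually be prompted for
      silent    - excess permissions granted at install time with no prompt
    """
    if category not in EXPECTED_BY_CATEGORY:
        raise ValueError("unknown app category: %r" % category)
    requested = requested_permissions(manifest_xml)
    excess = requested - EXPECTED_BY_CATEGORY[category]
    return {
        "requested": sorted(requested),
        "excess": sorted(excess),
        "deny": sorted(p for p in excess if p in DANGEROUS),
        "silent": sorted(p for p in excess if p not in DANGEROUS),
    }


if __name__ == "__main__":
    for label, manifest, category in (
        ("flashlight", MANIFEST_FLASHLIGHT, "flashlight"),
        ("maps", MANIFEST_MAPS, "maps"),
    ):
        result = audit(manifest, category)
        print(label, "-> deny at prompt:", result["deny"], "| granted silently:", result["silent"])
```

The `silent` bucket is the caveat worth remembering: a permission like INTERNET never produces a prompt, so “deny what you don’t recognize” only covers the runtime permissions. An app that over-requests install-time permissions is a reason not to install it at all rather than something the user can fix after the fact.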
Secondly, don’t “jailbreak” your phone — and make sure your teens and college students aren’t doing this — because it opens the device up to a number of security issues. Teens find jailbreaking appealing because it lets them download apps for free, but they may not be aware that many of those apps have been reverse-engineered by hackers to include malware, Barlow noted.
“All of the top 100 apps on Android have hack variants, or a version of the game or banking app that still works but didn’t actually come from the publisher,” he said. Teens and college students “go to a store that’s posted the app for free. In many cases what they think are free apps are apps with malware or malicious code.”
That’s why Barlow tells parents to pay for their children’s apps. He added, “That $3 you pay for an app is a whole lot less than you’ll pay to fix their identity.”