Just about every pocket these days has a smartphone tucked into it, and each of those smartphones holds dozens, if not hundreds, of apps. These form the web of functionality that the modern world uses to hail a ride, book a dinner table or just look up a question, but are they being developed from the ground up for modern threats?
According to Joshua Wright, senior instructor and counter-hack technical director for the SANS Institute, the answer is a resounding no. In an interview with IT Business Edge, Wright explained how the majority of mobile app developers may have strong technical chops, but they’re not exactly security experts. And when push comes to shove from publishers eager to get products out on the market as fast as possible, security measures can end up on the chopping block.
“Frequently, developers don’t have a strong understanding of the threats associated with mobile device platforms or the app development frameworks they utilize,” Wright told IT Business Edge. “This, combined with the quick-to-market app delivery model, has led to hundreds of thousands of insecure apps throughout the iOS and Android app stores.”
However, app developers shouldn’t be stuck with shouldering all of the blame for a compromised app ecosystem. In large part, security measures that work for corporate entities (e.g., firewalls distinguishing between an internal and external network) don’t quite apply to a mobile world, where access is universal and multidirectional. Moreover, developers don’t always have the final say in whether or not their apps remain secure, because they have no control over deliberate or inadvertent changes that consumers make once their products go live.
“Security, to a large extent, falls onto the user,” Robert Gravelle, owner of Gravelle Web Design, told IT Business Edge. “The widespread practice of device rooting by Android users is only increasing risk because it circumvents the security restrictions put in place by the operating system.”