Gartner: Most Mobile Apps Fail Current Security Tests

Maybe not so fast, enterprise mobility. Businesses banking on BYOD strategies to navigate them through the deep waters of security breaches and confidential data leaks may have to rethink their assumptions: A new report from researcher Gartner claims that through next year, 75 percent of mobile apps won’t pass the most foundational of security tests.

That means enterprises accommodating a mobile workforce with BYOD policies in which employees can access sensitive information or carry out normal business activities inadvertently may be compromising networks and exposing confidential data.

In a phrase, mobile app testing is a developing business.

According to Dionisio Zumerle, a Gartner principal analyst, while static application security testing (SAST) and dynamic application security testing (DAST) providers are adjusting their standards to meet new security challenges, new modalities are emerging. SAST technologies finds vulnerabilies without actually executing an application while DAST identifies weaknesses in running web applications but a new test monitors a running application to detect malicious and/or risky behavior exhibited by an application in the background, such as running an audio player while detecting a user’s geolocation and sending data to an outside IP address.

“Enterprises that embrace mobile computing and bring your own device (BYOD) strategies are vulnerable to security breaches unless they adopt methods and technologies for mobile application security testing and risk assurance,” said Zumerle. “Most enterprises are inexperienced in mobile application security. Even when application security testing is undertaken, it is often done casually by developers who are mostly concerned with the functionality of applications, not their security.”

Testing the mobile applications code and graphical user interface doesn’t go far enough, Zumerle said. Enterprises must secure the servers that communicate with mobile clients to access a businesses applications and databases with SAST and DAST technologies as well.

“Today, more than 90 percent of enterprises use third-party commercial applications for their mobile BYOD strategies, and this is where current major application security testing efforts should be applied,” Zumerle said. “App stores are filled with applications that mostly prove their advertised usefulness. Nevertheless, enterprises and individuals should not use them without paying attention to their security. They should download and use only those applications that have successfully passed security tests conducted by specialized application security testing vendors.”

Gartner forecast that by 2017 most mobile hacking will be concentrated on smartphones and tablets. Mobile security as it stands now won't keep the breaches at bay. The researcher expects that by 2017 some 75 percent of mobile security breaches will come from mobile application misconfigurations, such as misusing a personal cloud service together with enterprise data—in other words, the dreaded operator error that businesses not only can’t control but oftentimes are unaware even exists until after the fact.