There are more than 1.5 million iOS apps and roughly the same number for Android. That plethora makes it tough for developers to grab market share -- and provides plenty of opportunities for hackers.
Every day last year, 10,000 additional Android threats were discovered and iOS malware grew more than 230%, according to a new Hewlett Packard Enterprise study. Many of those threats are due to slapdash development, a byproduct of outsourcing by enterprises, educational institutions and SMBs. As 5G and the New IP connect organizations' intellectual property, proprietary information and customer data, enterprises must scrutinize their weakest links, which they may find as nearby as their third-party developers' doors, HPE says.
"Typically they turn on all the logging features because that's useful for debugging and development, and then they don't turn them off," says Chandra Rangan, vice president of marketing for HPE security products, in an interview.
That's one reason more than half the applications analyzed accessed geolocation data even though many don't need that information, reported Hewlett Packard Enterprise. Ditto for the more than 40% of iOS games and more than 50% of iOS weather apps that accessed calendar data.
Cooling the Hot Spots
For enterprises, those practices mean calendar attachments filled with meeting topics, participant contact info and confidential notes can wind up in, say, a game developer's cloud. Even if that developer never intended to harvest this information, it's still there -- and vulnerable to hackers.
But these kinds of vulnerabilities also create opportunities for developers to differentiate themselves in the hypercompetitive app market. Many enterprises are aware of such risks, judging by the response HPE got when it presented the study at the RSA Conference earlier this month. For those that aren't, developers could provide a bit of education around this point in their RFP responses and marketing collateral.
"When you build security into your development process, you show more discipline and hygiene," Rangan says. "That could easily be a competitive differentiator."
Indeed, anecdotal evidence suggests developers increasingly use security as a differentiator in both the consumer and enterprise markets. Wire, for example, emphasizes its end-to-end encryption to stand out in the crowded messaging app space. German developer Teamwire stresses its adherence to its nation's strong privacy and data-protection mandates.
Efforts on the consumer side are noteworthy for enterprises with bring-your-own-device (BYOD) policies because, for example, games and social networking apps may harvest calendar, contact and location information related to work. To reduce those risks, organizations with BYOD policies should advise employees to select "no" when a non-work app asks for permission to access calendar, contact or location information. Another option is to use mobile device management (MDM) tools with persona/container features, which can limit exchanges of information between personal and work apps.
When it comes to their own apps, enterprises may require the developers they hire to shut off logging and other potentially risky features. Some enterprises go a step further and hire a separate firm to confirm the developer makes good on that requirement.
"We’re seeing a ramp up in companies that are doing app development testing," Rangan says.
— Tim Kridel, Freelance Contributor. Follow him on Twitter @TimKridel. Special to The New IP