Security Experts: Time Needed for Secure Mobile App Development

Speaking at a tech summit last week, security experts agree that to develop secure mobile apps, an investment in time to apply the correct testing and auditing techniques is worth the effort.

Mobile devices are fraught with security risks, but it is still possible to develop secure mobile applications if developers are willing to invest the time and apply the proper auditing and testing techniques, according to security experts speaking at a tech summit Aug. 4.

"Right now mobile security is in a pretty dicey place," said Andrew Hoog, chief investigative officer with viaForensics, which provides forensic analysis and security techniques to ensure that mobile applications protect users' sensitive data and identity. The company has developed forensic and mobile tools for Android and iPhone smart phones that can be downloaded for free.

The company is poised to release a review of 100 popular mobile applications and plans, Hoog told attendees at CompTIA's Tech Summit on Cybersecurity in Washington. CompTIA is a trade association that promotes the global interests of IT professionals and companies.

Ten percent of the applications reviewed store passwords in plain text, Hoogsaid, giving a sneak preview of results of the viaForensics testing. Twenty percent of the financial applications failed, and, overall 83 percent of the apps either failed or got a warning about the types of data of being stored on them.

"The good news is: 17 percent passed," which means "it is possible to develop secure mobile apps," Hoog said. He noted that viaForensics just scratched the surface, looking for basic information but recovered enormous amounts of data on these mobile devices.

The consumer can't change the status of current mobile applications that pose risks. "The folks that need to change are the people who write the applications," Hoog said. However, developers don't have all the secure development life-cycle tools in place now because mobile technology is changing rapidly, he said.

Best practices for how programmers should apply mobile security are just beginning to be developed by organizations such as The Open Web Application Security Project (OWASP), he said. The focus currently is on identifying the primary attack vectors.

"It's possible to secure mobile apps," he said, but it requires a slightly different mind set. Mobile apps are downloaded onto phones but at the same time communicate with Web services behind the scenes. As a result, many technologies have been thrown together, creating a challenge.

"OWASP and organizations like that are doing a great job of evangelizing the cause for strong application security," said Brain Contos, director of global security strategy and risk management with McAfee.

Some companies want to take lessons learned on the Web side and apply them to mobile, he said.

"There is this massive chasm between network security and application security, and mobile, being a piece of that fundamentally, has a very quick catch-up time to mitigate [risks in] that front window," Contos said. "It's going to be a tough time."

About the Author

Rutrell Yasin is the senior technology editor of Government Computer News (


  • Basic Authentication Extended to 2H 2021 for Exchange Online Users

    Microsoft is now planning to disable Basic Authentication use with its Exchange Online service sometime in the "second half of 2021," according to a Friday announcement.

  • Microsoft Offers Endpoint Configuration Manager Advice for Keeping Remote Clients Patched

    Microsoft this week offered advice for organizations using Microsoft Endpoint Configuration Manager with remote Windows systems that need to get patched, and it also announced Update 2002.

  • Azure Edge Zones Hit Preview

    Azure Edge Zones, a new edge computing technology from Microsoft designed to enable new scenarios for developers and partners, emerged as a preview release this week.

  • Microsoft Shifts 2020 Events To Be Online Only

    Microsoft is shifting its big events this year to be online only, including Ignite 2020.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.