Security Experts: Time Needed for Secure Mobile App Development

Speaking at a tech summit last week, security experts agreed that developing secure mobile apps is worth the investment of time needed to apply the correct testing and auditing techniques.

Mobile devices are fraught with security risks, but it is still possible to develop secure mobile applications if developers are willing to invest the time and apply the proper auditing and testing techniques, according to security experts speaking at a tech summit Aug. 4.

"Right now mobile security is in a pretty dicey place," said Andrew Hoog, chief investigative officer with viaForensics, which provides forensic analysis and security techniques to ensure that mobile applications protect users' sensitive data and identity. The company has developed forensic and mobile tools for Android and iPhone smart phones that can be downloaded for free.

The company is poised to release a review of 100 popular mobile applications and plans, Hoog told attendees at CompTIA's Tech Summit on Cybersecurity in Washington. CompTIA is a trade association that promotes the global interests of IT professionals and companies.

Ten percent of the applications reviewed store passwords in plain text, Hoog said, giving a sneak preview of results of the viaForensics testing. Twenty percent of the financial applications failed, and, overall, 83 percent of the apps either failed or got a warning about the types of data being stored on them.

"The good news is: 17 percent passed," which means "it is possible to develop secure mobile apps," Hoog said. He noted that viaForensics just scratched the surface, looking for basic information, but recovered enormous amounts of data on these mobile devices.

The consumer can't change the status of current mobile applications that pose risks. "The folks that need to change are the people who write the applications," Hoog said. However, developers don't have all the secure development life-cycle tools in place now because mobile technology is changing rapidly, he said.

Best practices for how programmers should apply mobile security are just beginning to be developed by organizations such as The Open Web Application Security Project (OWASP), he said. The focus currently is on identifying the primary attack vectors.

"It's possible to secure mobile apps," he said, but it requires a slightly different mindset. Mobile apps are downloaded onto phones but at the same time communicate with Web services behind the scenes. As a result, many technologies have been thrown together, creating a challenge.

"OWASP and organizations like that are doing a great job of evangelizing the cause for strong application security," said Brian Contos, director of global security strategy and risk management with McAfee.

Some companies want to take lessons learned on the Web side and apply them to mobile, he said.

"There is this massive chasm between network security and application security, and mobile, being a piece of that fundamentally, has a very quick catch-up time to mitigate [risks in] that front window," Contos said. "It's going to be a tough time."

About the Author

Rutrell Yasin is the senior technology editor of Government Computer News (

