Mobile development right now is fundamentally fragmented between a multitude of devices and a powerful ecology of vendors and platforms—on the cultural side, the rise of BYOD and personal connectivity has been a constant thorn in the side of corporate IT. Developers have found themselves in an odd place during this tug-of-war between employees and businesses, since both are customers of numerous apps and devices.
When it comes to providing appropriate security developers may find themselves out in the cold if their app doesn’t live up to standards.
Recently, I spoke with Domingo Guerra, co-founder and president of Appthority, about the best practices for developers interested in securing their mobile apps. He said that there are three major pillars of approaching security in mobile apps: (1) Remember that users don’t always use apps in safe environments; (2) any vulnerability in an app can be leveraged by a bad guy; and (3) there are tools available for developers to vet and pick 3rd party code, libraries, and SDKs.
Developers have a fierce marketplace to enter into and, as a result, it’s not uncommon for them not to have the time to vet all the libraries and SDKs they use to make sure their product makes it to market. This isn’t to say that most SDKs on the market are insecure; it’s that often their security isn’t enabled by default—or their security doesn’t extend between different circumstances. It might be true that a mobile library enables secure transactions on the phone; but might end up sending data in the clear across 4G or WiFi connections.
By connecting with Appthority, developers will find a suite of tools and the Appthority Platform can be integrated into their software development cycle to make it more likely they’ll not just make it to market, but their apps will be secure enough to be acceptable in enterprise environments.
With BYOD, Businesses More than Ever Regard Apps as Sensitive
In our discussion, Domingo said that most businesses are seeing Bring Your Own Device as only the tip of the iceberg and that it’s really more about Bring Your Own App. As I said above, enterprise businesses are becoming more concerned than ever about the security in the apps that their employees are using—especially those designed to be used inside the enterprise environment.
In July of 2012, Appthority released their App Reputation Report, and in that report the top 50 free apps for iOS and Android. “96% of apps on iOS and 84% on Android have access to one or more sets of information. In some cases apps will request permission before accessing this sensitive information.” The report did a very good job of highlighting how when users bring their own apps to the party they open their own personal devices up to being surveilled by less-than-secure software.
Developers might find themselves left out in the dark when enterprise IT departments deploy de facto bans against their apps for not being secure enough. Also, IT would like to know that what apps they’re bringing into their homes have enough security to keep their proprietary information safe from prying eyes—and in some enterprises this means more than just losing trade secrets or internal memos, it might cross health care concerns such as HIPAA and right into legal territory.
Appthority appears to be taking a two pronged approach to providing a solution to these issues. First, they examine and vet existing apps as to their behaviors–showing what they do and what risks they might pose so that enterprise IT can make safe decisions about apps in their gardens. Second, they are seeking to reach out to developers to let them know how to best prepare apps for enterprise environments, through best practices and access to tools to help vet the security of their applications.