Leave it to The Simpsons to encapsulate the prevailing zeitgeist of modern industrialized society in just 15 seconds of screen time.
In a scene from the show’s 12th season, Homer attempts to fix a wonky drawer in the living room end table by shoving a stick of lit dynamite inside of it.
“Homer, what are you doing?” Marge asks incredulously.
“Listen,” he says, “do you want the job done right or do you want it done fast?”
“Well, like all Americans — fast,” she replies.
The dynamite explodes. The drawer gets burned. But it no longer gets stuck when Marge pushes it back into the table.
“You can’t argue with results!” she says happily.
Absurd? Totally. Yet it illustrates today’s constant tension (in America and beyond) between doing stuff quickly and doing it correctly. That quandary certainly applies to mobile app adoption and development, according to a 2015 report by the Ponemon Institute.
“In the face of accelerating user demand, businesses are building mobile apps with speed-to-market and user experience in mind,” institute founder Dr. Larry Ponemon wrote in the study.
“What they are not doing, however,” he concluded, “is validating that their apps are safe and secure enough for users to disclose the confidential information — such as billing details and personal information — the apps frequently require.”
In a survey of 400 organizations for the same study, 65 per cent “admit the security of their apps is often put at risk because of customer demand or need, and an overwhelming 77 per cent cite rush-to-release pressures as the primary reason why mobile apps contain vulnerable code,” Ponemon added.
Fast-forward to just a few weeks ago when Gartner research director Dionisio Zumerle tackled the same issue in a webinar called How to Protect Mobile Apps. Zumerle quoted another set of startling statistics, this time from Veracode: the average enterprise organization has more than 2,000 unsafe or malicious apps installed on its mobile devices.
As Zumerle pointed out in the webinar, however, mobile apps developed in-house aren’t immune to such risk, either. His view is bolstered by an Ovum study released in April. It found less than half of surveyed organizations had basic API security measures in place for in-house mobile app development. Perhaps even more worrisome, 27 per cent of them allow APIs to proceed through the development stage without any input whatsoever from their IT security team.
Mobile apps, it seems, are risky business. Here are some of the tips Zumerle offered for deploying third-party mobile apps — and developing in-house ones — securely:
- Keep score: vendors such as Pradeo, FireEye and Appthority not only test mobile apps for security vulnerabilities but also assign them reputation scores; this can help you quickly assess risk before adopting a third-party app or letting an in-house app go live
- Crack down: rein in existing mobile apps that have excessive permissions
- Get appy: focus on security at the app level instead of trying to lock down the actual devices
- Divide and conquer: keep your B2C and B2E mobile app security strategies separate
- Underline UX: try to improve usability at the same time as you harden security in your organization’s consumer-facing apps
- Don’t be PC: PCs and mobile devices are fundamentally different, so don’t mimic a desktop approach to security in your mobile environment
As Zumerle summarized, enterprises are often caught up in “the trade-off between usability and security” when it comes to mobile apps. Although he made a strong case for preserving UX, the stats suggest security is truly lagging on the mobile front and must be boosted.
Otherwise mobile apps, like Homer’s dynamite, could blow up in your organization’s face.