App Software Vulnerabilities

4 ways vulnerabilities seep into app software

In a world where smartphones are ubiquitous, app software defines the quality and security of our mobile experience. The proliferation of these apps has made mobile usage more convenient, more fun and more comprehensive than ever before.

But it would be folly to think that mobile apps are foolproof. Gartner has predicted that over 75 per cent of mobile apps would fail basic security tests in 2015. So what are the main reasons for these vulnerabilities, and what can we do about them? We have picked out the four most important ways that app software can become vulnerable to attack. Taking steps to rectify these issues will go a long way towards stamping out these weaknesses.

1. A constantly changing threat landscape

The mobile threat landscape is a rapidly evolving one, and shows no sign of letting up. No longer can Android or even iOS be considered relatively untouched by the curse of malware. Threats including MazarBOT, Acecard and XcodeGhost, alongside operating system bugs such as the Stagefright and Heartbleed vulnerabilities, are just a few examples.

Indeed, Symantec’s Internet Security Threat Report 2016 has revealed a 77 per cent year-on-year increase in the number of new Android mobile malware variants. This demonstrates that hackers are getting savvier: they’ve already worked out the best malware families to use to exploit vulnerabilities, and are now refining their craft.

2. Insecure coding practices

With app software representing an ideal opportunity for companies to show innovation and steal a march on their competitors, software developers are often under a lot of pressure to deliver a product speedily. As a result, corners are often cut, and nipping any security vulnerabilities in the bud takes lower priority. This reduced focus on security can be explained by a general lack of awareness of its importance amongst high-level executives at organisations. A report by PwC has shown that only 40 per cent of boards request cyber-readiness information at least once a year, and only half have an active cyber-incident response plan in place.

It’s time that these barriers between decision-makers and development teams were broken down. Through closer collaboration between these teams, security assessments can be made a more important part of the development process, becoming better integrated and enabling development teams to have more of a say on when an app is secure and ready for use.

3. Using components but not heeding the risk

As part of a need to produce software in the face of tight deadlines, developers often make use of pre-built open source software components and code. On the surface, this can make for a more expedient development process. However, bugs such as Heartbleed and Shellshock have exposed serious vulnerabilities that can increase the chances of a breach. To keep these risks in check, businesses and developers need to redouble their efforts to be vigilant, by making use of technology to keep tabs on components and any vulnerabilities they may have.

4. Programming language choice

What’s crucial for development teams to realise is that the programming languages they use can be prone to different types of vulnerabilities. This is especially relevant for mobile, with research showing that all mobile apps have a much higher rate of cryptographic issues compared to web applications, with this figure standing at 87 per cent for Android and 80 per cent for iOS. Again, being extra vigilant here is key: by understanding the strengths and weaknesses of each programming language, app development can be tailored accordingly. 

Alongside these best practices, implementing specialist software that protects your apps from malevolent intrusions can make a huge difference. Software such as Promon SHIELD™ acts as both a short-term solution – by plugging the holes caused by current vulnerabilities – and a long-term one, by securing apps against future threats that can defy even the tightest of security strategies.