Mobile apps and personal security

    June 27th, 2013 · Martin · Applications, mobile, mobile applications

    Now that mobile apps have stopped being smaller, less power-hungry mobile versions of bigger desktop programs and are an industry in their own right, the field of techno-security has to expand in order to include apps.

    While questions have been raised over malware from some third-party developers, especially on the Google Play Store, one of the biggest threats comes from poor security in the apps themselves.


    Application security specialists Veracode recently published their analysis of the most popular mobile apps and found that many apps not only access confidential or even personal data but can also publish it to unknown parties. Veracode’s Executive Vice President Sam King said, “91% of the top mobile apps unnecessarily expose a user’s personally identifiable information”. The head-on charge of the app market shows no sign of relenting any time soon, and the latest apps can still cause a big stir. This means that in the whirlwind of progress, users can forget the security rules they would usually obey, such as tailoring permissions or not accepting terms from distributors they don’t know.

    Given that many employers now provide handsets to their employees, the risk is not only to personally identifiable information but also to potentially sensitive corporate information. Handsets that are employee-owned, frequently changed and used for both personal and business purposes are difficult to manage. Employers may be able to protect their own PCs and servers, but not necessarily their employees’ handsets.

    Veracode’s SEO analyst Neil DuPaul noted in a blog, “The rise of BYOD (bring-your-own-device) friendly workplaces means employees are now downloading personal apps on devices that have access to corporate as well as private data. It is not uncommon for useful and seemingly harmless applications to be designed to perform tasks that are unrelated and unnecessary to the advertised function of the app.”

    There is an argument that some of the blame for this lies with the users. Any device, from a telephone to a car, should always be used while bearing in mind the negative consequences of improper or naïve usage. In the early days of the internet, scams were crude and widespread, and the lessons were long and hard to learn. Even today, phishing scams are rife and Nigerian royalty are still seemingly sending out thousands of emails per day.

    As the ‘app’ has only been in the public consciousness for five years or so, the rate at which it has grown is astounding. It could well be that as users gain experience with their devices, they begin to catch up with the less-than-scrupulous developers, and ten years from now we’ll all know better than to allow open access to our data. Until then, Veracode has added mobile app intelligence to its security suite. MARS (Mobile Application Reputation Service) aims to help enterprises and official bodies guard against data leakage due to risky apps. When used in conjunction with Mobile Device Management or Mobile Application Management, it’s an attempt to make the BYOD environment safer for both users and employers.

