IBM: Mobile app security stinks

Major weaknesses in mobile application development make enterprise data vulnerable to attack.

That was the major conclusion from an IBM/Ponemon study released today which found large companies, including many in the Fortune 500 aren't properly securing mobile apps they build for customers nor their corporate and BYOD mobile devices. (Read the entire study.)

+ More on Network World: The 10 most common mobile security problems and how you can fight them +

The study which researched security practices in over 400 large organizations found:

• 40% of large companies aren't scanning the apps that they build for customers for vulnerabilities, creating enormous windows of opportunities for cyber criminals.
• The average company today tests less than half of the apps they build for security flaws.
• 33% of organizations never test their mobile apps before putting them on the market.
• During the creation of mobile apps, end user convenience is trumping end user security and privacy. According to the study, 65% of organizations state the security of their apps is often put at risk because of customer demand or need, and 77% cite "rush to release" pressures as a primary reason why mobile apps contain vulnerable code.
• Of the companies that actually do scan for vulnerabilities before deploying apps to the market, only 15% of them test their apps as frequently as needed to be effective.
• Among the organizations, each spent an average of $34 million annually on mobile app development. Of this tremendous budget, however, only 5.5% is currently being allocated to ensuring that mobile apps are secure against cyber-attacks before they are made available to users.
• A full 50% of companies devote no budget to security.
• There is a dearth of trained and expert security professionals. Only 41 percent of respondents say their organization has sufficient mobile application security expertise.
• Organizations lack policies that provide guidance on employees' use of mobile apps. The findings reveal most employees' are "heavy users of apps", but 55% of respondents say their organization does not have a policy that defines the acceptable use of mobile apps in the workplace.

"Building security into mobile apps is not top of mind for companies, giving hackers the opportunity to easily reverse engineer apps, jailbreak mobile devices and tap into confidential data," said Caleb Barlow, vice president of Mobile Management and Security at IBM in a statement. "Industries need to think about security at the same level on which highly efficient, collaborative cyber criminals are planning attacks."

+More on Network World: What advanced tech will dominate your car by 2025? IBM knows+

At any given time, malicious code is infecting more than 11.6 million mobile devices opening up a large new world of data for cyber thieves to raid. According to IBM X-Force research, in 2014 alone, over 1 billion pieces of personally identifiable information were compromised as a result of cyber-attacks.

The also study noted that the upward trend in mobile cyber thievery is compounded by the blurry line between professional and personal mobile use.

"A significant majority of organizations 67% - allow their employees to download non-vetted apps on their work devices. By rooting a BYOD or corporate device through the many security flaws which exist in unsecured apps, hackers can easily access sensitive files and documents, personal data, or hijack a device's camera or microphone to spy on business meetings," the study found.