IBM: Half of developers do not invest in app security

29 April 2015

50% of mobile app developers allocate zero budget to the security of the apps they build, research by IBM and the Ponemon Institute shows, and organisations on average spend a mere 5% of their budget on app security. As speed-to-market and user experience are prioritised over app security, a third of organisations never test their apps for security. Those that do test less than half of their apps.

IT giant IBM, together with the Ponemon Institute, recently released research into the state of mobile application security, for which it surveyed over 400 large organisations operating in industries that work with highly sensitive data, such as financial services, health and pharmaceutical, the public sector, entertainment and retail. The research reveals major security flaws in the ways in which most organisations build and deploy mobile apps for their customers.

The organisations surveyed spend on average $34 million on mobile app development every year. Of this budget, only 5.5% ($1.87 million) is spent on securing these apps against security breaches and 50% of organisations do not allocate any budget towards app security. 

Budget spent on app security

With more than 1 billion personal data records compromised in 2014 and 11.6 million mobile devices affected by mobile malware at any given time, this lack of investment can pose serious threats to mobile app users. When asked about the lack of budget allocated to app security, 65% of organisations state that security is put at risk because of customer demand or need, and 77% cite “rush to release” pressures as a primary reason why mobile apps contain vulnerable code.

As a result of this prioritising of end user experience and speed-to-market over end user security and privacy, 40% of organisations do not scan their mobile apps for security vulnerabilities and 33% never test the security of their apps, creating an excess of entry points for hackers to tap into business data via unsecured devices. Of the organisations that do test their apps, only 15% test them as frequently as needed to be effective; the rest do so infrequently and on average test less than half of the apps they build.

Security of mobile apps tested

According to Caleb Barlow, Vice President of Mobile Management and Security at IBM, companies should start thinking differently about security. “Building security into mobile apps is not top of mind for companies, giving hackers the opportunity to easily reverse engineer apps, jailbreak mobile devices and tap into confidential data. Industries need to think about security at the same level on which highly efficient, collaborative cyber criminals are planning attacks.”

Related news
This is the second piece of research on app security published by IBM in a short period of time. Just last month, the firm highlighted the vulnerability of dating apps and showed that 63% of dating apps are vulnerable to hackers as they have access to additional features on mobile devices.