Mobile applications can't perform well unless they're built on a rock-solid foundation. But practical mobile application security measures, such as good mobile device management and stored data encryption, can mitigate the risks of mobile app delivery.
Ultimately, mobile applications can be only as secure as the foundation on which they are built -- the mobile devices and operating systems on which they run. So it's imperative to understand the inherent risks associated with mobile devices, the native security measures built into mobile operating systems and best practices for mitigating mobile application security risks.
Lost or stolen smartphones and tablets pose significant risk. Phone theft is rampant, representing 14% of major crimes in New York City last year, as well as 38% of robberies in Washington, D.C. Employers are right to be concerned, since forensic analysis of resold devices can often recover some of a previous user's data. If no security is applied, a lost or stolen device can easily lead to a breach of stored business data, including email messages, contacts, customer records, passwords and more.
Moreover, missing mobile devices enable intrusion into corporate networks and services. A smartphone configured for corporate email, Wi-Fi or virtual private network access can be an unlocked back door into otherwise secure systems, bypassing perimeter security. While the same can be said for laptops, users lose smartphones and tablets far more often. They almost always contain saved passwords and are less likely to verify user identity with two-factor authentication.
These mobile application security and network risks are exacerbated by mobile malware. According to Nielsen, the average U.S. smartphone has 41 user-downloaded apps. While most apps come from reputable sites such as Apple's App Store and Google's Play Store, mobile malware is growing fast, especially for the open source Android OS. Even legitimate apps often have access to sensitive data and services such as contacts and location. A device running a malicious or overly inquisitive app, combined with access to corporate data, networks or services, poses substantial business risk.
In fact, malware spreads by exploiting mobile OS and application vulnerabilities. Mobile ecosystems lag well behind established desktop/laptop patch infrastructure. When malware writers find a new Android bug to exploit, a fix must work its way first through Google, then through device manufacturers and then through cellular network operators before being offered to mobile users. As a result, IT has little insight into and no effective control over mobile application security vulnerability management.
Finally, perhaps the biggest risk of all is the human hand holding a smartphone or tablet. End users often ignore suggested updates, permission warnings and passcode prompts. According to the Information Defense Corporation, 71% of chief information security officers say that mobile devices have contributed to security incidents, largely due to careless employees who lack security awareness. User behavior poses an even greater risk given the undersecured, mixed-use bring-your-own-device trend.