75 percent of mobile apps will fail security tests through end of 2015, according to Gartner.
75 percent of mobile apps will fail security tests through end of 2015, according to Gartner.

The bulk of mobile applications (75 percent) will fail basic security tests over the next 15 months or so – through the end of 2015 – leaving businesses vulnerable to attack and violations of their security policies, according to a report from Gartner.

Enterprises are increasingly embracing BYOD – with more than 90 percent of enterprises using third-party commercial apps – and mobile computing is becoming an integral part of the way companies do business, according to Gartner's findings. However, the apps that employees download from app stores as well as the mobile apps that can “access enterprise assets or perform business functions,” don't come with security assurances.

“As these apps grow in popularity and business-criticality, they become an increasing focus for the bad guys,” Sanjay Beri, founder and CEO at Netskope, told SCMagazine.com in an email correspondence Wednesday. “Many factors – unprecedented cloud app growth, increased mobile access of cloud apps and the ability to freely share data from cloud apps – create multipliers that increase the probability and expected economic impact of a data breach.”

He explained that “most security tools in the market are built to support web access from on-premises. In other words, they are built to solve yesterday's problem.”

Indeed, in a press release, Dionisio Zumerle, principal research analyst at Gartner, said that companies will remain “vulnerable to security breaches unless they adopt methods and technologies for mobile application security testing and risk assurance.” But most lack experience in application security. And, “even when application security testing is undertaken, it is often done casually by developers who are mostly concerned with the functionality of applications, not their security,” he said.

As application security testing (SAST) and dynamic application security testing (DAST), which have evolved over the last six to eight years, continue to mature, vendors will tweak them to address mobile applications, Gartner predicted.

In a Wednesday email correspondence with SCMagazine.com, Patrick Harding, CTO at Ping Identity, explained that while the first level of security is about absolute control, encrypting data at rest on a phone or remote wiping, the second level is at the application level. “Enterprises are using modern identity standards like OAuth 2.0 to ensure that mobile devices never cache user credentials,” said Harding. “Instead, each application redirects the user to a central location within the enterprise to authenticate and returns only an "access token" to the application. That token is very limited and if it is stolen it cannot be used for any other purpose.”

Gartner noted that a new kind of test, called behavioral analysis, is coming to bear for mobile applications. In that type of testing, a running application is monitored to “detect malicious and/or risky behavior exhibited by an application in the background.”

Gartner noted that simply testing the client layer of a mobile app is not sufficient. In addition, the server layer must be tested – using DAST and SAST on code and user interfaces – since mobile clients communicate with servers to gain access to company applications and databases. By not protecting a server, companies open themselves to the risk of losing data, housed in the databases, on what could amount to hundreds of thousands of users.

By 2017, Gartner expects the focus of endpoint breaches to shift to tablets and smartphones, noting that “already there are three attacks to mobile devices for every attack to a desktop.” The majority of the breaches, 75 percent, through the end of that year, will occur as a result of misconfiguring mobile applications, such as the misuse of personal cloud service through apps on a smartphone, “rather than the outcome of deeply technical attacks on mobile devices.”

[An earlier version of this story incorrectly noted Patrick Harding's last name as Hardy.]