Are your enterprise apps secure? Do they have vulnerabilities that could expose confidential corporate data? Are iOS apps harder or easier to secure than Android apps?
There is not much data out there on these matters, certainly not about mobile app security in a world where developers are frequently asked to support multiple platforms. It’s pretty easy to find surveys of IT and security professionals about app risks generally, or to find statistics about the prevalence of malware in app marketplaces. But the opinions of actual, active developers? Not so much. That’s why we at BlackBerry’s Center for High Assurance Computing Excellence (CHACE) have conducted a new study of the BlackBerry developer community, including attendees of the BlackBerry Developer Summit, and subscribers to our BlackBerry Enterprise Apps Newsletter.
One of the suggestions we have heard for why vulnerabilities are left in apps is that developers may not be as aware of security assurance practices as they should be, or don’t prioritize them. So we asked developers to rate the importance of the following security practices: code reviews or audits, automated security analysis tools, use of formal security requirements, and security or pen testing. At least 73% of the group rated each of these practices as “somewhat important” or “very important”. The top ranked security practice? Security or penetration testing. Whether they practice them vigorously or not, the developers seem to know them and value them. And lest you suspect that developers think everything is important, only about 44% felt app wrapping was to some degree an important security assurance practice.
A hot-button question is whether iOS apps are easier to secure than their Android counterparts. Regardless of what you think of the security of the platforms themselves, you might expect many app security concerns to be common to both: ensuring the security of sensitive data in transit to back-end cloud services, for example. But when we asked developers whether they thought iOS apps were harder to secure than Android apps, over 40% disagreed and only about 20% agreed.
Beyond platform differences, we wanted to know if developers thought containerization solutions such as BlackBerry Dynamics made app security easier, so we asked them whether apps on iOS and Android were harder to secure without containerization. For iOS, responses were nearly equally distributed between “harder”, “not harder” and “neutral”. For Android, however, containerization was generally seen as more helpful: 50% of the developers felt it was harder to secure Android apps without containerization, and only 18% disagreed.
The results are interesting because you would expect containerization solutions to help with app security on iOS as well as on Android. For instance, OWASP advises iOS developers that iOS mobile apps commonly have insufficient transport layer protection for sensitive data, and BlackBerry Dynamics provides Secure Communications APIs to simplify keeping data safe in transit. Of course, such an API only helps if developers actually route sensitive traffic through it rather than through the platform's default networking stack.
Overall, BlackBerry’s enterprise app developers appear to be well set up for secure app development: they have a strong sense of the importance of established security assurance practices, and feel that containerization solutions are helpful in securing Android apps. If you would like to contribute your thoughts and opinions, you can take the survey yourself online. The survey has plenty of places to provide extra commentary too: we would love to hear your thoughts.