Carl Herberger is the Vice President of Security Solutions at Radware, a leader in application delivery and security solutions that assures the availability, performance, and resilience of business-critical applications for over 10,000 enterprises and carriers worldwide. A recognized information security expert, Herberger draws on his extensive information security background in both the private and public sectors. He began his career in the U.S. Air Force as a computer warfare specialist at the Pentagon and managed critical operational intelligence programs aiding both the National Security Council and Secretary of the Air Force. Herberger founded Allied InfoSecurity and held executive security positions at BarclayCard US, SunGard and Campbell Soup Co.
When Pop Culture Drives Mobile App Development, What Happens to the Security of User Data?

October 22, 2015
Carl Herberger
KEYWORDS cyber crime / security apps

Today, mobile apps are as ubiquitous as beer, music and fashion. In fact, they are so popular that they now define how we as a culture communicate new trends and participate in fast-moving memes. However, like a viral infection, mobile applications, if kept unsanitary, have the potential to spread protected user data across the internet with the same public exposure as the celebrities those users idolize.

First let’s set the stage:

    Mobile Apps = Pop Culture (and more)

    Pop Culture = Volume (fans, apps, speed of adoption) and Income

    Volume and Income = Incentive for Attacks

Let’s review these concepts in action:

Mobile Apps = Pop Culture (and more)

According to VentureBeat, mobile applications are already a $40B industry and could grow to $70B by 2017 (see image), with hardly a single industry not profoundly affected by this growth.

[Image: sectorrevenue (mobile app revenue by sector)]

Consumers use mobile apps to support every part of their lives, from ordering pizza to tracking their exercise routines to managing their money. The consumption and sharing of popular culture is no exception. Likewise, when celebrities race to release mobile apps that engage and communicate with their fan base, people adopt these apps and incorporate them into their daily lives. The pop culture sensations the Kardashians recently released mobile apps to engage with their fans, with unmitigated success.

If you are not familiar with these particular mobile apps’ business model, they are effectively web TV channels for each sister, featuring videos, diaries and a variety of lifestyle content.

In fact, Apptopia, a firm specializing in mobile app usage, estimates that more than 1.5 million people downloaded Kylie Jenner’s app in the first five days. That is well ahead of 398,000 downloads for Khloe Kardashian, 362,000 for Kim Kardashian, and 216,000 for Kendall Jenner. Moreover, an analysis shared with CNNMoney by Apptopia shows that Kylie's app could make $15 million in its first year, as each app costs $3 a month.

Pop Culture = Volume (fans, apps, speed of adoption) and Income

So, to put things into perspective, how popular are mobile apps? Well, not quite as popular as beer – yet! (See graphic below or here.) However, according to forecasted projections, mobile apps will close in on surpassing the beer industry sometime around 2019-2020.

[Image: beerchart (beer industry revenue compared with mobile app revenue)]

But what are the dangers?

The Kardashian/Jenner mobile apps were brought to market at record speed – so quickly that they launched with a misconfiguration that led to widely highlighted flaws in Apple’s App Store. Flaws like these are not easy to uncover because they are not exploits of known vulnerabilities (which are far more easily enumerated and catalogued). However, this design flaw exposes protected user data to anyone who can discover it – basically creating a huge vulnerability in the app’s security and a huge liability for the Kardashian/Jenner family.

By exposing the flaw in the design of these apps, we have identified a challenge well beyond the popularity of the Kardashians. Often the decision to bring an app to market is driven by the desire to capture market share, disrupt an existing market, or – in the case of celebrities – to capitalize on an emerging trend. These priorities drive a development team to rush to market – and, unfortunately, with that rush comes inherent risk.

No matter how secure a company typically is, it needs to take a step back and remember that protecting its users should be the top corporate responsibility on its list. Clearly there is an obvious tug-of-war between speed to market and security in the application space. However, a quickly selling mobile app is a Pyrrhic victory if, in the pursuit of speed to market, a rushed-in vulnerability destroys the very delivery infrastructure built to support it.

Volume and Income = Incentive for Attacks

Clearly we understand that apps which conduct commerce will always be ripe for attack. We also understand that mobile apps which house important information that can be commoditized (like user emails, phone numbers, credit card data, Social Security numbers, etc.) are also at high risk of cyberattack. However, is it as well understood that high-volume or highly popular mobile apps are equally or perhaps even more desirable than apps with the first two characteristics, since they allow an attacker to achieve scale and scope?

Widely deployed apps can easily be abused in conjunction with automated software programs, DDoS tools, Advanced Persistent Threat vectors and malicious code infiltration resources. Simply said, mobile apps like the Kardashians’ and Jenners’ make perfect platforms for nefarious actors to conduct their seedy operations in a more obfuscated manner.

So, given that, here’s a quick punch list of things that should make you feel comfortable about a mobile app’s security:

  • The mobile app’s End User License Agreement (EULA) documentation provides you with certain rights as an end user for data privacy and for redress of grievances caused to you by the service.
  • The mobile app’s activation process explains how the data will be used and stored and why it is being requested. In addition, the process should detail which elements of the phone will be used in providing the mobile app service – such as location and contact list information.
  • Strong authentication. If the mobile app doesn’t support strong authentication, then it is a weak application. Strong authentication means combining any two (or more) of the following kinds of data as part of your authentication into the application:
    • Something you know (e.g. Password)
    • Somewhere you are (e.g. geo-location against a predetermined knowledge of where you SHOULD be)
    • Something you have (e.g. a physical key or device which aids in authentication when used in combination with other data)
    • Something you are (e.g. biometric data)
  • Does the mobile application address platform security risks, including the keychain on iPhone (the option to store passwords) and access to payment applications?
  • Review the data-at-rest processes and procedures. For example, do they enable permanent deletion of user data? Is the data always stored in an encrypted format? What type of encryption?
  • Review the data in transit. Is the mobile application using current encryption protocols such as TLS 1.2, and avoiding transmitting sensitive user data over insecure Wi-Fi networks?
  • Does the mobile application authenticate non-human interactions such as APIs and legitimate bots?
  • Does the application provide you with options to use current security tools to conduct routine assessments of the mobile application’s current security status?
  • Does the application maintain any industry-level security certifications such as PCI, or routine scans visible to the public?
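As an added illustration of the "strong authentication" item above (it is not code from the article, from Radware, or from any of the apps discussed), the following Python combines something you know (a password, stored as a salted PBKDF2 hash rather than in plaintext) with something you have (a TOTP authenticator code per RFC 6238, which is what most mobile authenticator apps generate). Both factors are always evaluated, so a login failure does not reveal which factor was wrong, and the TOTP check tolerates one time step of clock drift. The sample user record and timestamps are constructed; the TOTP secret is the RFC 6238 test-vector key, so the expected codes are the published ones.

```python
"""Two-factor login check: password (something you know) + TOTP (something you have).

Added example with constructed sample data; PBKDF2-HMAC-SHA256 for the password
and HMAC-SHA1 HOTP/TOTP per RFC 4226 / RFC 6238, all from the standard library.
"""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple

PBKDF2_ROUNDS = 200_000   # work factor for the stored password hash
TOTP_STEP = 30            # seconds per TOTP window
TOTP_DIGITS = 6


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); the plaintext password is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current window and +/- `window` neighbours to tolerate clock drift.

    Every candidate is compared in constant time; no early exit on the first match.
    """
    counter = at // TOTP_STEP
    matches = [hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1)]
    return any(matches)


def login(user: dict, password: str, code: str, at: Optional[int] = None) -> bool:
    """Both factors must pass; both are evaluated so the failure reason is not leaked."""
    at = int(time.time()) if at is None else at
    ok_pw = verify_password(password, user["salt"], user["pw_hash"])
    ok_otp = verify_totp(user["totp_secret"], code, at)
    return ok_pw and ok_otp


# Constructed sample user. The TOTP secret is the RFC 6238 test-vector key, so
# the codes it produces can be checked against the RFC's published values.
SAMPLE_SECRET = b"12345678901234567890"
SAMPLE_PASSWORD = "correct horse battery staple"
_salt, _hash = hash_password(SAMPLE_PASSWORD)
SAMPLE_USER = {"salt": _salt, "pw_hash": _hash, "totp_secret": SAMPLE_SECRET}

if __name__ == "__main__":
    t = 59  # RFC 6238 test time: 6-digit SHA1 code is 287082
    print("code at t=59:", totp(SAMPLE_SECRET, t))
    print("login ok:", login(SAMPLE_USER, SAMPLE_PASSWORD, totp(SAMPLE_SECRET, t), at=t))
    print("wrong password:", login(SAMPLE_USER, "guess", totp(SAMPLE_SECRET, t), at=t))
```

In a real app the secret would be provisioned to the authenticator once (typically via a QR code) and stored server-side encrypted at rest, which ties this factor back to the data-at-rest item in the list; the password hash and salt would live in the user store, never the password itself.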

In the end, we must acknowledge that mobile app hacks are an eventuality and information security is a life-long game of cat and mouse. The human desire to usurp is matched by an equally powerful motivation to secure. So which one wins? The one we pay more attention to.

Copyright ©2019. All Rights Reserved BNP Media.