SAN FRANCISCO – Companies that are hoping to catch a ride on the mobile wave should pay close attention to the application development firms they choose to work with, unless they want to be saddled with a buggy and insecure albatross bearing their corporate logo, a leading application security expert warns.
“If you thought the Web development world was crazy five years ago, this is five times as bad,” said Chris Wysopal, the co-founder and Chief Technology Officer at Veracode in an interview with Threatpost ahead of the annual RSA Security Conference in San Francisco. “It’s really a Wild West out there.”
The question of securing mobile devices looms large here at RSA, where security experts will tackle aspects of the issue in more than 20 sessions during the five-day conference.
Even putting aside concerns about the ability of cyber criminals to infiltrate mobile marketplaces like the Android Market, Wysopal said enterprise concern about the security of mobile applications is well placed. Mobile application development is experiencing a Gold Rush, with novice developers, often just out of school, streaming into the space hoping to score well-paying jobs and, maybe, make their mark with the next Angry Birds or DoodleJump, Wysopal said.
“The people building these apps, this may be their first experience doing application development. They’re right out of school, they took a class in Android or iOS development and now they’re out in the market commercially building applications for large enterprise,” he said. “If I were in the enterprise, I’d be concerned about the apps you’re having other people build you.”
Novice developers often lack knowledge of secure coding practices, and might bundle in different libraries without a full understanding of their purpose or capabilities, Wysopal said.
Much of the early development has been focused on entertainment and personal productivity, Wysopal said, but that is changing as smartphones and tablets become more deeply enmeshed in the office environment. In the months ahead, more firms will begin looking for ways to tap into the business market with mobile applications geared to the enterprise, especially in verticals like health and finance.
Wysopal said he expects device and platform vendors like Apple and Google will have to do a better job vetting applications offered through their application exchanges. Recent controversies over the introduction of malware into the Android marketplace as well as undocumented behaviors in the mobile version of the Path social networking application will force changes, Wysopal said.
“They’re going to have to. This will be a customer demand.”
Listen to the full interview with Chris Wysopal of Veracode in this Threatpost podcast.