Categories: SecurityWorkspace

HP Report Spotlights Mobile Encryption Risks

Many applications are misconfigured and most mobile apps don’t use encryption properly, according to Hewlett-Packard’s 2013 Cyber Risk report released on 3 February.

HP’s research shows that 46 percent of mobile apps don’t use encryption properly, Jacob West, CTO of Enterprise Security Products at HP, said. “That’s a really shocking number because there is such attention being paid today on keeping mobile data safe,” West told eWEEK.

Mobile encryption

Mobile developers now have the benefit of being able to learn from the security experience that the Internet industry has gained over the last decade in terms of best practices. Going a step further, many of the toolsets and frameworks that mobile developers use today typically have encryption capabilities built-in.

“We don’t see mobile developers having to roll their own encryption in an ad hoc way,” West said. “That’s an area where developers in the past always made mistakes.”

There are still problems with encryption because, typically, developers aren’t also security experts, West said. Developers face constant pressure to rapidly develop and deploy apps that also might be having an impact on security, he added.

Looking beyond just mobile apps, HP found that 80 percent of applications, in general, are misconfigured, which leads to insecure deployments.

“Even if developers build their code perfectly, and even if the initial configuration that comes out of development is secure, then there is still the opportunity for an operations person to alter the configuration and introduce insecurity that wasn’t present during the development and testing period,” West said.

West sees the application misconfiguration issue as a significant concern. More communication between developers and operations people is needed to mitigate the risk, he said. The operations people need to be more aware of the way applications are built and need to be properly configured, and developers need to make sure that operations people don’t get the opportunity to introduce risks that aren’t necessary, he advised.

One of the many activities undertaken by HP’s security division is the Zero Day Initiative (ZDI), which buys vulnerabilities from researchers. ZDI then uses the information to build protection and also responsibly discloses the information to the affected vendors.

In 2013, ZDI had more vulnerabilities submitted against Microsoft’s Internet Explorer web browser than any other single product, including Oracle’s Java. In January, Cisco’s 2013 security report pointed the finger at Java as being the culprit for more than 90 percent of compromises in 2013.

Internet Explorer’s dominance – as the technology with the most submissions to ZDI – is curious, West said, particularly since IE’s share of the browser marketplace has eroded in recent years as Google’s Chrome, Mozilla Firefox and mobile browsers have increasingly become popular.

So why is IE such a popular target? The profile of IE users could be a factor in its vulnerability, West said. “These are the users that adversaries are going after; they tend to more likely be in business environments,” West said. “IE is the most prevalent browser on the systems that attackers want to compromise.”

Are you a security pro? Try our quiz!

Originally published on eWeek.

Sean Michael Kerner

Sean Michael Kerner is a senior editor at eWeek and contributor to TechWeek

Recent Posts

Apple, Google Mobile Ecosystems Should Be Investigated, CMA Told

CMA receives 'provisional recommendation' from independent inquiry that Apple,Google mobile ecosystem needs investigation

2 days ago

Australia Rejects Elon Musk Claim About Social Media Ban For Under-16s

Government minister flatly rejects Elon Musk's “unsurprising” allegation that Australian government seeks control of Internet…

2 days ago

Northvolt Files For Bankruptcy Protection In US

Northvolt files for Chapter 11 bankruptcy protection in the United States, and CEO and co-founder…

3 days ago

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

3 days ago

Former Policy Boss At X, Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

3 days ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

3 days ago