Quickest way to defeat cyber security is to not engage it

by Steve Blum • , ,

Newsflash! Bad software development practices cause bad results. That’s the gist of a press release issued by Appthority, an IT security company specialising in the mobile enterprise sector.

What Appthority found isn’t a particular revelation. Developers will often hard code their own login credentials into apps while writing and debugging early versions, just to keep things simple. If they forget to remove that data before moving into beta testing and launch phases, it’s there for the taking. And exploiting.

And that’s what Appthority claims it found in hundreds of mobile applications, including “an app for secure communication for a federal law enforcement agency”.

The core problem is developer laziness. It’s tempting for a coder to take shortcuts while developing an app, with the sincere intent of cleaning things up later. Except later never comes. With apps often the work of a single person or a small team, quality control checks are sparse – a problem not confined to small shops, by the way. Right now, it’s up to the stores – Apple and Android, primarily – to do the final QC work. They’re effectively the last line of defence and I’d bet they’re taking a look at how they can better target this particular problem.

One measure they should consider is disbarring repeat offenders from their developer programs. It’s easy to make a mistake out of ignorance, but failing to learn from the experience is pure stupidity.

As far as high security applications go, it’s up to the end user to confirm that an app meets spec. A lack of IT talent and, even more importantly, work ethic is an increasingly worrisome problem at the federal level, at least judging by the most recent GAO report.

Appthority says that it notified the companies most involved, but there are still 170 affected apps “which are live in the official app stores today”. It didn’t release a list of the apps, though, so there’s no way of knowing whether any are sitting on your phone now.