28 Jan 2011
Application security vendor Veracode is calling on independent standards bodies to put their weight behind its list of the top 10 mobile app risks to help drive the development of more secure applications.
The firm's Mobile App Top 10 List aims to do for mobile apps what the SANS Top 20 does for critical internet security vulnerabilities, by raising awareness across the industry and driving out insecure applications.
The list covers malicious code intentionally inserted by internal developers and third-party providers, as well as coding errors, which can also lead to critical problems, according to Veracode chief executive Matt Moynahan.
Apple, Google and other mobile app platform vendors pay minimal attention to the security of the software sold from their app stores, Moynahan argued.
"Google and Apple are playing with their customers to some extent because they give their blessing to these apps but no-one actually wants to stop their proliferation because that would stop the platform growing," he said.
"There are only half a dozen checks Apple has on the iPhone list, and clearly Android is the Wild West when compared to the iPhone. There must be some consistency and accountability across these app stores."
As more smartphones and tablets are used in the corporate sphere, mobile apps increasingly represent a security risk to the enterprise, he added.
Moynahan said that he is "very confident" that a body like the Open Web Application Security Project or the National Institute of Standards and Technology will step in and approve the list as an industry standard, in order to "fill the vacuum in the mobile app space".
Rik Ferguson, senior security advisor for Trend Micro, broadly welcomed the plans.
"One of the few characteristics of mobile app development is that it's open to anyone, and there's lots of scope for coding errors," he said.
"There's also scope in Android for deliberate malicious activity, so something like this list certainly wouldn't do any harm."
Ciaran Rafferty, UK managing director at Sophos, argued that another way to solve the enterprise security risk posed by potentially dangerous apps is with solutions such as BlackBerry Balance, which allow users to switch between work and leisure profiles on the same phone.
In this way, IT admins can control a locked down enterprise profile with its own strictly vetted apps, which is completely separate from the consumer-focused profile where users can access their other applications.