Only 3% of the top 200 iOS apps installed on enterprise devices worldwide have fully implemented Apple’s coming data encryption requirements, research shows.
In June 2016, Apple announced that App Transport Security (ATS) will become a requirement for new App Store apps from 1 January 2017.
With less than a month to go before ATS becomes a requirement, researchers at enterprise threat protection firm Appthority found just six of the 200 top enterprise iOS apps conform to ATS.
“Appthority researchers found that the majority of apps in the enterprise don’t fully utilise the best practices encryption standard, which should be a concern to enterprises,” said Robbie Forkish, vice-president of engineering at Appthority.
“The new ATS mandate only applies to new submissions to the App Store, and Apple will be allowing exceptions to ATS, so, while the requirement should strengthen data security, there will still be iOS apps not using data encryption in enterprise environments, even after 1 January 2017.
“For this reason, it’s incredibly important that businesses have visibility into, and management of, the risks related to apps with these exceptions, as they can put enterprise data at risk,” he said.
The research also revealed 55% of apps in use by enterprises allow the use of HTTP, instead of requiring HTTPS, while 83% had ATS disabled for all network connections and 26% had ATS disabled at a global level, with specific exceptions set up for domains.
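For enterprises that want the visibility Forkish describes, the sketch below classifies an app's ATS settings from its Info.plist. It is an added example, not Appthority's tooling or code from the research; it reads only Apple's `NSAppTransportSecurity`, `NSAllowsArbitraryLoads`, `NSExceptionDomains` and `NSExceptionAllowsInsecureHTTPLoads` keys, and the status labels, their mapping to the research's categories and the sample plist are assumptions constructed for illustration.

```python
import plistlib

# Constructed sample Info.plist (not taken from any real app).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.constructed</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>api.example.com</key>
      <dict><key>NSExceptionAllowsInsecureHTTPLoads</key><false/></dict>
      <key>legacy.example.com</key>
      <dict><key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
    </dict>
  </dict>
</dict></plist>"""


def audit_ats(plist_bytes):
    """Classify ATS configuration from Info.plist bytes (XML or binary)."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity") or {}
    arbitrary = bool(ats.get("NSAllowsArbitraryLoads", False))
    domains = ats.get("NSExceptionDomains") or {}
    # Domains explicitly allowed to load over plain HTTP.
    http_domains = sorted(
        name for name, cfg in domains.items()
        if isinstance(cfg, dict)
        and cfg.get("NSExceptionAllowsInsecureHTTPLoads", False)
    )
    # With ATS off globally, a listed domain that does not allow
    # insecure loads has ATS switched back on for that domain only.
    enforced = sorted(set(domains) - set(http_domains)) if arbitrary else []
    if arbitrary and enforced:
        status = "disabled_globally_with_domain_exceptions"  # assumed label
    elif arbitrary:
        status = "disabled_for_all_connections"              # assumed label
    elif http_domains:
        status = "http_allowed_for_listed_domains"           # assumed label
    else:
        status = "ats_enforced"                              # assumed label
    return {
        "bundle_id": info.get("CFBundleIdentifier"),
        "status": status,
        "allows_http": arbitrary or bool(http_domains),
        "http_domains": http_domains,
        "ats_enforced_domains": enforced,
    }


if __name__ == "__main__":
    print(audit_ats(SAMPLE_PLIST))
```

Run against the Info.plist extracted from each app in an inventory, the `allows_http` flag separates apps that can still send data unencrypted from those that cannot.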
According to Appthority, existing apps that do not comply with the ATS mandate will not be removed from the App Store, which means enterprises will have to continue to be vigilant about apps in their environments.
The research is aimed at explaining the technical requirements of ATS, the mechanisms Apple is providing for acceptable exceptions, and what ATS does and does not do to help app security.
James Lyne, global head of security research at Sophos, has warned that insecure commercial and internal mobile app coding practices leave the door wide open to cyber attackers.
A lot of emphasis is placed on the millions of mobile malware samples being detected, but he said insecure apps could represent an even greater threat.
“Programming practices are pretty bad, despite there being ready-made security functionality available to consumers, but this is just not being used,” he told Computer Weekly in February 2016.
Lyne, who conducted an analysis of 1,000 top apps focusing on encryption, data transmission, authentication and data storage, said it was “quite shocking” how many applications, including large brands, fail to make use of the security features available on mobile devices.