The Stack Archive

An end to ‘Here today, breached tomorrow’ mobile crapware

Mon 28 Sep 2015

It’s time for businesses to grow up. Harsh words, perhaps, but true.

The rapid evolution of wireless communications, largely driven by the mobile industry, has made the world we live and work in an anywhere, anytime environment. The usage of applications across mobile devices has significantly transformed end-user expectations about digital communications, applications, content and commerce. Enterprises without a mobile strategy risk being left behind by their competition; those with existing or new mobile applications have a duty to be aware of the vulnerabilities living within their application.

Digital transformation is driving many businesses to change their application development models and IT architectures to satisfy the agility demands of their business stakeholders. For businesses competing in lucrative market spaces, being the first to market and having the ‘best’ mobile application helps them stand out from the crowd. The rapid growth and demand for mobile apps results in fast-paced application launch schedules, with enterprises often releasing mobile apps that satisfy the immediate needs of a customer but lack the required quality and care in the development of the apps – harming the long-term relationship between brands and buyers.

According to analyst firm IDC, 94% of large enterprises have either implemented or will implement some form of mobile application development platform. But are they ready to do this? For mobile applications to be successful, they can’t afford to be thrown together in a patchwork fashion with existing enterprise applications and platforms. It opens the door to cyber attackers, and makes the applications nearly impossible to maintain on an ongoing basis, introducing weaknesses that decrease the availability of core enterprise systems linked to the new mobile applications. This is not theory; we’ve seen this kind of snafu happen time and time again across the UK, particularly mobile banking apps for institutions such as Natwest, RBS and Santander.

Breaking bad habits

With the number of enterprise mobile applications set to quadruple by 2016, mostly driven by competitive necessity and rapidly evolving technologies, businesses are currently stuck in a mindset of ‘get it out now,’ focusing on the speed and agility of the mobile application. Key considerations like robustness, foundational security and efficiency are often given short shrift. Speed and agility can be achieved, but there must be a balance between the technical design and an understanding of the customer experience.

Analysing and measuring the quality of mobile app software

One way to improve the quality of applications, be they mobile or enterprise, is to automate the analysis of the software and coding on the application, as well as examining the multiple layers of complexity presented by different components. For example, a new mobile application may need to work seamlessly with existing legacy user interfaces. However, too often, different teams manage them, each making their own “silo” work as well as it can. Injecting new elements, where mobile applications access services from around the infrastructure, comes with its own risks to each component. Such risks may cause the new code element to not perform as advertised or desired, creating chaos that sees users and market share disappear.

The automated analysis of code at the whole transaction level can rapidly identify potential challenges and vulnerabilities facing the mobile application, enabling developers and IT staff to solve them and head off problems before they get worse. By doing so, it gives businesses the winning edge when competing in a lucrative and fast-evolving market.

Getting the message across to the team

Education of both engineers and non-technical stakeholders should be at the forefront of this effort. Businesses must communicate with peers about the direct link between software quality and security. These days, whoever is responsible for the creation and launch of a mobile application is charged with ensuring the quality of the code. If not, they place the reputation of the organisation at risk and should be held accountable when a glitch occurs, such as security vulnerabilities caused by poor coding or system architectural decisions.

This is an important point: Attention to software quality by developers is paramount, but at the developer level we’re looking at the kind of software quality that basically amounts to hygiene. It’s important to have a structural view of quality across all of the system’s components and transactions, to find the kinds of issues we’re seeing in play today. This end-to-end analysis of software results in the ability to identify reliability, performance and security issues, which is far more involved than just basic software hygiene.

To further the education and adoption of software quality and security, significant new standards have been developed in the industry to help developers and enterprises consistently measure the quality of their software. The Object Management Group (OMG) recently approved a set of global standards proposed by the Consortium for IT Software Quality (CISQ), which helps companies quantify and meet specific goals for software quality. CISQ’s measurement standards cover security, reliability, performance and maintainability. This allows businesses to ‘certify’ the quality of their codebases, gives the added benefit of a standard measurement for the quality of any outsourced code, and makes that quality easier for non-technical stakeholders to review. It also helps to reduce unexpected delays to releases, and allows software quality standards to detect critical violations of good architectural and coding practice in software.

Why do businesses need to grow up?

Due to the nature, size and complexity of software, it is almost impossible to completely protect it from disruptions and breaches. Understanding the importance of a secure architectural foundation and insisting that developers comply with industry standards will be the first step to ensuring the highest quality of software development on the mobile application.

The sheer cost of application downtime, which can run into millions of pounds in lost sales at larger organisations, and the loss of reputation among customers, who increasingly have their pick of any number of services, can’t be ignored. In other words, if the customer is presented with a badly developed mobile application, they are going to get frustrated and are less likely to come back. Businesses need to grow up and bring an end to the mindset that inevitably leads to ‘Here today, breached tomorrow’ mobile crapware.


By Lev Lesokhin, EVP, Strategy and analytics at CAST Software
