Thousands of consumers are opening themselves up to serious security risks because they don't regularly connect to Wi-Fi, mobile security firm Codified tells Techworld.

Codified Security, which provides automated security tooling in the mobile space, found that the vast majority of FTSE 100 businesses have insecure apps available for download. Only four of the top 100 were found to be adequately secure – and the emergence of good 4G coverage means far fewer users are frequently connecting to Wi-Fi, the default for apps to update and plug holes in the security.

Image credit: Flickr Creative Commons/Cory Doctorow
Image credit: Flickr Creative Commons/Cory Doctorow

According to Codified Security cofounder Martin Alderson, this is leaving customers wide open – especially with the amount of sensitive information contained on our devices.

"The default is pushed by the network carriers because they would have such high data usage if that wasn't the default," Alderson explains. "It's an unfortunate default because a lot of people don't connect to Wi-Fi very often – and that means they're not getting security updates at all for these applications. That's something the industry really needs to look at."

It probably doesn't help that public Wi-Fi has a notorious reputation for being insecure, meaning many people will connect only to trusted networks such as in the office or at home. But in some cases, rarely those either.

"It can often be days or weeks before somebody connects to Wi-Fi, and that's quite a long time in security terms."

The counterexample is the PC: Microsoft for example was well known for Patch Tuesday, the second Tuesday of each month when it used to roll out security updates to Windows customers. Now it installs these as and when they're needed. But PCs are usually connected by Wi-Fi or LAN, so this is less of a problem.

But there is a disparity between how security is understood through the lens of a PC and through mobile. It's old news that computers are vulnerable and prone to infection – but smartphones are arguably tied even closer to the identities and personal finance of their users, and are almost always on.

"Before, security was definitely important – but maybe not the end of the world, in terms of your bank account details probably wouldn't get hacked," says Alderson. "But Apple Pay and Android Pay are being pushed very heavily, and I think app developers need to start realising that people are putting credit cards on their phones – these could be the only cards they've got, and they could have a lot of money on here."

"That's really changed the dynamic from security being important but nice to have – not a phrase I'd use – to becoming absolutely essential because there's so much personal and financial information on our phones."

Alderson believes that the market will catch up to this eventually as access through mobile apps becomes the de facto mode of operating for a large number of customers.

But a serious problem is with the legacy apps that are still available for download across the various app stores.

"A key takeaway is that a lot of people have apps that haven't been updated in a while, and some of these legacy apps are riddled with really bad security vulnerabilities," Alderson explains.

"Often you'll see if a company has multiple apps, maybe their flagship app has been penetration tested quite well, but a lot of the other ones haven't at all – and these still contain their brand, and personal information, and that kind of stuff."

The industry as a whole needs to get its head around the app update cycle, but it's something that the biggest telcos in particular might struggle with until more spectrum is made available.

"If we change the default overnight, they'd probably see their data usage go up by two or three times," Alderson says. "That would probably completely congest their networks. Until we've got more spectrum availability on mobile networks I don't think that will be changed in the near future – but it should be."

An alternative could lie in a consumer awareness drive from manufacturers of the OS or of the devices to alert users more clearly that there is a great security risk if apps are not updated. "They don't really articulate the security risk of not updating – they just say there's an update available, which is not as interesting, I think," Alderson says.

There are some big players looking towards Codified Security, currently under NDA, and the five-person company was recently accepted into Cylon, Europe's BAE-backed cybersecurity accelerator. Alderson says he and cofounder Marcus de Wilde noticed about a year ago that the security of mobile was far behind web and backend databases, and the customer feedback has suggested that this is the case.

"We quickly realised a lot of the tasks we were doing were completely automatable, so we built a cloud-hosted platform that allows people to upload their apps quickly and easily," Alderson says. "They get decompiled and then we bring security to them, plugging in where developers went wrong and giving them more confidence in the security of their applications."

"People are finding there's not a huge amount of automated tooling in mobile development for security, so we're really scratching an itch with people."

The business has its offices in Farringdon, London, and in the near to medium term it hopes to continue building its client list, engage with more pilots, and use the cash it takes from some of the big-name customers in the pipeline to reinvest in the business.

"Then start growing quite rapidly," Alderson says. "Hopefully, to be a thought leader in mobile security – to use that contrived phrase!"