Mobile goldrush pans security

There's an app for that...

Although mobile apps are the toast of the digital community, danger lies ahead, according to experts.

Howard Schmidt, ISF President, said: “There’s a real focus on mobile at the moment. We’re replacing the laptops that we used to carry with smartphones, and as these become more valuable, they become more of a target. The apps that are being developed now are very exciting, and everyone wants to download them and play around, but it’s entirely likely that source code checks aren’t being done as rigorously as they should be. Due diligence is simply not being done in my opinion.”

Mobile apps have seized the public imagination of late, mainly due to the success of the iPhone and its marketing machine. A variety of analysts now predict that widget and app-based access will imminently become a large part of overall online traffic. The rush to emulate the success of Apple’s App Store (more than 100 million applications downloaded) is driving a huge investment in consumer apps, and business is not far behind. SAP, Oracle, Sage and Salesforce all offer mobile apps of one flavour or another, and their peers are chasing hard.

According to a recent report from research firm Gartner, the top consumer app areas for 2012 will be money transfers, location-based services, mobile search, mobile browsing, mobile health monitoring, and mobile payments.

Steve Smith, MD of Pentura, agreed: “Keeping on top of mobile applications will be a real challenge for businesses in the near future. Rich features and this urge to rush to market mean that proper code reviews and pen testing simply isn’t being done. Re-configuring web application firewalls (WAFs) to cope with mobile apps is probably being forgotten also...”

Perhaps ironically, it was only recently that the importance of securing web apps was recognised, as hackers began to focus on the new attack vector. Many web apps deployed after the dotcom boom were never designed to be 'online' at all, and their designers had never considered the implications of malicious attacks, only the effect of human error. An industry initiative aimed at tackling the problem, SAFECode (from EMC, Juniper, Microsoft, SAP AG, and Symantec), was only launched in late 2007, while the PCI standard, section 6.6, covering methods to secure web applications, was only fully clarified in 2008.

Schmidt continued: “This situation isn’t the manufacturers’ problem to solve however, as most of these apps are developed by third parties. It’s down to businesses and end users to demand better security practices.”

The PCI Standard 6.6 guidelines



