Developers are experts in spinning wonderfully-shiny, horribly-insecure apps, according to research from Aspect Security.
Social media meeting buttons and go-live dates rate far higher with app developers than the need to ensure the security of private data.
Worse, devs couldn't secure apps if they wanted to, according to the company's year-long study.
The majority of some 1,400 random devs from 700 businesses flunked a set of multiple-choice application security tests covering 53 topics, obtaining a 60 per cent mark and a "D" rating.
The most terrible carnage was found in the protection of sensitive data, which 80 per cent of developers flunked.
Security architecture and models baffled three quarters of responding devs who chose the wrong answer in what may answer the question of why architecture-level vulnerabilities existed in apps.
And two thirds flunked "Introduction to Web Services Security", which is bad news for organisations with rich clients, public APIs, or who are moving to service oriented architecture.
The report also detailed failures in data layer and URL access control and securing web app sessions.
"You would think that after 15 years of securing sessions in web applications, this area would be
a simple one for developers," the report authors wrote
"Results show only 52 percent of participants passed this area.
"Securing sessions improperly leads to session hijacking and other attacks. Developers must understand that session ids are just as sensitive as passwords and must be protected accordingly."
Twenty two "serious vulnerabilities" were found in each "mission-critical" enterprise app the security consultancy examined, lending credence to statistics cited by the company that organisations spend 1.7 percent of security budgets on locking down applications.
Most responding devs were from the financial sector, with less than two years' experience. About a quarter had more than 10 years working as an app developer.
Devs were however capable of besting click-jackers (where buttons may be overlaid with iframe content), SQL injection and Cross-Site Request Forgery, but that knowledge or lack thereof did not correlate to experience.
Application Security said devs needed to be taught the security good news when they began to specialise in a given area, and not after, the report said.
The research comes as Gartner quipped in its own research that 75 percent of mobile apps failed basic security tests.
Gartner researcher Dionisio Zumerle said that figure -- a low one according to Australian security constancies -- meant enterprises deploying BYOx projects to allow staff to fondle iThings on the corporate network were at particular risk.
"Most enterprises are inexperienced in mobile application security. Even when application security testing is undertaken, it is often done casually by developers who are mostly concerned with the functionality of applications, not their security," Zumerle said. ®