Mobile app security continues to be a weak spot for many organizations. During 2018, one in 36 devices used in organizations could be classified as high-risk. Why? Many of these devices had been rooted or jailbroken, and many others were malware victims (at times, both come into play). Considering there are currently 3.5 billion smartphone users worldwide, one in 36 devices translates to approximately 97 million compromised devices.
Unfortunately, these numbers reflect a reality: organizations that build and deploy mobile apps often do not apply the same level of security to these assets that they apply to the rest of their information technology stack.
To properly secure the sensitive data that likely passes through and resides within your mobile apps (ranging from customers’ personal and financial information to corporate intellectual property), apps must receive the same level of security care and attention as every other piece of technological infrastructure. Without proper care and attention, bad actors can and will take advantage.
To that end, today we want to talk about three myths that surround mobile app security and share some strategies for better defending your mobile apps against the very real risks present in the market.
Mobile applications are one of the most common ways that users interact with an organization’s services, yet they often lag behind web, desktop, and other services when it comes to security. As the DevSecOps (or SecOps) movement has spread throughout the technology industry, mobile app development has at times been left behind the curve. This means there is often not a tight feedback loop between security and development teams, which can lead to mistrust, slower release cycles, or insecure apps.
The best way to ensure the security of mobile apps is to involve both the development team and the security team in implementing best-in-breed security measures early and often in the app’s lifecycle. This includes taking a multi-layered approach. We recommend applying obfuscation techniques to code so that it is not easily read by hackers, ideally using tools like DexGuard or iXGuard, which let the development team balance lean development cycles with security requirements. Dynamic security protections are also required as part of a multi-layered security strategy, to prevent theft of both information and the IP embedded in code.
We’ve written before about misconceptions around iOS security, but it bears revisiting, especially given recent headlines around the checkra1n jailbreak exploit. This jailbreak is permanent and has been sweeping the internet, and app developers are recognizing the potential for unauthorized data exposure or modification by hackers operating from jailbroken phones.
Additionally, iOS piracy is more common than many realize. Pirated apps endanger in-app revenue (which accounts for 96% of consumer spend in non-gaming apps) through the distribution of modified or “cracked” apps (Android and iOS) and, primarily on iOS, through “tweaks” that modify an app’s behavior. Either form of piracy can enable users to access paid features for free, which decreases revenue for many organizations.
It’s key to develop strategies against threats like jailbreaking and piracy if mobile apps are a key aspect of your business strategy or revenue streams. The Apple App Store does indeed provide a bit more security to end users than Android, but it’s still the case that developers need to take extra precautions to fully secure their apps and protect their own organizations.
It’s important to secure mobile apps so that customer data is not stolen or misused, harming trust and reputation. However, companies must also recognize that they are at great risk, too, when valuable and innovative source code is stolen. This can happen because mobile apps are inherently vulnerable to hacking and reverse engineering.
Typically when intellectual property (IP) is stolen via a mobile channel, it is a result of piracy and/or cloning of partial or entire mobile apps.
And lest you suspect that this is an edge case, the reality is information theft is the most expensive and fastest growing cybercrime. It is estimated that IP-related cybercrime accounts for $50 to $60 billion of global losses yearly. Of note, this type of crime is increasingly targeted at the gaming sector (which, as you may know, is the largest and most valuable area of the mobile app industry).
Theft of intellectual property is another compelling reason organizations must properly secure their mobile apps against the complex and ever-evolving attacks that hackers launch.
While it may be daunting at first to undertake the project of better securing your mobile apps, it’s important to have a game plan for defending against the very real attacks and risks discussed above. These threats can impact your business in dramatic ways, so organizations must fully secure their mobile apps to decrease risk.
Once you have brought your security and development teams into alignment, one of the key ways to improve your mobile app security is to take a layered approach. Rarely is a single mechanism or solution sufficient to protect against all of the creative ways that maliciously motivated actors will attempt to compromise your hard-earned app revenue and sensitive data.
Both code hardening and runtime application self-protection are necessary to ensure a truly tough security posture. The best approach to mobile application security brings development and security teams into close alignment to implement strong and layered security across mobile applications.