Many organizations take a risk-based approach to security, evaluating cyber risks and their resulting business impacts on the organization. Certain risk triggers may signal the need for increased security defenses in a particular area – including the organization’s mobile apps. Unfortunately, mobile app security is often overlooked due to developers’ demanding timelines. However, the potential consequences of a mobile app security breach could include IP theft, data loss, monetary loss, reputational damage, and more.
Specific to mobile AppSec, the four risk triggers below may signal it’s time to reassess your security posture.
A merger or acquisition is a time to do due diligence on many different aspects of the business – not just financials. After an M&A event takes place, the integration process begins. Each company is entering unfamiliar territory with one another’s IT systems, policies, hardware, software and digital assets – including mobile applications. If one organization fails to thoroughly protect its mobile apps, it could put the entire combined entity at risk.
An M&A may trigger a larger cybersecurity risk assessment, which could uncover potential vulnerabilities within both internal systems and external applications. For example, the organization may ask questions such as “What critical assets and data could be at risk?” and “Has there ever been a cybersecurity breach?” On the mobile side, the security team may look at resources and frameworks like the OWASP Mobile Top 10 to determine if applications are at risk of any of the top threats.
A compliance or security audit could trigger a full review of the organization’s entire digital portfolio, including its mobile apps. Sometimes, organizations hire external auditors to examine their internal security practices. This often happens when organizations need to achieve certain security benchmarks, such as SOC 2 or industry-specific standards such as FedRAMP. In addition to ensuring the organization's intellectual property is protected, these benchmarks may help the organization sell to certain sectors. They demonstrate to current and potential customers that security practices are airtight.
Other times, something more serious happens. Many organizations are subject to regional data privacy and security regulations such as GDPR, CCPA, PCI DSS or PIPEDA. Or, they may operate in a highly regulated industry such as financial services, government or healthcare. A violation within a mobile application may prompt an auditor to review the company’s security practices. Potential consequences could include fines, as with GDPR, or even a shutdown – temporary or permanent.
Often, organizations wait until it is too late to evaluate their mobile application security. Malicious actors look for low-hanging fruit on iOS and Android app marketplaces. One of the ways in which they can execute an attack is by spotting an unprotected app and reverse-engineering or tampering with it. Potential mobile threats can include API key extraction, IP theft and cloning, credential harvesting and more.
A security breach can expose vulnerabilities that were unknown to the organization before, and force a remediation. A more controlled way to make these discoveries is through penetration testing or Red Teaming. Either internal teams or third-party contractors can simulate attacks on a mobile application or its environment to uncover potential vulnerabilities. That way, the company can remediate any issues before the application is published and downloaded.
A new mobile application could trigger the business to reconsider its security practices. A lot of energy and excitement can go into the business and functional requirements-building process for a mobile application. Security requirements should be prioritized right alongside planning for the end-user’s experience.
While it may be an unfamiliar way for development teams to work, a secure software development lifecycle should be prioritized while the application is initially built and as it’s maintained. This means – among other things – that developers proactively address security from the outset by following secure coding best practices. That way, it’s less likely that a hacker will find the application an easy target. The right training and tools can make it easier for mobile development teams to move both quickly and securely.
One way to integrate security into the code itself is through application hardening. By layering multiple types of security defenses, organizations can protect their applications against some of the most common types of attacks hackers use today.