In a recent livestream with We Hack Purple, I discussed vulnerabilities that impact mobile applications and in one example I introduced the concept of thinking about a shared responsibility model in mobile app security.
In other security domains, security professionals have embraced the concept of a shared responsibility model when thinking about the roles and responsibilities for securing data or services when more than one party is involved in providing that service. This model became well established as more companies shifted their applications to cloud-based infrastructure, where they were no longer in complete control of the infrastructure and environment on which their applications, services and data reside. A shared responsibility model became necessary to make clear the roles and responsibilities of these different parties in maintaining control of the data and maintaining the integrity of the systems.
When we think about mobile devices and the applications we develop for those devices, a similar paradigm exists.
Consider an end-user accessing sensitive information through a healthcare or banking app developed by their trusted app provider, running on an Android device. Securing the personal data and protecting the integrity of transactions is important to everyone that forms a part of that mobile app ecosystem.
| Stakeholder | Interest |
|---|---|
| Consumer / end user | Wants to ensure they are not a victim of fraud and that their data is not exploited |
| App developer / publisher | Wants to ensure that transactions are legitimate and that mobile apps and APIs are secure, so that they don't suffer data breaches and their brand and reputation in the market remain in good standing |
| App protection vendor | Wants to protect applications from reverse engineering and tampering that can result in targeted attacks against their customers |
| App store / OS / device manufacturer | Wants to build trust and confidence in the applications and ecosystem to gain adoption of their devices and software |
We've established that multiple parties all have a shared interest in making sure the apps they use, provide or support are trusted and secure. Given that, what roles and responsibilities does each of these stakeholders have in ensuring the security of their data or system?
An end user needs to take some responsibility for using their mobile phone in a responsible way. This means only obtaining apps from reputable, trusted app stores and being aware of the risks of phishing and the various scams that attempt to defraud users. Other stakeholders can support the user through awareness and education, clear communication about permission controls, and generally keeping them informed of the risks.
App developers should seek to understand the threat model for their application or services, including the specific risks and potential for fraud that can impact their app users. The risks and threats that are material should be addressed with appropriate mitigating controls to protect users' data, and developers should regularly assess the security of their application.
App Protection vendors (such as Guardsquare) employ security researchers and engineers that understand the constantly evolving threat model that impacts mobile applications and develop effective and usable app protections that can be implemented.
The platform (the device, operating system or app store) is a critical part of the shared security model. It is provided by vendors like Apple (iOS) and Google (Android), though in the case of Android it is a distributed ecosystem, with additional roles and responsibilities for device manufacturers. The devices and operating systems need to implement a secure architecture, should be regularly updated to protect against discovered vulnerabilities, and should minimize the potential for abuse of their platform. Apple routinely patches its devices and operating system to protect against zero-day vulnerabilities. We've also recently highlighted examples of how the Android architecture is susceptible to abuse of its accessibility services API, a design decision by Google that can impact the security of users and applications in the Android ecosystem. The app store also needs to implement controls to ensure the quality and legitimacy of the apps that are published; we've seen Google and Apple make significant progress in addressing the presence of malicious apps in their respective app stores.
The security of our mobile app ecosystem relies on a shared responsibility.
As a contributor to the shared security model, Guardsquare is committed to delivering the strongest mobile app protection, free mobile app testing, and informative research to help contribute to a safer mobile app ecosystem.
To learn more about how Guardsquare can help you identify and protect against reverse engineering and tampering, connect with one of our experts now!