Things have changed significantly for chief information security officers (CISOs) in the last 10 years. Security is now a CEO- and board-level concern, with breaches costing companies consumer trust, buyer loyalty and, in some cases, millions of dollars. As security has become a central issue that touches everything from finance to legal to HR, CISOs' roles have evolved too.
In fact, the Wall Street Journal recently recognized this shift, citing a Forrester survey that found a decrease in CISOs who report to the CIO (from 38% in 2018 to 35% in 2019) and an increase in CISOs who report to the CEO or president (from 16% in 2018 to 18% in 2019). While this is not a huge shift in terms of numbers, we do believe it is part of a larger trend of security being recognized as an important concern as well as a business driver.
As the CISO role has evolved, the threats have changed as well. Mobile apps, a category that only came into being with the app stores of 2008, today represent a significant and perhaps overlooked center of risk.
Hackers know that mobile apps are often overlooked within a company's security portfolio and focus their efforts on them as a result. Common threats targeting mobile apps include:
API key extraction
IP theft and cloning
The question becomes, how can CISOs guard against mobile app threats? Below are three key areas where CISOs today should ensure their teams have an appropriate strategy in place.
Many people mistakenly believe that iOS applications cannot be reverse-engineered, thanks to Apple’s App Store encryption, code-signing processes, and other built-in precautions.
In reality, CISOs and security departments know this is not true. The App Store's goal is to protect consumers from apps carrying malware and other security issues; its protections do not cover the interests of the companies that publish the apps. Apple's FairPlay encryption, for example, is gone as soon as an app is dumped from memory on a jailbroken device, and iOS has no built-in protection against the decrypted binary then being tampered with, cloned, or reverse engineered.
Additionally, while the vulnerabilities affecting Android applications are more widely acknowledged, it does not make sense to develop or implement protections only for Android, as this leaves the door wide open on the iOS side.
Tip: Be clear-eyed about the reality that iOS apps are vulnerable to hacking and fraud. Many of the attack methods listed above can be detected and prevented with a multi-layered approach: code hardening (obfuscation and encryption) protects the code at rest, while runtime application self-protection (RASP) defends the application while it is running, for example by detecting attached debuggers, hooking frameworks, and jailbroken or rooted devices.
When Apple's App Store and Google's Android Market (renamed Google Play in 2012) launched in 2008, businesses and individuals alike recognized a major opportunity. Today, the Apple App Store has about 2 million apps, and Google Play nearly 3 million.
Eager scammers take advantage of the proliferation of apps by creating "fake apps" and duping consumers into downloading them, with the goal of diverting payments, racking up views for unauthorized ads, spreading malware, and carrying out other fraud. Companies whose apps lack code hardening, strong encryption and other protections may find them reverse-engineered, repackaged and marketed online by criminals, virtually indistinguishable from the real thing. The problem is pervasive enough that the US Federal Trade Commission issued a consumer alert about fake apps just a few years ago.
Tip: Hackers can't duplicate what they can't read. Obfuscation and encryption, two core code hardening techniques, make an app's code far harder to decompile into something a counterfeiter can modify, repackage, and market as a fake app. Hardening raises the cost of cloning rather than eliminating it: given enough time, a determined attacker can still recover logic from a hardened binary, which is why hardening at rest is paired with protection at runtime.
Companies, especially those in high-value, disruptive spaces, invest a lot of time and money developing their unique services. As a natural consequence, many mobile apps embed proprietary algorithms that drive a company's core products. If bad actors can recover that logic from the app binary, they can intercept user data or copy the legitimate app's functionality and go to market without the up-front investment.
Tip: Code hardening is the most direct way to protect the investment in unique intellectual property from theft and misuse: proprietary logic that cannot be read easily cannot be lifted easily.
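The two layers the tips in this piece describe (code hardening at rest in the fake-app and IP-theft tips, RASP at runtime in the iOS tip) can be sketched in a few dozen lines. The following is an added example written for this edit, not code from the original article or from any product it alludes to. It is in C so that one source file could be built into a native library for both iOS and Android. The API key value "sk_live_0123", the XOR key schedule, and every function name are assumptions made for illustration.

```c
/* Added example (not from the original article): two layers of mobile app
 * defence in C, so one source file builds into a native library for both
 * iOS and Android.
 *   1. Hardening at rest: the API key is stored XOR-encoded with a rolling
 *      key, so `strings` or a decompiler finds no plaintext in the binary.
 *   2. RASP-style runtime check: the key is never decoded while a debugger
 *      is attached (P_TRACED via sysctl on Darwin, TracerPid on Linux).
 * The key "sk_live_0123", the key schedule and all names are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef __APPLE__
#include <sys/sysctl.h>
#include <unistd.h>
#endif

#define API_KEY_LEN 12

/* "sk_live_0123" after xor_rolling(). This array is what lands in .rodata;
 * a build script produces it, so the plaintext never reaches the compiler. */
static const uint8_t ENCODED_API_KEY[API_KEY_LEN] = {
    0x29, 0x00, 0x23, 0xE1, 0xF7, 0xD9, 0xA5, 0x8E, 0xD2, 0xC2, 0x36, 0x26
};

/* Byte i is XORed with (0x5A + 0x11*i) mod 256. XOR is its own inverse, so
 * the same routine encodes at build time and decodes at runtime. */
void xor_rolling(const uint8_t *in, size_t n, uint8_t *out)
{
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ (uint8_t)(0x5A + 0x11 * i);
}

/* Returns 1 if a debugger or other tracer is attached to this process. */
int debugger_attached(void)
{
#ifdef __APPLE__
    struct kinfo_proc info = { 0 };
    size_t size = sizeof(info);
    int mib[4] = { CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid() };
    if (sysctl(mib, 4, &info, &size, NULL, 0) != 0)
        return 0;  /* fails open for the demo; a real app should fail closed */
    return (info.kp_proc.p_flag & P_TRACED) != 0;
#else
    /* Linux/Android: the kernel reports the tracer's pid in /proc/self/status */
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int traced = 0;
    if (!f)
        return 0;
    while (fgets(line, sizeof(line), f)) {
        int pid;
        if (sscanf(line, "TracerPid: %d", &pid) == 1) {
            traced = (pid != 0);
            break;
        }
    }
    fclose(f);
    return traced;
#endif
}

/* Decodes the key into out (NUL-terminated). Returns 0 on success, -1 if
 * out is too small, -2 if a debugger is attached (RASP policy: never hand
 * the secret to an instrumented process). The caller wipes out after use. */
int get_api_key(char *out, size_t outlen)
{
    if (outlen < API_KEY_LEN + 1)
        return -1;
    if (debugger_attached())
        return -2;
    xor_rolling(ENCODED_API_KEY, API_KEY_LEN, (uint8_t *)out);
    out[API_KEY_LEN] = '\0';
    return 0;
}

/* Hardening self-check: a given plaintext must not occur in the stored bytes
 * (what `strings libapp.so | grep sk_live` would otherwise reveal). */
int plaintext_absent_from_stored_key(const char *plain)
{
    size_t n = strlen(plain);
    for (size_t i = 0; n <= API_KEY_LEN && i + n <= API_KEY_LEN; i++)
        if (memcmp(ENCODED_API_KEY + i, plain, n) == 0)
            return 0;
    return 1;
}

int main(void)
{
    char key[API_KEY_LEN + 1];
    int rc = get_api_key(key, sizeof(key));
    if (rc != 0) {
        printf("refusing to decode key: rc=%d\n", rc);
        return 1;
    }
    printf("key decoded, %zu bytes; use it, then wipe it\n", strlen(key));
    memset(key, 0, sizeof(key)); /* may be optimised out; prefer memset_s/explicit_bzero */
    return 0;
}
```

Verify the at-rest layer by running `strings` on the built library: the plaintext key must not appear. The caveat every practitioner should keep in mind is that XOR encoding only raises the cost of static analysis; an analyst with Frida or a jailbroken device simply hooks get_api_key and reads the decoded value. That is exactly why the runtime layer refuses to decode under a debugger, and why production RASP adds hook, jailbreak/root and repackaging detection on top of the single check shown here.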
As mobile apps have grown in popularity, regulations have raced to keep up with them. Today, CISOs must ensure that their companies’ applications comply with all major regulations, many of which vary from country to country. This is especially true in highly regulated landscapes, such as banking, where penalties for non-compliance can be costly.
Additionally, many countries are passing new national or regional regulations aimed at protecting users; Turkey and Singapore, for example, recently introduced new rules for mobile banking.
The Payment Card Industry Security Standards Council has also issued guidance specific to mobile: the PCI Mobile Payment Acceptance Security Guidelines for merchants and developers handling card data in mobile apps, and the PCI Software-based PIN Entry on COTS (SPoC) standard, which sets security requirements for accepting cardholder PINs on commercial off-the-shelf (COTS) devices such as ordinary smartphones. These are industry standards enforced through the card brands' compliance programs rather than government regulation, but the penalties for ignoring them are just as real.
Tip: As security is increasingly linked to regulatory compliance, CISOs must work closely with other business units to monitor for new regulations and apply appropriate security and privacy measures to mobile apps to meet these standards.
As companies ship ever more mobile apps, the CISO's job will only become more complicated. Companies that proactively safeguard their mobile apps with both static (code hardening) and dynamic (runtime) protections will be well positioned to gain and keep user trust in 2020 and beyond.