July 15, 2025

The Hidden Cost of Ignoring Mobile App Security

“Mobile Application Security Cannot be an Afterthought,” a new Enterprise Strategy Group report based on responses from 300 global application development/software engineering, cybersecurity, and IT decision makers, found that 93% of respondents think their mobile app security protections are sufficient. Yet these same respondents indicated facing an average of 9 mobile app security incidents per year. The impact of these incidents is far-reaching.

Enterprise Strategy Group findings show that the average organization now releases 13 unique mobile applications each year. More than half of respondents said security incidents have caused mobile application downtime. Customer-facing impacts include data leakage (48%), a loss of consumer trust (41%) and negative user experience (38%). The total reported costs of a single mobile application security incident ranged from less than $1 million to more than $20 million, yielding an average cost of nearly $7 million per incident among respondents.

At the same time, many organizations are relying on operating system (OS)-level protections or DIY, homegrown security solutions to defend against potential mobile app security attacks. These measures alone are not enough to defend against attacks that continue to grow in number and sophistication.

Let’s explore some of the key findings from Enterprise Strategy Group’s study, and how organizations can proactively enhance their mobile app security posture.

Balancing security and time-to-market

Developers face a delicate balance and are under tremendous pressure to ship mobile applications in less time. Many perceive that additional mobile app security will slow down development timelines, whether because security tools are not integrated into their workflows or because vulnerabilities take time to diagnose and address.

In fact, 74% of organizations agree that their application development teams are experiencing increased pressure to accelerate development velocity. This speed pressure has compromised mobile app security for 71% of organizations. To balance time-to-market and security requirements, 46% of organizations say they want to prioritize mobile app security techniques that integrate into developers’ existing workflows, tools, and processes. Integrating security into the development lifecycle makes it easier to keep pace with release schedules — without compromising security, user experience, or application performance.

The good news is, nearly all organizations (98%) are aware of the risks of unprotected mobile apps, and awareness is the first step. Organizations seem to be moving toward implementing the right tools, secure coding best practices, and processes to strengthen their overall mobile app security posture — even if there is room for improvement.

Embracing a multi-layered security approach

Mobile applications often use and store sensitive user data and metadata such as PII, biometrics, and geolocation. As such, survey respondents reported high frequencies of targeted malware, data leaks, and unauthorized access seeking to exploit this valuable data.

Savvy organizations understand that a multi-layered mobile app security approach, made up of multiple techniques and tools, is the gold standard defense. Today, 45% of organizations prefer a mix of in-house tools, third-party solutions, and OS-level protections. Even so, 40% of organizations rely solely on DIY security solutions or OS-level protections, leaving their mobile apps open to potential attacks. Organizations are also increasingly taking a proactive approach to security, driven by both internal sources (risk assessments, emerging threats, and vulnerabilities) and external pressures (security incidents).

Multi-layered security should include not only regular mobile application security testing (MAST) to identify security issues in development, but also code hardening (obfuscation and encryption) and runtime application self-protection (RASP) to prevent reverse engineering and tampering attacks post-release. Embracing proactive security approaches like threat monitoring and threat modeling can help organizations track the evolving mobile app security threat landscape in real time. Advanced security like application attestation can ensure that your app, its users, and their devices can be trusted, which protects API endpoints and backend infrastructure.

Key takeaway: Implement multiple layers of security for mobile apps

As the number of mobile applications released continues to increase, the corresponding volume of security incidents also continues to rise. The impacts of these incidents include application downtime — which can result in revenue loss, customer churn, and operational disruptions.

To keep pace with evolving threats, organizations should prioritize mobile app security technologies that integrate seamlessly into developers’ existing workflows. Using trusted third-party technologies can help mitigate security talent shortages and empower development teams to implement robust mobile app protections — all without compromising on development speed, app performance, user experience, or compliance needs.

Above all else, a proactive security posture requires a multi-layered approach applied throughout the development lifecycle. This begins with embedding protections at the code level and continues with ongoing mobile app security testing and real-time threat monitoring. By complementing these measures with developer training and secure coding best practices, organizations can reduce the risk of mobile app threats, safeguarding their competitive advantage and user trust.
