As with all types of security threats, those that target mobile applications are constantly changing. However, mobile app security threats are of particular concern because mobile apps tend to receive less security attention than other types of software and technology. Mobile app security is important because these apps are often key to revenue strategies and customer loyalty.
The Verizon Mobile Security Index 2020 defines a mobile threat as: “Any danger that could impact the security of systems or privacy or data. This can apply to a technique, such as phishing, or an actor, such as organized crime.” Mobile app security threats specifically refer to any dangers that arise via mobile applications and—again—impact systems, privacy, or data.
In this post, we will explore the top five mobile app security threats today.
Verizon’s reporting found that mobile app security threats have been steadily increasing year over year, from 27% of organizations reporting a compromise in 2018 to 33% in 2019 and to 39% in 2020. Headlines since this report came out make it clear that the pandemic and remote work dynamics have also led to an even sharper increase in threats and attacks.
These are not minor incidents, either. Many respondents reported that the consequences were “severe and far-reaching,” with 66% classifying the fallout as “major” and 36% describing “lasting repercussions.” Yet 43% of companies admitted to sacrificing security for other priorities.
Understanding which threats are most common and how to protect against them is a good step toward better protecting not just the mobile apps themselves but the valuable customer relationships and revenue streams that apps often facilitate.
Now that we’re on the same page about why this is so important, let’s take a look at the top five mobile app security threats today.
Malware is consistently one of the most common threats facing mobile apps today, in part because it is constantly evolving and taking on new forms. In the Verizon report, 86% of respondents said they were concerned about malware, while 20% said they were unprepared to defend against it. In reality, many organizations that believe their apps are safe from malware don’t understand how complex and rapidly evolving malware can be.
Estimates put the rate of malware infection among Android phones around 4.5%. As Verizon points out, this may not sound like a lot on the surface, but malware spreads easily from device to device. If this malware enters a business environment, it can spell major trouble for the whole organization. Furthermore, app-based malware runs rampant even in the official app stores (and even more so on the gray and black markets).
Verizon’s definition of mobile app threats includes those that arise from not following mobile app best practices. One such threat is insecure coding, which is, unfortunately, very common.
Because speed and competition around features often drive rapid development cycles, even businesses that take security seriously have been known to release apps that are coded insecurely. Organizations know this, too: 75% admitted to concern around it, with 23% saying they felt unprepared to deal with it.
One specific form of malware that is particularly common is ransomware. When deployed, ransomware is capable of freezing mobile devices until a ransom is paid to the attacker. In many cases, even when the ransom has been paid, users do not regain access to their devices and the data they contain. If this type of attack spreads via your organization’s mobile app, it can have massive reputational consequences for your brand.
While the majority of those surveyed (85%) indicated concern about ransomware, 75% also said they felt prepared to defend against it. Of concern, however, is that ransomware has been evolving rapidly of late. New versions don’t just lock down the files on a device but can also encrypt files in cloud storage services and even threaten to publish personal files online (this is known as “doxware”).
Attackers sometimes hijack devices and use their computing power to mine cryptocurrency. The biggest impacts users are likely to see include battery drain, downtime, and operational disruption. Cryptojacking is a newer threat, and 73% of organizations report concern about it. Many do not realize that cryptojacking can target mobile devices in addition to computers, so it’s worth being aware of this increasingly common threat.
The two primary ways that cryptojacking attacks take place are phishing and code injection. The latter is a big concern for mobile apps that are not properly secured. While cryptojacking is not the fault of an app that unknowingly spreads it, it can still have major reputational and financial consequences.
Finally, users often do not keep their mobile apps up to date. In some cases, you may want to force updates. But even if you choose not to do this, it’s a good idea to communicate as clearly and frequently as possible about updates that carry security patches.
Additionally, untested updates can introduce security problems. This goes back to the issues brought up around insecure coding. Again, app stores often test apps in more depth, particularly for malicious code, when they are first published than when updates are released.
Similarly, even app makers who are pretty good about security testing before the first release of an app may not be as reliable about doing this for each and every update. Testing every update is crucial to ensuring that no untested updates that could introduce mobile app threats go live.
The five threats laid out in this blog post are common enough that all mobile app developers should be well aware of them. Integrating security into every aspect of the mobile app SDLC by following secure coding best practices, applying app protection, including code hardening and RASP, and driving continuous security testing is key to avoiding the reputational and financial consequences that can arise out of a successful threat executed via your mobile app.