From banking, to gaming, to retail, every industry has been transformed by mobile apps. Consumers today expect a seamless, digitally native experience, whether they’re depositing checks or ordering a new pair of sneakers. This, of course, means more organizations have invested in building and distributing mobile apps.
However, when companies build mobile apps and use them to process, store, or otherwise contain sensitive IP and data, they face new security risks. Some industries in particular face a broad onslaught of cybersecurity threats due to the types of information and data their mobile apps contain and the potential upside for hackers.
In this post, we share three industries where mobile security should be top of mind.
Consumers today expect to be able to deposit checks via camera on their banks’ apps, pay a friend back for lunch via Venmo, and track their net worth on an app like Personal Capital.
In the U.S. alone, some 57 million people use mobile banking apps. Additionally, Deloitte found that, across 17 countries worldwide, around 59 percent of people use mobile banking apps. On top of the popularity of mobile banking, it’s estimated that over 1.3 billion people will use mobile payments by 2023. Mobile payments are particularly popular and common in developing countries, where they are likely to overtake traditional banking, if they have not already.
Mobile financial apps are more convenient than brick-and-mortar institutions, but they also open financial services companies up to security risks. According to Verizon’s 2019 Mobile Security Index, 42 percent of financial services companies reported app-related security incidents within the last year. Financial information has become an easier target for hackers through mobile apps that are not sufficiently protected. Hackers can target unshielded apps to gain access to customers’ financial data, intercept or divert payments, or otherwise maliciously use the information they find. Fake apps are also on the rise, and they often mislead consumers into sharing financial details with the wrong people. In fact, in the first half of 2019, online fraud attacks via fake apps masquerading as legitimate banks tripled, according to RSA.
Moreover, our own research at Guardsquare has revealed that less than half of Android financial services apps use application shielding—a key tactic for protecting these apps and their data.
Mobile financial services are here to stay. Banks, payment companies, and others rely on trust to keep consumers coming back and placing their hard-earned dollars into someone else’s care. Properly shielding financial information with layered mobile app security is make-or-break for financial companies that want to gain and maintain customer trust.
Gaming is big business, expected to make $100 billion in 2020 across all platforms, according to estimates from App Annie’s 2020 State of Mobile report. According to Mobile Marketer, 60 percent of worldwide video game revenue in 2019 was generated by mobile games, which were played by a total of 1.36 billion gamers globally.
Mobile gaming companies are highly dependent on in-app purchases—think: gear, character skins, in-game currency, etc.—and in-app advertisements. For example, around 80 percent of game-makers build their revenue strategies around in-app purchases, according to a 2017 App Annie report.
Hackers see the opportunity, too: according to a story in VentureBeat, one company found that game-makers lose around 40 percent of “in-game revenue and microtransactions” yearly. Some hackers clone and modify apps to play for free, while others hurt studios’ bottom lines by getting around in-app purchases.
With so many people playing mobile games, this industry is a rich target for hackers who may be looking to make money or improve their own gameplay. Many attempt to get around in-app upgrades or distribute cheats. That kind of cheating can hurt gaming companies both in terms of finances and reputation; according to one company’s survey, 77 percent of players said they would stop using a game if they perceived any cheating. When other players cheat, legitimate players become more reluctant to spend, too: that same survey found that 48 percent of respondents would be “less likely” to pay for in-app purchases.
Mobile health applications are a powerful tool for communicating with patients, helping individuals track symptoms, medications, and more. But, in some cases, they can also process and store incredibly sensitive personal health information (PHI).
For hackers, healthcare information is desirable. For example, medical records often contain sensitive details, such as date of birth, contact information, payment details, and sometimes even identification methods such as social security numbers. Recently, Experian reported that on the dark web, complete medical records can sell for more than $1,000.
While malware, ransomware, and other attacks on hospitals and health organizations have made headlines in recent years, unprotected mobile apps are an underappreciated weak link in the chain. If a mobile app’s code isn’t hardened, hackers can easily decompile the app, opening up an organization to various forms of abuse. These can include intellectual property theft, customer data or credential theft, tampering, and cloning (among other issues).
Last year, 25 percent of healthcare organizations experienced a breach through mobile apps, according to Verizon’s 2019 Mobile Security Index. In more recent headlines, Walgreens experienced a technical error with their mobile app that unintentionally revealed customer data, including prescription details.
Most countries have laws governing the confidentiality of medical records, such as the Health Insurance Portability & Accountability Act (HIPAA) in the United States. If information is exposed from a mobile app, it can result in serious consequences for both the individual whose information was leaked and the company that allowed it to happen by releasing an insecure app into the public domain.
Consumers, organizations, and governments around the world are waking up to the vulnerabilities of mobile apps. For example, government agencies are implementing new laws and regulations around consumer data and technology, such as Europe’s PSD2 or Singapore’s PDPA.
However, the best place to start is at the beginning, with the developers who build healthcare, gaming, and financial mobile apps (and apps in every other industry). Every company’s engineering team has the opportunity to strengthen app security during the development process. By building in layered mobile app security, including runtime application self-protection (RASP) and code hardening, companies in gaming, healthcare, and financial services can protect their IP and user data from attackers looking to take advantage.