What Mobile Developers Want Security Teams to Know in 2021

Over the past year, there have been an increasing number of attacks against mobile apps. In fact, a recent report  found that 39% of organizations suffered a security compromise involving a mobile device in 2020, and 66 percent of these incidents had a major impact on the organization.

Remote work has sparked the launch of many enterprise mobile apps. While this has plenty of positive benefits, it has also opened a new attack vector related to endpoint security. Mobile security is becoming a critical risk area that has previously been overlooked by many cybersecurity teams.

Mobile developers are aware of these growing security threats; however, they’re often limited in the support, tooling, and visibility they have available to combat them. Here are several ways that security teams can increase collaboration with development teams to improve the overall security posture of their organization.

1. Offer Developers More Support

There has been a cybersecurity skills gap for a long time, and this has severely impacted the ability of development teams to protect their mobile apps. In spite of the chronic shortage of available talent on the market, just one of the top 24 undergraduate computer science programs in the U.S. includes a security course as a core requirement. This lack of security education leaves developers unprepared to implement secure coding practices when they enter the field.

That’s why it’s crucial for security teams to inform developers about new cyber threats so that developers can determine whether their apps are vulnerable. Security teams should also document secure coding best practices and create a process to ensure that developers can follow them from project inception. This could include sharing the latest research from the Open Web Application Security Project (OWASP) and insights from other trusted sources about mobile security.

Further reading: How App Developers Can Navigate the OWASP Mobile Top 10 Security Risks

At many organizations with numerous software projects and development teams, security professionals cannot actively engage with every developer individually. Training some developers to become “security champions” can help ensure security is a part of every development conversation. This is another great way to spread security knowledge throughout the organization, better support secure coding, and provide personal development opportunities for security champions going forward.

2. Provide Developers with Better, More Developer-friendly Tooling

While most developers understand the importance of application security, they’re faced with tight development timelines and often make security tradeoffs due to pressure to be the first to market. That means mobile development teams often lack the time and resources to implement advanced security techniques or adopt the necessary tools to protect their apps.

Many mobile developers work to implement basic code obfuscation and encryption techniques on their own, but these attempts often fall short of the mark. Once built into the app, these do-it-yourself approaches require additional manual effort in future releases to stay on top of the latest techniques. In addition, to be effective, code obfuscation needs to go beyond basic name obfuscation by changing the control flow and code logic as well. Multiple layers of code hardening provide the best way to protect mobile apps so developers should leverage tools that make this level of security feasible to stay on top of the latest application security methods without additional manual effort.

An advanced security tool that can seamlessly fit into developers’ existing workflows can dramatically improve the security posture of a mobile app. These tools can automatically implement security measures like code obfuscation, encryption, and more that are updated with each new release to stay ahead of attackers. This approach allows developers to integrate security into their build process without slowing down development.

3. Give Developers Greater Visibility

Mobile app security — especially at larger enterprises — is just one area of cybersecurity, but mobile apps don’t live in a vacuum. For example, endpoint security is the practice of securing the entry points of networks, which can include employee mobile phones and the apps they’re running. With the global pandemic and subsequent significant increase in remote work, enterprise mobile apps have become an increasingly popular attack vector for malicious actors to infiltrate company networks.

There’s traditionally been a lack of visibility for developers after their mobile apps are published. While developers can implement runtime application self-protection (RASP) measures to detect and mitigate dynamic threats, the ability to monitor potential threats in real time is invaluable. This capability enables mobile developers to contribute in a meaningful way to the overall security posture of the organization.

In addition, a real-time threat monitoring tool can facilitate the collaboration between security professionals and developers. Security teams gain complete visibility over their deployed mobile apps, continuously monitoring for incidents and getting real-time data to help them prioritize and assess risk-based vulnerabilities. Developer teams get insights to remediate vulnerabilities quickly as well.

Bringing Security to Development Teams

As mobile app security becomes more important for today’s organizations, collaboration between security and development teams is crucial. This requires training for developers to design their mobile apps with secure coding best practices from the start and developer-friendly security tooling that fits within their existing workflows. Mobile developers also need greater visibility into the cyber threats the organization is facing to improve their app security going forward.

Guardsquare’s DexGuard and iXGuard solutions offer comprehensive mobile app protection using code hardening and RASP, without negatively impacting development. ThreatCast monitors threats in real-time and offers actionable feedback for developers.