Why Aren’t Organizations Addressing Mobile App Security Risks?

The global pandemic has catapulted mobile device adoption forward by two to three years, according to a recent report by App Annie. Remote work dynamics and stay-at-home orders have dramatically accelerated the transition to a “mobile-first” world.

Mobile apps drive significant revenue and boost customer loyalty for businesses who use them right. In fact, global revenue from mobile apps grew by 23% in the past year, reaching a peak of $50 billion in the first half of 2020. And even amidst a global shrinkage in marketing budgets, mobile ad placements were up 70% in H1 2020. 

The positive potential of mobile apps for businesses is clear. However, awareness of the risks of insecure mobile apps—and action to mitigate those risks—appears to lag.

A new report by Vanson Bourne found that the vast majority of developers and organizations still aren’t implementing best practices to secure their mobile applications. 

Mobile App Security Risks

As of June 2019, 38% of iOS apps and 43% of Android apps remained exposed to high-risk vulnerabilities. Respondents to the Vanson Bourne survey reported an average of eight mobile security incidents in the last year. 

The impacts of app security incidents include downtime (59%), data loss (56%), compromise of other devices (46%), reputation damage (37%), regulatory penalties (29%), and loss of business (19%), according to the Verizon Mobile Security Index. 

When it comes to mobile apps, favoring development speed over security (which 62% admit to) has led to exposures across sectors. For example:

• Financial: 57 million people in the US alone use mobile banking apps. However, in 2019 42% of financial services companies reported app-related security incidents.
• Retail: 23% of the top 50 Android retail mobile apps have zero security protections in place in 2020.
• Healthcare: Contact tracing apps are growing in global popularity due to the COVID-19 pandemic, but they can present significant risks if not properly secured.

With the risks so clear, why aren’t mobile apps more secure? Here are the common barriers to developing and releasing secure mobile apps in 2020.

Teams Lack Security Expertise

Many organizations aren’t well-equipped to address mobile security challenges, due in large part to a significant shortage of cybersecurity talent. The demand for cybersecurity professionals is twice as great as the supply of security talent in the U.S. Some predictions indicate the global talent shortage could reach 3.5 million by 2021, up from 1 million in 2014.

Mobile app security requires a specific skill set, and many development teams simply don’t have enough security experts available to help them. 

Fortunately, investing in developer-first mobile app security solutions can help alleviate the talent shortage by empowering developers to build security protections like obfuscation and RASP into their code. 

Teams Prioritize Schedule over Security

Developers report that pressure from organizations to release apps quickly poses a significant challenge to security postures. In fact, 58% of respondents in the Vanson Bourne report stated that their organizations’ mobile app release deadlines are too tight to allow for implementing comprehensive security protections.

The app development lifecycle can be intense, with organizations competing to release features and beat competitors to market. However, sacrificing security for speed is putting organizations at risk every day. 

The good news is it doesn’t have to be this way. Teams can incorporate security into the mobile development lifecycle without friction by following these best practices.

Teams are Implementing the Wrong Strategies

The Vanson Bourne research found that the majority of mobile app development teams acknowledge the importance of security. Yet they reported dealing with an average of eight security incidents over the past year, with fallout ranging from malware insertion and piracy to security circumvention and IP theft.

Teams do recognize room for improvement, with 43% reporting they need “a lot” of improvements or a “complete overhaul.” Only 5% report no improvement needed. Still, while 81% agree iOS standard security isn’t enough and 84% report the same about Android, 96% of respondents are relying to some extent if not completely on end users’ mobile operating systems to secure apps. 

Operating system security is intended to protect the end-user and simply does not provide sufficient security to protect organizations against mobile app risks like IP theft and fraudulent app clones stealing revenue. Mobile apps need complete, layered security to protect against today’s evolving threat landscape.

From Awareness to Action

Despite the amount of revenue and brand customer loyalty driven by mobile apps, implementation of mobile app security best practices clearly remains a challenge. Developers and organizations seem to be aware of the risks of deploying apps without the proper security measures. It’s time to align security best practices with real-world constraints and make mobile app security a priority.