15 Feb, 2021

The Top Mobile App Security Issues in 2020 And How To Avoid Them In 2021

by nVisium

The latest mobile statistics shouldn't be surprising, but they are: with over 130 billion app downloads in 2020 alone, the mind still reels at the magnitude. It seems that with the shelter-in-place requirements imposed by the pandemic in 2020, people turned to mobile apps to fill the time.

Mobile App Security Issues In 2020

As the dependency on mobile apps increases exponentially, the likelihood of a security breach increases accordingly. According to CSO Online's “8 mobile security threats you should take seriously”, the mobile app security threats in 2020 included:

  1. Data Leakage: It may sound like a diagnosis from the robot urologist, but data leakage is widely seen as being one of the most worrisome threats to enterprise security in 2019. Remember those almost nonexistent odds of being infected with malware? Well, when it comes to a data breach, companies have a nearly 28% chance of experiencing at least one incident in the next two years, based on Ponemon's latest research — odds of more than one in four, in other words.
  2. Social Engineering: Users are actually three times more likely to respond to a phishing attack on a mobile device than a desktop, according to an IBM study — in part because a phone is where people are most likely to first see a message. Verizon's latest research supports that conclusion and adds that the smaller screen sizes and corresponding limited display of detailed information on smartphones (particularly in notifications, which frequently now include one-tap options for opening links or responding to messages) can also increase the likelihood of phishing success.
  3. Wi-Fi Interference: A mobile device is only as secure as the network through which it transmits data. In an era where we're all constantly connecting to public Wi-Fi networks, that means our info often isn't as secure as we might assume.
  4. Out-Of-Date Device: This is true particularly on the Android front, where the vast majority of manufacturers are embarrassingly ineffective at keeping their products up to date — both with operating system (OS) updates and with the smaller monthly security patches between them — as well as with IoT devices, many of which aren't even designed to get updates in the first place.
  5. Cryptojacking Attacks: While cryptojacking originated on the desktop, it saw a surge on mobile from late 2017 through the early part of 2018. Unwanted cryptocurrency mining made up a third of all attacks in the first half of 2018, according to a Skybox Security analysis, with a 70% increase in prominence during that time compared to the previous half-year period.
  6. Poor Password Hygiene: Lest you think this is all much ado about nothing, in 2017, Verizon found that weak or stolen passwords were to blame for more than 80 percent of hacking-related breaches in businesses. From a mobile device in particular — where workers want to sign in quickly to various apps, sites, and services — think about the risk to your organization's data if even just one person is sloppily typing in the same password they use for a company account into a prompt on a random retail site, chat app, or message forum.
  7. Physical Device Breaches: In its 2019 mobile threat landscape analysis, Wandera found that 43% of companies had at least one smartphone in their roster without any lock screen security. And among users who did set up passwords or PINs on their devices, the firm reports, many opted to use the bare-minimum four-character code when given the opportunity.
  8. Mobile Ad Fraud: Cyber criminals follow the money, so it’s no surprise they’ve found ways to siphon cash from mobile ad revenue streams. Estimates on how much ad fraud costs vary, but Juniper Research projects a $100 billion loss per year by 2023.

The good news is that many of these issues are avoidable as long as you take the steps to ensure your organization is protected in 2021.

How To Avoid Mobile App Security Issues In 2021?

TechBeacon offers “6 ways to eliminate the most common security #fails in mobile apps” with this list:

  1. Design security into the mobile app: The first step should always be to consider security during the application design stage. Relying too much on data stored on the client, for example, can offer up a vector of attack for a variety of bad actors.
  2. Test each iteration of the product: Once a secure design is created, developers should make sure their code doesn't result in vulnerabilities. Frequent code scanning (not just at the end of the project during the quality assurance stage) and threat modeling can help detect any vulnerabilities or design flaws that creep into the application, says Sriram Ramanathan, chief technology officer at Kony, a maker of mobile app development tools.
  3. Encrypt data stored on the device: Poorly implemented encryption is a major problem for many mobile apps. Just ask Starbucks. In 2014, a security expert found that the company's mobile app left users' data unencrypted on the device. Historically, mobile apps have struggled to protect data due to oversights, such as not implementing encryption on the connection to the server and not storing authentication credentials securely.
  4. Identify and actively manage third-party libraries: Developers should use a system to regularly check for updates in the third-party code they use in their product, so the code remains current with the latest versions. Failing to do so could leave a known security hole in their products that attackers can exploit.
  5. Minimize the attack surface: Rather than pulling in broad frameworks, developers should limit the mobile app's functionality to just the capabilities it needs. This shrinks the opportunities for attack, a concept also known as minimizing the application's attack surface area.
  6. Obfuscate the code: Finally, developers can adopt a number of techniques to harden their application against attackers' efforts to reverse engineer the code. Obfuscation, which turns the code into indecipherable gibberish, raises the bar slightly for attackers.
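To make step 3 (encrypt data stored on the device) concrete, the following Kotlin snippet contrasts the weak setting with the corrected one for an Android app. It is an added example written for this page, not code from TechBeacon, nVisium or the Starbucks app; it assumes the Jetpack `androidx.security:security-crypto` library is on the classpath, and the file names (`session`, `session_encrypted`) and preference key (`auth_token`) are hypothetical.

```kotlin
import android.content.Context
import android.content.SharedPreferences
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey

// Weak setting: a session token written to ordinary SharedPreferences.
// The backing XML file under shared_prefs/ is plaintext, so a device backup,
// a rooted device or a forensic image of the filesystem exposes the token.
fun saveTokenInsecurely(context: Context, token: String) {
    val prefs: SharedPreferences =
        context.getSharedPreferences("session", Context.MODE_PRIVATE)   // hypothetical file name
    prefs.edit().putString("auth_token", token).apply()                 // hypothetical key
}

// Corrected setting: the same token written through EncryptedSharedPreferences.
// Both keys and values are encrypted with a master key that is generated in and
// never leaves the Android Keystore, so the on-disk file holds only ciphertext.
private fun encryptedPrefs(context: Context): SharedPreferences {
    val masterKey = MasterKey.Builder(context)
        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
        .build()
    return EncryptedSharedPreferences.create(
        context,
        "session_encrypted",                                              // hypothetical file name
        masterKey,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,    // deterministic, so keys stay lookable
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM   // authenticated encryption for values
    )
}

fun saveTokenEncrypted(context: Context, token: String) {
    encryptedPrefs(context).edit().putString("auth_token", token).apply()
}

// Reading it back goes through the same wrapper; decryption is transparent to the caller.
fun loadTokenEncrypted(context: Context): String? =
    encryptedPrefs(context).getString("auth_token", null)
```

A simple check during testing is to open the app's `shared_prefs` XML on a debug build: with the insecure variant the token is readable as-is, with the encrypted variant only base64 ciphertext appears. The master key is bound to the Keystore on that device, so encrypted preferences do not survive a restore onto another device; that is the expected trade-off for keeping the key out of the app's own storage.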

The bottom line: take mobile app security assessments seriously, alongside secure SDLC practices and DevSecOps oversight.

Mobile App Security Assessments Made Simple

The mobile environment is different enough from classic client-server, cloud, network and IoT development that particular expertise needs to be drawn upon. Combine the nuances of multiple platforms (i.e., Android and iOS) with ever-changing vendor updates and you have a very difficult challenge to keep up with. This should be the catalyst for evaluating trusted partners to assist with mobile security assessments.

nVisium empowers organizations to eliminate application and cloud security vulnerabilities before cyber threats exploit them, with proven in-depth security assessments, remediation and training programs. Our experienced team of security-savvy developers and engineers guides organizations to build best practices with high ROI into their engineering and secure development lifecycles across applications, operating systems, networks, mobile, cloud and IoT, through services, software solutions and R&D tailored to business operations and compliance initiatives. Additionally, nVisium provides a fully managed platform for tracking and measuring performance, as well as instructor-led and online training.

Let us work with your development and security teams to implement a secure SDLC that encompasses continuous security review and full integration into the development process for your mobile apps, so that security and privacy are the end game. Give us a call to better understand how you can more effectively handle mobile security assessments and improve privacy and security for your users, or better yet, schedule a consultation today or download our new eBook, “Demystifying DevSecOps”, to get started yourself.
