At DeveloperWeek 2018 in San Francisco, I had a provocative question for mobile app developers:
“Is mobile app security important to you, and if so, what are you doing about it?”
The majority of developers I spoke with at the event agreed that security is important. However, when pressed for more detail, many could not describe the specific measures taken to protect their mobile apps against the latest threats and most said that security is actually someone else’s responsibility.
This aligns with the findings of a 2017 DevSecOps survey of 2,200 IT professionals, in which 76 percent of respondents reported that their developers did not make security a priority. Their developers either lacked time for security (50 percent), believed security to be someone else’s responsibility (17 percent) or simply did not focus on security at all (9 percent).
This got me thinking: if an organization’s mobile app developers can’t articulate how the apps they develop are secured, are those apps actually secure? Or do we just assume they are?
A False Sense of Mobile App Security
The value of the mobile channel is undeniable. It begets new customers, re-engages existing customers, increases customer satisfaction and grows revenue. However, assuming that security is someone else’s job creates a false sense of security.
Consider the following statistics:
- 27 percent of all attacks detected by Kaspersky Lab in 2017 targeted Android vulnerabilities
- 1 in 5 businesses that experienced an external security breach attributed it to mobile malware, according to a Forrester Research survey
- Approximately 140 percent more iOS vulnerabilities and 61 percent more Android vulnerabilities were disclosed in 2017
- McAfee reported a 60 percent increase in mobile banking Trojans in 2017
These findings show that attackers are targeting mobile devices and, in many cases, succeeding. Additionally, despite their best efforts and the great strides made each year, neither Google nor Apple will ever make Android or iOS completely secure. Even mobile apps that interface with critical infrastructure (i.e., high-value targets) are not as secure as you might think and are actually less secure than they were two years ago.
My point is not that we are doomed. We just need to think twice about assuming a mobile app is secure or that someone else is taking care of it. The mobile channel is too important. So what can we do?
Make Mobile App Security Easy for Developers
Developers sometimes perceive security as an obstacle to surmount rather than a way to protect their hard work and their users. That doesn’t mean they don’t care about security. They are facing a never-ending queue of executives, line-of-business owners and product managers (not to mention users) demanding more features, more quickly – and if the DevSecOps survey is an indicator, 50 percent simply run out of time for security.
The ideal solution is app security technology and practices that make efficient use of developers’ time and that integrate into existing processes and workflows wherever possible. A comprehensive mobile app security program is built on a combination of the following:
- Educating developers about secure coding on a regular basis
- Including security in the product requirements
- Integrating frequent, automated security testing earlier in the development lifecycle, when vulnerabilities are easier and less expensive to fix
- Conducting periodic penetration testing on the mobile app
- Strengthening the app with additional protection in untrusted environments with app shielding technology, including runtime application self-protection (RASP)
While app shielding with RASP is only one part of a complete app security program, it is a simple, proven way to make security easier and more efficient for developers. RASP automates the proactive detection and mitigation of attacks on an app during runtime to protect against zero-day threats, targeted attacks, sophisticated malware, code injection, reverse engineering and more.
Organizations can natively integrate these security benefits into Android and iOS apps with ease, enabling developers to focus on creating an optimal user experience while also accelerating time-to-market. RASP implementation is typically automated (music to a developer’s ears), and once integrated, RASP safeguards the app and quickly binds itself to the code.
There is no single fix for the mobile app security problem. But giving developers security technology that integrates with their existing workflows and makes the most efficient use of their time is a strong first step toward a more holistic solution.
For more information about seamless mobile app security with RASP, download:
Runtime Application Self-Protection Is Critical for Mobile App Security
This is a Security Bloggers Network syndicated blog post authored by Samuel Bakken. Read the original post at: VASCO Data Security – Blog