In 2021, the number of smartphone users in the world is 6.378 billion, translating to 80.69% of the world’s population. The large user size has made mobile phones the new prey of choice for hackers.
Yet, mobile app developers are not spending more on securing mobile apps. According to a 2016 report on mobile security by Intertrust, $34 million was spent annually on mobile app development while only $2 million was spent on app security. To further support the point, Verizon’s 2020 Mobile Security Index shows 43% of organizations sacrificed mobile security in the past year, with many mobile app development teams being asked to prioritize time to market over security.
What is Mobile App Security?
Mobile app security is the measure to secure mobile applications from external threats like malware, hacking or other criminal manipulations that may put possible risk to personal and financial information available in the mobile (e.g. banking information, current location).
What is Happening Now and Why Should Users be Concerned?
Mobile apps now play an integral role with many businesses and users relying on them for various activities such as work, education, entertainment and more. Mobile app security has become more important than ever before. Recently, security researchers at Threat Fabric discovered a batch of apps downloaded from the Google Play Store more than 300,000 times to be banking trojans, stealing user passwords and two-factor authentication codes. The misconception that every app on Google Play Store and Apple Store is safe and legitimate may no longer be true. App developers need to understand their role in app security and how a user or business data can be put at risk when the apps developed do not meet the security standards.
What are App Developers Risking when Their Developed Apps are Not Secured?
Mobile apps carry their own set of vulnerabilities. As developers, you hold the responsibility to step up and think ahead of unintended consequences when it comes to app security, and this includes identifying the common mobile app security threats and how to counter them.
Code Injection
Code injection – the execution of malicious code on mobile devices via a mobile app. Consider a login form that does not have any input restrictions, giving hackers the opportunity to enter any character or even JavaScript code snippet to compromise user data.
Data Leakage
Mobile apps typically need to access or transmit data across the network, which exposes user data. An example is the once wildly popular Angry Birds game, labeled as a “leaky” app that NSA had tapped on to gather large amount of personal data – including age, gender, location and more.
Security Decisions via Untrusted Inputs
Developers may assume that inputs such as cookies, environment variables and hidden form fields cannot be modified. However, these inputs can be modified by an untrusted actor. When security decisions such as authentication and authorization are made based on these inputs, attackers can bypass the app’s security to bring harm to the business and users.
Insufficient Transport Layer Protection
When designing a mobile app, data is commonly exchanged in a client-server fashion, flowing between carrier networks and the internet. Applications without enough measures to protect data exchange in the network traffic, failing to authenticate and encrypt sensitive network traffic, open up opportunities for hackers to view this sensitive data while in transmission.
Listed above are just some threats app developers are currently facing. As new technologies continue to develop, developers are likely to face new challenges and app protection needs to be continuously updated to keep up with the latest security threats. In the next article, we will discuss what we can put in place to counter the challenges and secure our enterprise apps.
References:
https://www.bankmycell.com/blog/how-many-phones-are-in-the-world
https://owasp.org/www-project-mobile-top-10/2014-risks/m3-insufficient-transport-layer-protection
https://www.informationweek.com/mobile-applications/mobile-app-development-5-worst-security-dangers