Apps are Increasingly Crucial to Businesses, But Their Security Remains Underfunded.
By Peter R. Kelley
In “The State of Mobile App Security in 2022,” Osterman Research and mobile app API experts Approov reveal significant vulnerabilities and security concerns with production mobile apps, and in particular, with the APIs that these apps depend upon to interact with data sources and resources, leaving both the company and their customers exposed to threats and attacks.
“Mobile apps are key channels through which businesses serve their customers, and their importance to organizations has tripled in the last two years,” said Michael Sampson, Senior Analyst, Osterman Research. He notes that while enterprise app development and deployment are among an organization’s highest priorities, “Unfortunately, the runtime security of the app, its API secrets and the user data collected do not receive similarly high prioritization and budget. These findings raise serious questions, given that so many recent breaches have highlighted the risk of stolen keys and secrets being exploited by threat actors.”
A survey of more than 300 U.S. and U.K. app developers and security pros revealed that more than three-quarters of respondents lack confidence in their organization’s ability to protect against specific threats. They’re not fully confident that their organizations have the appropriate level of security defenses and protections in place to protect against specific threats posed by mobile apps.
A major source of concern is the third-party APIs that are used in most mobile apps: they’re not well tested for security and often provide an attractive onramp for attackers. Most mobile apps use an average of 30 third-party APIs, which are rarely pen tested. Moreover, half of the mobile developers surveyed said they are still storing API keys in the app code, which offers a large and unprotected potential attack surface.
Another major issue is the lack of visibility into attacks and threats. For example, more than half of those surveyed said they were unable to detect credit fraud attempts, fake accounts, credential stuffing attacks, data theft, attempts to use stolen API keys to mimic genuine requests, or the exposure of app “secrets.”
Given the increasing criticality of mobile apps to businesses, it’s surprising that mobile app security is under-resourced when compared to other enterprise cybersecurity areas, but the research finds that to nonetheless be the case. Mobile app cybersecurity spending is still most heavily directed towards pre-production priorities, despite the fact that mobile app threats continue to evolve rapidly. Study authors agree that secure development practices are essential but offer only partial protection: The current “shift left” prioritization does not eliminate the threat of runtime attacks against mobile apps and APIs. Runtime protection remains an obvious but under-budgeted priority.
“Although mobile apps are an increasingly critical conduit for both commerce and communications, investment in runtime protection of apps and APIs continues to take a back seat. Moreover, poor practices continue unabated, such as the storing of hard-coded keys in a mobile app or device, which exposes app secrets to increasingly clever threat actors,” said Approov CEO David Stewart. “Given that mobile apps and APIs are increasingly the lifeblood of organizations, the practices and resource allocation towards runtime threats must be reconsidered – and quickly – before yet another wave of major mobile app breaches exposes both organizations and their customers to the damage and continual loss that inevitably result.”
“The State of Mobile App Security in 2022” and registration for a July 26 webinar on the findings are available at https://approov.io/for/state-of-mobile-app-security-2022/