Mobile app developers at DeveloperWeek 2018 were asked: “Is mobile app security important to you, and if so, what are you doing about it?”
Most developers readily agreed that security is important. However, when pressed for more detail, many could not describe the specific measures taken to protect their mobile apps against the latest threats – and most replied that security is actually someone else’s responsibility.
“DevSecOps: Early, Everywhere, At Scale,” Sonatype’s 2017 DevSecOps survey of 2,200 IT professionals reveals that their response is a common one. Sonatype found:
- 76 percent of respondents reported that their developers did not make security a priority,
- 50 percent of respondents said their developers don’t have time for security,
- 17 percent believed it to be someone else’s responsibility, and
- 9 percent of respondents reported they simply didn’t focus on security at all.
This begs the question: if an organization’s mobile app developers can’t explain just how the apps they develop are secured, then are those apps actually secure? Or are they and their users just assuming that they are?
Embracing A False Sense of Mobile App Security
The mobile channel is of course extremely important. It drives customer growth, keeps existing customers engaged and satisfied, and grows revenue. However, assuming that security is someone else’s job creates a false sense of security. Consider that:
- Approximately 140 percent more iOS vulnerabilities and 61 percent more Android vulnerabilities were disclosed in 2017
- McAfee reported a 60 percent increase in mobile banking Trojans in 2017
- 27 percent of all attacks detected by Kaspersky Lab in 2017 targeted Android vulnerabilities
- 1 in 5 businesses that experienced an external security breach attributed it to mobile malware, according to a Forrester Research survey
These statistics underscore that attackers are targeting mobile devices and – in many cases – it’s working. Despite their best efforts and great strides made each year, neither Google nor Apple will ever make Android or iOS completely secure.
The point isn’t that we (or our apps) are doomed. But it’s time to think twice about just assuming that a mobile app is secure, or that someone else is taking care of its security. Mobile users and the mobile channel deserve better.
Making Mobile App Security Easier for Developers
Unfortunately, developers can see security as an obstacle to surmount rather than a way to protect their users and their own hard work, but that doesn’t mean they don’t care about security. More likely, they are working with a steady stream of executives, line-of-business owners and product managers (not to mention users) who are demanding more features, more quickly – and if the DevSecOps survey is an indicator, 50 percent simply run out of time for security.
The ideal solution is app security technology and practices that make efficient use of developers’ time and that integrate into existing processes and workflows wherever possible. A comprehensive mobile app security program is built on a combination of the following:
- Educating developers about secure coding on a regular basis
- Including security in the product requirements
- Integrating frequent, automated security testing earlier in the development lifecycle, when vulnerabilities are easier and less expensive to fix
- Conducting periodic penetration testing on the mobile app
- Strengthening the app with additional protection in untrusted environments with app shielding technology, including runtime application self-protection (RASP)
While app shielding with RASP is only one part of a complete app security program, it is a simple, proven way to make security easier and more efficient for developers. RASP automates the proactive detection and mitigation of attacks on an app during runtime to protect against zero-day threats, targeted attacks, sophisticated malware, code injection, reverse engineering and more.
Organizations can natively integrate these security benefits into Android and iOS apps with ease, enabling developers to focus on creating an optimal user experience while also accelerating time-to-market. RASP implementation is typically automated (music to a developer’s ears), and once integrated, RASP safeguards the app and quickly binds itself to the code.
There is no single fix for the mobile app security problem. But, giving developers security technology that integrates with their existing workflows and helps make the most efficient use of their time, is a strong first step toward a more holistic solution.
About the Author: Samuel Bakken is Senior Product Marketing Manager responsible for the VASCO Data Security mobile app security portfolio.