It’s common knowledge that the pandemic pushed businesses across the board to build out their digital tools at hyper-speed. By the end of 2021, consumer downloads of mobile health and business apps increased by 187% and 102% respectively, compared to pre-pandemic levels.
The pressure to rapidly release new mobile apps with new features and continuously improve the in-app user experience has remained high throughout 2022. With development teams being understaffed and overcommitted, they often have to make tradeoffs between getting their app to market quickly, delivering a great user experience, and mobile application security. Dev teams often deprioritize or push security to the end of the software development lifecycle which, unfortunately, can result in delays as developers need to revisit code developed weeks – or sometimes months prior. Many times, developers are forced to rely on the mobile operating system for protection.
When it comes down to it, 81% of developers believe iOS and Android standard security measures aren’t sufficient to protect mobile apps. And they’re not wrong. As security gaps in mobile applications already on the market are uncovered, businesses will increasingly recognize the need to prioritize mobile application security by incorporating security testing throughout the development process, taking a multi-layered approach to protecting their app and leveraging real-time monitoring to understand and address threats to their mobile app once live.
Mobile app vulnerabilities recently exposed
Looking beyond big data breaches of the past year, companies such as Symantec and Comparitech have uncovered vulnerabilities in popular tools used in the development of thousands of mobile apps on the market which have left businesses exposed.
One example is the more than 1,800 publicly available iOS and Android apps that were found to contain hard-coded AWS credentials. 77% of those embedded AWS access tokens allowed access to AWS cloud services and nearly half allowed access to private files stored in the Amazon Simple Storage Service. A B2B company that offers an intranet and communication platform fell victim to this error, exposing more than 15,000 customer corporate and financial records, the personal data of employees, and intranet files.
In May of this year, we also learned that as many as 24,000 mobile apps using Google Firebase were not properly secured, allowing anyone entry to databases containing users’ personal information and other sensitive data. To make matters worse, some search engines are indexing Firebase database URLs, making it easier than ever for threat actors to find and exploit these weaknesses.
As we head to 2023, the burden will remain on DevSecOps to adapt to new security demands. As mobile app vulnerabilities with far-reaching implications are exposed at a faster pace, mobile app security will begin to weigh more heavily against the pressure to quickly launch new and more feature-rich mobile apps.
In the examples of AWS access tokens and Google Firebase, fundamental elements that developers used to build their mobile apps had vulnerabilities baked into them, making them easy targets for exploitation. While it may take months or years before we know the full extent of the damage, we do know the impact could have been mitigated through incorporating mobile app security testing and remediation before the apps were deployed.
In 2023, security and development teams will need to work more closely together to build mobile app sec testing into dev workflows and to extend the organization’s greater security policies to include the mobile app infrastructure, not just the finished product.
What companies can do to secure mobile apps
In our experience, developers are willing to check the security posture of their mobile app early and often when they have access to non-intrusive, effective tools. To maintain development momentum, developers should seek tools that can seamlessly integrate into their existing workflows.
Mobile app security testing tools, which can scan an app and offer actionable recommendations within minutes, are an ideal step in identifying security risks. Additionally, developers should implement a multi-layered code protection solution to avoid a single point of failure. In addition to hardening the code, developers need to consider adding runtime application self-protection (RASP) checks to thwart attackers using runtime tools to obtain insights into the application code during execution to reverse engineering and tamper with their mobile apps.
Threats to mobile applications are rapidly evolving, and developers will need to prioritize mobile app security in 2023 to protect their organization’s revenue, IP, and brand reputation.
Giovanni Mancini, director of product marketing, Guardsquare