Organizations that create or maintain mobile apps have more responsibility than ever to secure their apps as the number of app downloads continues to rise.
3.8 billion smartphone users accounted for 218 billion app downloads in 2020 alone.
Zimperium conducted a survey last year in which 250 companies described the security issues they faced the most in their mobile apps.
The most common security issue in Android apps was a lack of runtime protection, at 93%, compared with 79% for iOS. iOS apps fared worse on code protection, which 94% lacked, compared with only 63% on Android.
The other two most common issues were vulnerable encryption, at around 50% for both app types, and a lack of data protection, at around 26-38% for both device types.
The survey found that companies care about the right things, like making sure data is stored and transmitted securely and making sure proprietary source code can’t be stolen, but patches for those issues weren’t given enough focus, Krishna Vishnubhotla, vice president of product strategy at Zimperium, said during a recent SD Times Live! online seminar, “The Five Best Practices for Mobile DevSecOps.”
The reason for this is that many companies fear that implementing security solutions will harm the user experience and slow down development or make it difficult to use. However, this can be mitigated by asking the supplier questions to see if the challenges or concerns can be minimized or removed.
“People tend to look at mobile and they think it’s a confined environment. There’s this feeling of being a bit more secure than your desktops,” said Adam Wosotowsky, Principal Data Architect at Zimperium. “It really surprised me how untrue that is. From a security perspective, they have existing security around their app, so they think they don’t have to worry about it as much. But the problem is that all this security can be bypassed quite easily.”
To enhance security, organizations should seek to:
- Make sure security still works when an attacker controls the device
- Limit the number of people who can successfully hack your app
- Never let your encryption keys appear in plain text
- Maintain threat visibility after you release the app
- Think like a hacker – Applications are windows to your infrastructure
For more, watch the SD Times Live! webinar “The Five Best Practices for Mobile DevSecOps.”