Mobile apps give field workers, healthcare practitioners, remote teams, and retail and restaurant associates the ability to access tools and collect data right where it’s needed. But weak mobile app security can expose those organizations to data loss, malware infection, spyware, and other cyberthreats.
Eric Lafortune, Co-Founder and CTO of mobile application security firm Guardsquare, shares his insights about why mobile application security continues to be an issue in an increasingly mobile world.
What are some of the demands that software developers are under, which could lead to mobile application security vulnerabilities?
Lafortune: The entire world is going online, and mobile phones are the hubs of people’s online lives. Companies are under pressure to go mobile, and software developers are under tremendous pressure to deliver these mobile apps.
The expectations for mobile apps are high: a great user experience in the first place, with a beautiful user interface, smooth and intuitive use, seamless integration between services. Security is often at odds with a great UX. For example, users don’t like entering security codes. Security is often secondary to UX, largely because it is invisible (until something goes wrong and makes the news).
Also, mobile technology is complex to begin with, and security only adds complexity. Moreover, few developers are security experts. Still, they need to get everything right, under time pressure. A single attacker only needs to find a single vulnerability, with the help of increasingly sophisticated tools. This is an arms race, with attackers at an inherent advantage.
Why does inadequate mobile application security create a security risk for the organization?
Lafortune: There are two basic reasons:
- Web applications mostly run on servers, which can be monitored more rigorously. Mobile apps, on the other hand, run on the users’ own devices, outside the control of the providers, alongside other apps for entertainment, administration, health, etc. They are most vulnerable to man-at-the-end attacks (MATE).
- Mobile apps have become predominant, and they contain valuable information, so they are attractive targets.
What factors are contributing to security being more of an afterthought than something built into applications from the beginning of a development project?
Lafortune: In addition to time pressures, software development teams may not prioritize security over other features of the application, or leadership at the organization may lack understanding about the need for security and focus on other aspects of their businesses.
Software developers are learning to “shift left” to ensure quality early and throughout development cycles. How can they do the same with security?
Lafortune: They need to focus on what mobile platforms provide out of the box, e.g., source reviews that also check basic security issues.
They may also find value in looking at what modern libraries provide out of the box, e.g., SSL pinning for secure communication.
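As a concrete illustration of the "out of the box" library support Lafortune mentions, the following Android snippet shows certificate pinning with OkHttp's CertificatePinner. It is an added example, not code from the interview or from Guardsquare; the host name `api.example.com`, the `fetchProfile` helper and the two pin values are placeholders, and a real build would replace the pins with SHA-256 hashes of the server's public key (the `openssl` pipeline in the comment is one way to compute them).

```kotlin
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient
import okhttp3.Request
import javax.net.ssl.SSLPeerUnverifiedException

// Hypothetical API host; replace with the app's real backend.
private const val API_HOST = "api.example.com"

// Placeholder pins. A real value is the base64 SHA-256 of the certificate's
// SubjectPublicKeyInfo, e.g. computed with:
//   openssl s_client -connect api.example.com:443 -servername api.example.com </dev/null 2>/dev/null \
//     | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der \
//     | openssl dgst -sha256 -binary | base64
// Keep at least one backup pin (for the next key or the intermediate CA) so a
// routine certificate rotation does not lock every installed app out of the API.
private const val PRIMARY_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
private const val BACKUP_PIN = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="

// Builds a client that refuses any TLS chain for API_HOST that does not
// contain one of the pinned public keys, on top of normal CA validation.
fun pinnedClient(): OkHttpClient {
    val pinner = CertificatePinner.Builder()
        .add(API_HOST, PRIMARY_PIN)
        .add(API_HOST, BACKUP_PIN)
        .build()
    return OkHttpClient.Builder()
        .certificatePinner(pinner)
        .build()
}

// Hypothetical call: returns the response body, or null when the pin check
// fails. A failure means the connection was not to the expected key (for
// example an interception proxy or a rogue CA), so the app fails closed
// rather than sending credentials or session tokens over that connection.
fun fetchProfile(client: OkHttpClient = pinnedClient()): String? {
    val request = Request.Builder()
        .url("https://$API_HOST/v1/profile")
        .build()
    return try {
        client.newCall(request).execute().use { response ->
            if (response.isSuccessful) response.body?.string() else null
        }
    } catch (e: SSLPeerUnverifiedException) {
        // Pin mismatch: log it for detection purposes and do not retry without pinning.
        null
    }
}
```

Two practitioner caveats: pin the public key rather than the whole certificate so that a renewal with the same key keeps working, and treat a pin failure as a signal worth reporting to the backend (it is an early indicator of traffic interception on a device), never as a reason to fall back to an unpinned client.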
Focus on Addressing OWASP’s Mobile Top 10
If your team needs resources and information on mobile application security, you can turn to the OWASP Mobile Security Project, which provides best practices and security requirements for mobile applications. Runtime application self-protection (RASP) and code hardening are both crucial to defending against OWASP’s Mobile Top 10. Read more in the Guardsquare blog.