Why is Mobile App Security “Shifting Left?”

Mobile developers have looked towards DevSecOps to seamlessly close the security risk gap without introducing cumbersome security processes.


As COVID continues to ravage the globe, companies across industries have pivoted to moving brands and employees online and onto mobile devices through mobile applications. Since many of these companies have chosen to prioritize the user experience and time-to-market for a variety of reasons, mobile application security has fallen behind.

In fact, Verizon’s 2020 Mobile Security Index revealed that 43% of organizations sacrificed mobile security last year to focus on speed and other development goals. With the lack of app security gaining the spotlight, mobile developers have looked towards DevSecOps to seamlessly close the security risk gap without introducing cumbersome security processes.

What is the “Shift Left” Security Trend?

In the DevSecOps world, shifting left means implementing application security early in the continuous integration and continuous delivery (CI/CD) pipeline using developer-friendly security tooling. This differs from mobile development in the past where security was more of an afterthought compared to time-to-market and user experience.

Rather than reactively dealing with security issues found in production, many mobile developers are now proactively scanning for vulnerabilities prior to deployment. Some mobile developers are integrating security through the entire development process to achieve a secure software development lifecycle (SSDLC).

The idea of shifting left has already taken hold in enterprise application development, where many organizations operate in highly regulated industries with strict privacy and security requirements. The objective is to address Application Security concerns in the same manner as Quality Assurance, where it has long been recognized that detecting issues earlier in the development cycle can save significant time and money. That’s because IP theft, data loss, and reputational damage from a security flaw can become costly for any software or mobile app company if they’re only addressed after the app is deployed.

As more mobile app developers—especially in the areas of mobile banking, fintech, and retail—recognize the importance of security, they’re beginning to integrate more security tooling into their development pipelines. While some of these organizations are making the change because their apps have already been compromised, others are being proactive by adopting additional security measures to comply with more stringent regulations and protect their intellectual property, revenue, brand reputation, and sensitive data.

Adopting a Secure Development Pipeline

While most enterprise application developers have adopted a DevSecOps mindset already, mobile developers often have the perception that security will slow them down. By shifting left, however, companies can ensure mobile developers have an understanding of their role and responsibility for application security without impacting time-to-market.

During the development stage, code hardening is crucial for protecting mobile apps against reverse engineering and other exploitations. Code hardening techniques involve using obfuscation and encryption to make it more difficult for malicious actors to understand the inner workings of an application. That way, mobile app developers can prevent the use of decompilers or dissemblers to steal proprietary code, harvest sensitive information, or repackage the app with malicious code.

When mobile apps are in the testing phase, companies can use penetration testing to actively seek out vulnerabilities within the application’s security. Mobile app developers can also use automated security testing—both static application security testing (SAST) and dynamic application security testing (DAST) tools—to scan for potential issues in the source code and application execution. There are even mobile application security testing (MAST) tools that are optimized for the specific types of threats mobile apps are exposed to in the wild. Integrating these tools as part of the CI/CD pipeline can improve application security without additional manual effort by developers.

Once the application is deployed, mobile app developers can also use runtime application self-protection (RASP) to defend against live attacks after deployment. These RASP mechanisms monitor the mobile app for suspicious activity and react in a pre-programmed manner. Along with RASP, real-time threat monitoring can also help improve visibility into common attack vectors after apps have been published.

In the end, mobile DevSecOps requires multiple layers of security integrated throughout the SSDLC to achieve comprehensive security coverage. That said, shifting left and considering security earlier in the development process can greatly reduce the time, effort, and cost of security issues in the long run.


Grant Goodes is Chief Scientist for GuardSquare. More than 650 customers worldwide across all major industries rely on Guardsquare to secure their mobile applications against reverse engineering and hacking.

Built on the open source ProGuard technology, Guardsquare software integrates transparently in the development process and adds multiple layers of protection to Android (DexGuard) and iOS (iXGuard) applications, hardening them against both on-device and off-device attacks. With the addition of ThreatCast, its mobile application security console, Guardsquare offers the most complete mobile application security solution on the market today.