The state of Mobile App Security

November 13, 2017 Shravanthi Reddy

According to Gartner, more than 75% of mobile apps fail basic security tests. And as per Microsoft’s 2016 Trends in Cyber security, 44.2 percent of all disclosed vulnerabilities are found in applications other than web browsers and operating system applications (mainly mobile apps).

The estimated annual cost of mobile cyber breaches is around $50 billion, globally, and this number is increasing every year.

In June 2017 alone, over 1,000 Android and iOS enterprise apps were reported to have unsecure communication between the apps and their backend systems. Around 43 terabytes of data were exposed, with at least 39 affected apps leaking 280 million records of personally identifiable information (PII). A study in 2016 found that 90% of scanned healthcare and finance-related mobile apps had major security flaws.

So what can be done to improve mobile app security? Here are a few ways to mitigate the risk:

Mobile app security tip #1: build a secure API

The API is the lifeblood that underpins the core functions of your app and how its data is stored. APIs are also the framework used to access backend services and other applications on behalf of users, all of which require authentication and authorization. If you do most of the integration on the backend, you are better off: you control what gets sent to the phone, and it also helps with cross-platform development and application performance.

Mobile app security tip #2: secure the code

Even before a vulnerability is exploited, attackers can obtain a public copy of an application and reverse engineer it. Popular applications are repackaged into “rogue apps” containing malicious code and are posted on third-party app stores to lure and trick unsuspecting users to install them and compromise their devices.

Enterprises should look for tools to aid their developers to detect and close security vulnerabilities and then harden their applications against reverse engineering and tampering.

Mobile app security tip #3: secure the transiting data

Data in motion is any data being transmitted to or from a mobile device across a wireless network. If a username or password is transmitted to a server in plain text, the password offers almost no protection, since reading plain text off a wireless network is very easy to do. Therefore, encrypting data in transit is really the only option. Most secure mobile applications use Secure Sockets Layer (SSL) for this. SSL is a point-to-point secure channel; it does not secure the data end to end.

Enterprises can employ other means of securing their data transfer, from Virtual Private Networks (VPNs) to Mobile Application Management (MAM) systems.

Mobile app security tip #4: secure the server

More and more mobile applications are storing all or part of their data on servers either in a Mobile Backend as a Service (MBaaS) or in private data centers. As long as the servers are secure, this is a safer way of storing protected data.

Secure Sockets Layer (SSL) protects the data in transit, but once the data reaches the server, it has to be encrypted again for storage. As with data stored on a mobile device, securing the private key is a concern that needs to be addressed. A universal private key, controlled by the data service, can encrypt all of the data. The security hole with this method is that if the one and only private key is discovered, hackers gain access to everyone’s data.

The preferred approach is to create a unique private key for each user of the application. This limits the exposure if a single private key is discovered.
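To make the per-user key point concrete, here is an added Go example (not code from the original post) of a server-side record store in which each user's data is sealed with AES-256-GCM under that user's own key, with the user id bound as associated data; a key that leaks opens only that one user's record. Key storage, wrapping the per-user keys under a master key, and persistence are assumed to be handled elsewhere.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// gcmFor returns an AES-256-GCM AEAD for a 32-byte key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // the OS CSPRNG failing is not recoverable here
	}
	return b
}

// NewUserKey mints a fresh key for one user; no key is shared across users.
func NewUserKey() []byte { return randomBytes(32) }

// Seal encrypts one user's record under that user's own key, binding the user id as associated data.
func Seal(user string, key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, []byte(user)), nil
}

// Open decrypts a record; another user's key or a tampered record fails authentication.
func Open(user string, key, record []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(record) >= n {
		return gcm.Open(nil, record[:n], record[n:], []byte(user))
	}
	return nil, errors.New("record too short")
}
```

Because the user id is authenticated along with the ciphertext, a record copied from one user's row to another's fails to open even with the right key.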

Conclusion

Mobile users demand uncompromised convenience and intuitive functionality on all devices. At the same time, enterprises must prevent confidential customer information from getting into the hands of malicious adversaries who view the mobile environment as an irresistible opportunity. Mobile app security must be a critical element of an effective fraud prevention strategy for any enterprise app development team.

Securing the mobile app is all about finding a balance between usability and mitigating risk. An appropriate mobile security framework will enable enterprises to reap the benefits of productivity while protecting all of their confidential information. Invest in a mobile app development solution with a broad set of services specifically designed to improve application-level security.

The post The state of Mobile App Security appeared first on API Friends.
