Organizations that build or maintain mobile applications have a greater responsibility than ever to secure their applications as the number of application downloads continues to grow.
3.8 billion smartphone users accounted for 218 billion app downloads in 2020 alone.
Zimperium conducted a survey last year in which 250 enterprises described the security issues they struggled with the most within their mobile applications.
The greatest security issue with applications for Android was lacking runtime protection at 93% while this data point was at 79% for iOS. Where iOS struggles was in lacking code protection at 94% while it is only 63% on Android.
The two other most common issues were vulnerable encryption for which both application types hovered around 50%, while the lack of data protection sat at around 26-38% for both device types.
The survey found that enterprises were concerned with the right things, such as ensuring data is securely stored and transmitted and ensuring proprietary source code cannot be stolen, but the fixes for these concerns were not being focused on enough, Krishna Vishnubhotla, VP of product strategy at Zimperium, said during a recent SD Times Live! webinar “Top Five Best Practices for Mobile DevSecOps.”
The reason is a lot of the companies fear that implementing security solutions can make the user experience suffer and slow up development or make it difficult to use. However, this can be mitigated by asking questions from the vendor to see whether the challenges or concerns can be minimized or removed.
“People tend to look at mobile and they think it’s a contained environment. There’s this feeling of it being a little bit more secure than your desktops,” said Adam Wosotowsky, principal data architect at Zimperium. ”It really surprised me just how not true that is. From a security perspective, they have existing security wrapped around their app, and therefore they think they don’t have to worry about it quite as much. But the problem is all of that security can be pretty easily bypassed.”
To bolster security organizations should be looking to:
- Ensure security still works when an attacker controls the device
- Limit the pool of people who can successfully hack your app
- Never let your encryption keys appear in plain text
- You need threat visibility once you publish the app
- Think like a hacker – Apps are windows into your infrastructure
To learn more, watch the SD Times Live! webinar “Top Five Best Practices for Mobile DevSecOps.”