Mobile apps are juicy targets for hackers. Consider the rich data that is captured by a mobile device, including call logs, SMS messages and location information. Then, consider the rapidly evolving mobile platforms and frameworks that are new to many development organizations.
It is no surprise that many mobile applications contain serious security vulnerabilities. If those security issues allow hackers to compromise your users’ personal data, it won’t be easy to regain customer trust or rebuild your organization’s reputation.
Let’s review some frightening trends:
- The average company tests fewer than half of the mobile apps it builds, according to a recent IBM/Ponemon report. And a stunning 33% never test their apps.
- A leading industry analyst predicted that two-thirds of mobile applications will fail basic security tests this year.
Web application vulnerabilities can often be mitigated quickly by deploying a patch to an application server. However, once mobile apps are released and downloaded to devices, it becomes much more difficult to distribute security updates and to ensure that the latest versions are installed on all devices. The best way for mobile app providers to lower the risk of a security breach is to create secure apps in the first place.
What is holding companies back from securing their mobile applications? In our mobile practice, we find that customers need to overcome four major hurdles:
- Fear of impacting the mobile user experience. Even though consumers want their personal data to stay safe, they dislike security features that get in the way of accessing features and completing transactions. For example, while most web applications can ask users to re-authenticate regularly, users generally expect to authenticate to a mobile application once and have the application manage their credentials and sessions from then on. The user interface limitations of mobile devices make it difficult to design applications that are both usable and secure. Because most organizations don’t want to limit features or cause customers to abandon transactions mid-flow, many skip security concerns altogether.
- The need for speed in mobile app development. In the competitive mobile marketplace, organizations – especially those using continuous delivery or DevOps to achieve rapid release cycles – are driven by speed. They don’t want to slow development for security tests, and they certainly don’t want a security team to send code back to developers for fixes that delay launches.
- Lack of training for mobile app developers. Many mobile developers are self-taught or have received little formal training. Where mobile development training does include security, it quickly becomes out of date because mobile platforms and frameworks evolve so rapidly. This is of course not the developers’ fault; there is a great deal to learn in mobile application development. The security concerns for mobile websites, native applications (for each mobile platform) and hybrid applications (built with cross-platform development frameworks) are very different. Moreover, the security controls available for internal employee apps differ greatly from those available for external, public-facing apps. New mobile development frameworks and mobile security tools and services seem to appear every day, and it is difficult for developers to stay on top of them.
- Using web-focused tests for mobile needs. Many mobile app providers do test their applications to some degree, especially if they are used to conducting penetration tests on other types of applications. For example, they may run a web application scanner against the web services a mobile app consumes. Unfortunately, traditional testing tools and techniques are not sufficient for mobile apps, because they exercise only the server side and miss critical client-side vulnerabilities in the app itself.
Overcome the security challenges of creating mobile apps
With the right tools and resources, it is possible to design secure mobile architectures and write secure mobile code without impacting the user experience or slowing down development.
- Applications need to be architected and designed for mobile platforms from the start, rather than designed for the web with mobile platforms treated as an afterthought.
- Mobile-specific static and dynamic tests help you assess the specific risks facing mobile apps, including misuse of platform-specific features and sensitive data storage.
- Developers can check for insecure code directly in their own workflow, so that common errors are found and fixed as soon as they are written.
- Security training courses that are geared toward mobile developers increase their knowledge and give them hands-on secure coding practice.
Synopsys’ mobile experts have helped customers of all types implement a proactive approach to security that helps them identify, remediate and prevent vulnerabilities in their mobile apps.
Have a question for our mobile security practice? Let us know how we can help your mobile development team.