Security and the rapidly growing importance of mobile apps
By Tom Tovar
Organizations are under more pressure than ever before to rapidly produce both new apps and updates to existing apps, not only because it’s essentially the only way they can interact with their customers, but also because there will be a flood of new users who previously relied on physical locations to conduct their business. Continuous mobile development is now more critical than ever, and organizations must provide error-free, engaging user experiences.
In the rush to deliver intuitive apps that will capture customer attention and loyalty, it’s likely that security will take a backseat to features and functionality. According to the Verizon Mobile Security Index 2020, 43% of organizations said they knowingly cut corners on mobile security in 2019 to “get the job done.” And that was before the global pandemic.
Features trump security – until they don’t
It’s not hard to understand why developers would make this choice. Mobile users rarely look into security as a reason to use an app; features and functionality rule the roost. Plus, implementing security is time consuming and expensive. Getting first to market is a huge competitive advantage, so no one wants to delay their delivery schedules. Even worse, iOS and Android security specialists are scarce and in high demand. Development teams may lack the skills to secure their apps properly.
But developers will find that, eventually, skimping on security will come back to bite them. Features will always trump security – until they don’t. And with the pandemic causing a spike in usage, all these new users will likely shine a light on security flaws that cybercriminals and hackers will exploit. For example, when Zoom rapidly became the de facto conferencing app for businesses and educational institutions around the world, the sudden crush of millions of new users exposed security flaws that had previously gone unnoticed and unaddressed. To their credit, Zoom acknowledged the problems and took quick action to address them, but their experience should serve as a warning for all organizations.
Security flaws can contribute to far more dire consequences. For example, there’s little doubt that Travelex, which bills itself as the world’s largest retail currency dealer, was seriously damaged by a ransomware attack on New Year’s Eve, which forced it to take down its website in at least 30 countries. The company is now reportedly preparing for bankruptcy and seeking a buyer.
Organizations cannot afford for consumers to doubt the security of a mobile app when that app is, in some cases, the only revenue generation engine they have left. Brands today no longer have the luxury of putting features above security.
Implementing app security in a fast-paced digital world
So, what should businesses do? If development teams opt to take on the task of security themselves, they should at the very least make sure they are addressing each of the OWASP Mobile Top Ten vulnerabilities. This will be a struggle for many organizations unless they have mobile security professionals embedded in their development teams, and as I mentioned earlier, mobile security professionals are in short supply.
Other development teams will look to integrate security software development kits (SDKs) into their apps that provide security. This is a much more efficient option than manually coding security into an app, but it’s still not a trivial exercise to manually integrate an SDK. Plus, it’s critical to vet the SDKs a team uses, as rogue and vulnerable SDKs are a serious problem in the mobile app industry.
For example, the Tushu and Twoshu SDKs infected hundreds of apps on Google Play last year, enabling cybercriminals to mount mobile ad fraud schemes. Other SDKs, such as Adobe’s Mobile SDK, introduced vulnerabilities of their own. If organizations go this route, it’s a good idea to hire a security consultant to vet the security SDKs for potential flaws and to evaluate their ability to protect an app.
Finally, organizations are increasingly turning to security automation through artificial intelligence to harden and protect their apps. This option has the advantage of being very fast, as AI can implement security in minutes without needing source code at all, and it’s inexpensive when compared to manual coding.
As an additional benefit, automation always builds security in the same way, which provides brands with an auditable guarantee that the security posture was implemented according to the requirements of the organization, unlike manual implementations. The pandemic and associated lockdown have accelerated the move toward mobile as the primary way customers interact with businesses, so time is of the essence. The winners in this new digital world will be the app makers and security providers who can quickly and reliably deliver apps that delight the customer while also remaining safe and trustworthy.