Mobile app security

What is mobile application security?

Mobile app security is a set of best practices, technologies, and features added to an organisation’s mobile app to help prevent and remediate threats from cybercriminals. This includes application hardening to obscure code, runtime application self-protection (RASP), and white-box cryptography to encrypt critical data and keys. Mobile application security can also refer to the extent of protection that mobile apps have from cyber threats.

Why do you need app security for mobile apps?

Cyberattacks on mobile apps are on the rise, with organisations reporting steadily growing compromises. Attacks on your mobile apps can have devastating consequences, including stolen user data, compliance violations, a potentially permanent impact on a brand’s reputation, and ongoing financial losses. Application security increases operational efficiency, addresses compliance requirements, reduces risks, and improves the trust between a business and its customers.

Security threats for mobile apps

As mobile apps have code that can be inspected, and are available to download from public stores, they have a greater attack surface than web apps. Combine that with the amount of user data they can collect, and this leaves us with very attractive targets for cybercriminals.

About 90% of applications have serious vulnerabilities. OWASP, which regularly analyses weaknesses and attacks on mobile applications, has compiled its OWASP Mobile Top 10, the list of the most dangerous vulnerabilities:

  • Improper platform usage
  • Insecure data storage
  • Insecure communication
  • Insecure authentication
  • Insufficient cryptography
  • Insecure authorisation
  • Client code quality
  • Code tampering
  • Reverse engineering
  • Extraneous functionality

The OWASP vulnerabilities list serves as a starting point for organisations, developers, and security professionals. It comes with examples of attack scenarios and recommended mitigation strategies. Common mobile app attack scenarios include credential harvesting, man-in-the-middle (MITM) attacks, malware, financial fraud, circumvention of security mechanisms, extraction of keys and secrets, intellectual property theft, repackaging, cloning, and tampering.

Mobile app security testing

Applications process, store, transmit, or enable access to sensitive data, such as customer information and intellectual property. It is vital to put apps through the rigours of security testing. Mobile security testing should include testing of the operating system (e.g. iOS or Android), application backend (e.g. web services or APIs that transmit data from the app), as well as the encryption between them.

The goal of mobile app security testing is to ensure the ecosystem is protected and fully compliant with regulatory requirements, such as PCI DSS and GDPR. The testing may be both manual and automated (mobile vulnerability scanning).

Business productivity app security

Using custom mobile business apps can greatly improve productivity for employees and partners by allowing easy access to corporate IT assets. But what about security? When hackers attack enterprise-level apps running on unmanaged devices, they can compromise a lot of sensitive company information, including employee logins, trade secrets, and customer data. Unsecured productivity apps may pose a significant threat to businesses, similar to any customer-facing app running in the wild.

Mobile device management (MDM) has been a traditional means for overcoming these threats. However, a growing network of non-employees with app access, as well as the intrusive nature of MDM, means businesses need to take further steps to secure their apps. Application shielding, which comprehensively protects your business productivity apps, provides extra layers of security.

Two-factor authentication is an absolute must-have in any business productivity app, and login information should be the only thing the app requests in the login form. Businesses should onboard productivity apps to a mobile app management platform and inspect them to ensure they are free of malware and privacy risks. It is also recommended that corporate-branded app stores distribute all productivity apps to maximise control.

Tools for protecting mobile apps and best practices

Both Google and Apple offer useful best practice guides for mobile apps. The Open Web Application Security Project® (OWASP), a non-profit foundation that works to improve software security, is another useful source of information. Its Mobile Security Project provides security checklists, tools, testing manuals, as well as other resources needed to build and maintain secure mobile applications.

Developers typically implement mobile app security from the outside in. In most cases, this involves defining a virtual perimeter around apps or valuable assets. Promon recommends protecting your apps from the inside out. Server-side infrastructure does not provide enough protection, and reliance on the security architecture of mobile operating systems could leave your app vulnerable. Application shielding comprehensively protects your apps, identifying threats that other security solutions may overlook.