Researchers found a vulnerability about two years ago in the Android versions of WhatsApp and Telegram that could let hackers manipulate media files sent via the apps. Today’s columnist, Brian C. Reed of NowSecure, offers some insights on how continuous mobile app security can protect companies from similar vulnerabilities.

Spurred on by a pandemic that forced workers home, we have grown increasingly reliant on a cadre of mobile applications proliferating at a head-spinning rate. Unfortunately, investment in mobile app security has failed to keep pace or gain coveted priority on the long list of information security concerns.

Too many business leaders simply don’t see mobile apps as a top-tier security threat. In the rush to develop mobile apps and get them to market, security and privacy are more often an afterthought than a must-have baked into the development process.

But that has to change – and quickly. Comscore says 69 percent of all digital traffic and time spent by users are on mobile versus web apps, while Gartner reports that through 2022, mobile app security failure will emerge as the biggest mobile threat for enterprises. At stake are valuable company assets, customer data, supply chain exposure, regulatory fines and failures in the kind of digital transformation and innovation that keeps companies ahead of the competition. Breaches of mobile apps and leaks of private data from Babylon Health, LinkedIn, Tim Hortons, Telegram, Twitter and Walgreens demonstrate the damage caused when security gaps go unheeded.

Mobile appsec weaknesses were already a concern long before the pandemic exposed those shortcomings, but they were exacerbated as businesses sought to support an almost entirely mobile workforce and customer base while virtually everyone embraced mobile apps for everyday life. Today, Google Play and the Apple App Store offer some 5.5 million apps that people depend on for everything from tracking sales accounts and conducting mobile banking to video conferencing with co-workers and friends and scheduling vaccine appointments. But benchmark data from millions of mobile apps in these public app stores reveals that an astounding 85 percent of mobile apps carry security risks.

Many apps also leak sensitive information that is ready for scooping up by malicious actors lying in wait to exploit low-hanging fruit. In fact, NowSecure benchmarks also show that 70 percent of mobile apps from public app stores leak personal data in violation of strict and costly privacy regulations like Europe’s GDPR and the California Consumer Privacy Act (CCPA).

But with a little commitment and investment, organizations can reduce risk by taking the following steps to lock down mobile appsec:

  • Bring mobile DevOps and SecOps together.

Traditionally, siloed application development and security teams worked on parallel tracks and were sometimes at odds. But organizations are finally starting to understand the importance of adopting a security-by-design mindset and baking security earlier into the software development lifecycle. Shifting left and aligning mobile SecOps and DevOps teams can help them become fluent in a common language and conquer security and functionality hurdles together.

  • Train mobile app developers.

Most mobile developers come from the web development world, a more contained architecture where 98 percent of the code resides behind the firewall and established guardrails keep them on the straight and narrow. Lacking depth in both mobile appsec knowledge and mobile appsec testing virtually ensures security missteps, further complicated by pressure to quickly unleash waves of innovation with as little friction as possible for users. Investing in training raises awareness of common and not-so-common security issues and fosters secure coding habits.

  • Prioritize automation and pipeline integration.

Automated testing can deliver real-time data on mobile appsec and relieve the pressure on already stressed security teams to ferret out critical security and privacy gaps. Investing in pipeline integration for continuous security testing helps organizations integrate and validate security status across their various mobile development and CI/CD platforms throughout the entire development lifecycle, ensuring that security and ops issues don’t fall through the cracks.

  • Test continuously.

Don’t think of mobile appsec as one and done, especially in a dynamic environment where user needs and features – and threats – are constantly in flux. Security and development teams both need the latest relevant data on how apps perform and where the risks lie to catch security issues before they become problematic. That means continuous security testing.

Organizations will find these steps well worth the time and investment. Not only can they improve their chances of avoiding reputational and financial risk, but companies that deploy automated, continuous mobile application security testing tools typically see a 30 percent reduction in breach potential and gain peace of mind that the mobile apps they build stay protected. And done right, mobile application security investments can spur innovation and drive the digital transformation that turns security into a competitive advantage.

Brian C. Reed, chief mobility officer, NowSecure