
COVID-19, the New Normal and the Indisputable Importance of Mobile App Security

As the United States emerges from COVID-19 lockdown, it’s not back to business as usual. COVID-19 remains a very serious risk, and until a vaccine or treatment arrives, we will all need to remain vigilant. Further, it’s also certain that the new normal post-COVID-19 world represents a fundamental transformation in how businesses operate, with mobile business models taking center stage.

For most businesses, their storefront was their most important asset for awareness and revenue generation prior to the pandemic. Having a good physical location was critical to bringing in foot traffic and allowing customers to easily discover them. In the new normal, however, digital location has become far more important as consumers are increasingly turning to their mobile devices. So, it’s critical for businesses to make apps that are easy to find and use in order to continue generating revenue going forward.

The combination of the pandemic and growing mobile usage has made developing and updating apps not just a nice-to-have marketing tool, but a necessary task for business survival. An enormous number of previously casual mobile users are now depending on mobile apps for their banking, shopping and other day-to-day transactions. As such, businesses need to redesign their apps to ensure they’re easy and intuitive to use so they don’t lose those potential customers. This requires developers to iterate even faster to deliver an engaging, glitch-free experience.

Unfortunately, in the mad rush to ship apps as fast as possible, security often gets short shrift in favor of features and functionality. According to the Verizon Mobile Security Index 2020, even before the pandemic hit, 43% of app developers said they knew they were cutting corners on security to “get the job done.” 

Features Trump Security … Until They Don’t

Now with business models hinging on mobile, developers can no longer rest on “features first, security later” mentalities. The struggle here is that implementing mobile app security is hard to do. It takes time, often extending the development cycle, and it’s expensive. Even if development teams are committed to implementing security, they may lack the skills to do so — good iOS and Android security engineers are scarce and in high demand.

Eventually, however, poor security will bring consequences. Cybercriminals operate much like nimble startups, searching for opportunities, creating minimal viable malware and then continually improving it to become more effective. Case in point: the EventBot malware for Android that was discovered in April. It masquerades as a legitimate app, such as a banking app or other popular consumer app, and once installed, it harvests unprotected data from other apps on the device. EventBot also can intercept text messages (SMS) sent to the device, which enables it to capture the identity verification codes used by multi-factor authentication solutions. With access to these codes and the unprotected user credentials found in the app, hackers can easily launch account takeover attacks on tens of thousands of unsuspecting mobile app users.

What’s more, with the new normal post-COVID-19 world causing a huge increase in app usage, cybercriminals and hackers believe that the time is ripe to start exploiting known mobile app security flaws. For example, it’s not a secret that most mobile apps lack basic encryption. Similarly, most apps can be tampered with, repackaged and distributed on non-official app stores. With malware like EventBot that can be embedded in popular apps that users already trust, the game for mobile app exploits has been upped dramatically.

EventBot is just one example of why it’s critical for app developers to encrypt all app data (including the strings, resources and in-app preferences that are stored on the device), obfuscate code and shield apps from tampering and reverse engineering efforts. Doing so will stop EventBot and other potential attacks, and prevent cybercriminals from using apps as Trojans for additional attacks.
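As an added illustration of the first recommendation above (encrypting in-app preferences stored on the device), here is a minimal Android/Kotlin example written for this edit; it is not code from the article, from Appdome, or from any product the author describes. It shows the plaintext preferences that malware in EventBot's class harvests, beside the same store backed by the Jetpack Security library (androidx.security.crypto), which is assumed to be declared as a Gradle dependency. The package name, preference file name and key name are constructed placeholders.

```kotlin
// Added example (not from the article or Appdome): storing a session token in
// app preferences on Android. The "before" class writes it in plaintext, the kind
// of unprotected data the article says EventBot harvests from other apps; the
// "after" class uses androidx.security.crypto (Jetpack Security) so that both
// keys and values are encrypted with a key wrapped by the Android Keystore.
// Assumes the Gradle dependency androidx.security:security-crypto is declared.
package com.example.securestorage // hypothetical package name

import android.content.Context
import android.content.SharedPreferences
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey

private const val PREFS_FILE = "session_prefs"   // constructed file name
private const val KEY_API_TOKEN = "api_token"    // constructed preference key

/**
 * BEFORE: plaintext preferences. The XML file written under the app's
 * shared_prefs directory holds the token as-is, so anything that reaches the
 * app sandbox (a rooted device, a backup extraction, a device compromise)
 * reads it directly.
 */
class PlaintextTokenStore(context: Context) {
    private val prefs: SharedPreferences =
        context.getSharedPreferences(PREFS_FILE, Context.MODE_PRIVATE)

    fun save(token: String) = prefs.edit().putString(KEY_API_TOKEN, token).apply()
    fun load(): String? = prefs.getString(KEY_API_TOKEN, null)
}

/**
 * AFTER: the same interface, backed by EncryptedSharedPreferences. Preference
 * keys are encrypted with AES-256-SIV and values with AES-256-GCM; the master
 * key that wraps them is generated in the Android Keystore (hardware-backed on
 * devices that support it) and is never written to the preferences file, so the
 * on-disk file is ciphertext even if it is copied off the device.
 */
class EncryptedTokenStore(context: Context) {
    private val masterKey = MasterKey.Builder(context)
        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
        .build()

    private val prefs: SharedPreferences = EncryptedSharedPreferences.create(
        context,
        "${PREFS_FILE}_encrypted",
        masterKey,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )

    fun save(token: String) = prefs.edit().putString(KEY_API_TOKEN, token).apply()
    fun load(): String? = prefs.getString(KEY_API_TOKEN, null)

    // Remove the token on logout so a stale credential is not left on disk.
    fun clear() = prefs.edit().remove(KEY_API_TOKEN).apply()
}
```

Swapping PlaintextTokenStore for EncryptedTokenStore changes nothing in the calling code, which is why this kind of fix is cheap to retrofit. On devices with a StrongBox secure element, MasterKey.Builder also offers setRequestStrongBoxBacked(true) to pin the master key there. Note that this covers only data at rest; the article's other two recommendations, code obfuscation (for example R8/ProGuard on Android) and anti-tampering protection, are separate controls and are not addressed by this snippet.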

Solutions to the Security Development Challenge

If a development team decides the best route is to implement security themselves, they should first make sure they have the appropriate skills in house. If so, a good start is to address each of the OWASP Mobile Top Ten vulnerabilities. 

Other development teams turn to security software development kits (SDKs), which they will integrate into their apps to provide security. This reduces the scope of the coding but still requires developers to have extensive security experience, and it’s critical to vet SDKs before integrating them, because rogue and vulnerable SDKs are a serious problem in the mobile app industry.

A final option is security automation through artificial intelligence. It’s fast, taking just minutes to completely secure an app without any coding, and compared to manual coding, it’s inexpensive. But, as you should do anytime you’re outsourcing security, do your due diligence to make sure the platform truly secures the app without introducing additional vulnerabilities.

The new normal has elevated the importance of mobile apps as the primary way customers interact with businesses, and cybercriminals are taking note. So, in the race to provide an engaging, intuitive experience for customers, don’t neglect their safety. Focusing on features and functionality at the expense of security might pay off in the short-term, but the long-term consequences could be grave. Identify the security development model that will work best for your team, but make sure you implement security quickly. Cybercriminals will not wait for you to prepare before launching new, even more devastating attacks.

Tom Tovar

Tom Tovar is CEO and co-creator of Appdome, the mobile industry’s first no-code mobile solutions platform. Prior to Appdome, Tom served as executive chairman of Badgeville, an enterprise engagement platform acquired by CallidusCloud, and as CEO of Nominum, a DNS security and services provider that was acquired by Akamai. Tovar holds a JD from Stanford Law School and a BBA in finance and accounting from the University of Houston.
