Mobile device use has continued to grow throughout the global pandemic, surpassing 5.19 billion mobile phone users worldwide over the past year. As a result, companies have been launching mobile apps at an incredible pace to capitalize on the abundance of potential users.
The rapid pace of mobile app development, however, has led to a sudden uptick in privacy and security issues as well. As a result, many mobile developers are starting to recognize the need for a more proactive and streamlined approach to app security by adopting a DevSecOps mindset.
Mobile Security In The Spotlight
Mobile apps have become an enticing target for criminal exploitation because many developers don’t have the time to prioritize security measures like obfuscating their code, encrypting sensitive information or monitoring for live attacks after publishing an app. In fact, the FBI has reported a 50% surge in mobile banking usage, which has led to an increase in banking trojans and other attempts at financial fraud. Moreover, studies have shown that companies across nearly every sector are facing cyberthreats, with 55% saying that being compromised had a lasting impact.
With regard to government responses to COVID-19, the release of contact tracing apps intended to help contain the coronavirus was recently in the spotlight because the apps lacked adequate security measures. These crowdsourced solutions gave governments more widespread reach for warning individuals who may have been exposed to the virus, but many mobile app developers had to launch them quickly, and security was not made a priority. Some contact tracing apps, like many other mobile apps on the market, failed to protect user privacy because they relied on the phone’s GPS, harvested personal information or sent data to a centralized database.
In an effort to make these contact tracing apps more secure, build trust and gain more user adoption, Apple and Google jointly released an Exposure Notification API. One year into the pandemic, mobile developers can use this API to build more secure contact tracing apps without compromising personal information. While the majority of contact tracing apps have adopted the API, this issue has revealed broader concerns about mobile application security and the need for DevSecOps in the industry.
DevSecOps For Mobile Developers
DevSecOps is an approach to application security that integrates security processes throughout the entire development pipeline. For mobile apps, this means scanning for issues during development, testing, deployment and following up on threats after release. By creating a secure software development life cycle (SSDLC), organizations can leverage automation to improve application security without burdening developers.
A key aspect of DevSecOps is catching issues earlier in the SSDLC, which is often called “shift left.” This is a proactive approach to application security where app developers use code hardening tools to protect their apps and code scanning tools to detect and remediate issues during development. By preventing vulnerabilities from reaching later stages of the SSDLC, the cost and effort involved with remediating security issues are much lower. While mobile app developers have prioritized being first to market in the past, many companies are now recognizing that a shift left of security efforts aligns with this goal.
Besides the development phase of the pipeline, it’s crucial for mobile app developers to implement security processes in the testing phase, as well. Both static and dynamic automated testing tools can detect vulnerabilities in the source code and execution of mobile apps to prevent issues from reaching production. With a DevSecOps approach, mobile developers can integrate these tools directly into the continuous integration and continuous delivery (CI/CD) pipeline to minimize the manual effort involved with improving their security posture.
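One concrete form of the static scanning described above is a manifest check that fails the build when risky settings are present. This is an added example, not code from the article or from any vendor's tool: the sample AndroidManifest.xml is constructed, and the policy it enforces (no debuggable builds, backups disabled, no cleartext traffic, no exported components without a permission) is an illustrative choice.

```python
"""Static 'shift left' check for risky AndroidManifest.xml settings,
meant to run as a CI/CD gate. Added example; the manifest is constructed."""
import sys
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
COMPONENTS = ("activity", "service", "receiver", "provider")

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".DebugReceiver" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.constructed.SYNC"/>
  </application>
</manifest>"""

def is_launcher(comp):
    """The MAIN/LAUNCHER activity has to be exported, so it is not flagged."""
    return any(a.get(NS + "name") == "android.intent.action.MAIN"
               for a in comp.iter("action"))

def check_manifest(xml_text):
    """Return a list of findings; an empty list means the gate passes."""
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return ["manifest has no <application> element"]
    findings = []
    if app.get(NS + "debuggable") == "true":
        findings.append("application is debuggable")
    if app.get(NS + "allowBackup") != "false":
        findings.append("allowBackup is not disabled")
    if app.get(NS + "usesCleartextTraffic") == "true":
        findings.append("cleartext traffic is allowed")
    for kind in COMPONENTS:
        for comp in app.findall(kind):
            exported = comp.get(NS + "exported")
            # Before Android 12, a component with an <intent-filter> and no
            # explicit android:exported is implicitly exported.
            implicit = exported is None and comp.find("intent-filter") is not None
            if ((exported == "true" or implicit) and not is_launcher(comp)
                    and comp.get(NS + "permission") is None):
                findings.append(f"exported {kind} {comp.get(NS + 'name')} "
                                "without a permission")
    return findings

if __name__ == "__main__":
    results = check_manifest(SAMPLE_MANIFEST)
    print("\n".join("FAIL: " + f for f in results) or "PASS")
    sys.exit(1 if results else 0)  # non-zero exit fails the pipeline stage
```

In a pipeline the same function would be run against the manifest produced by the build, so a debuggable or unprotected component never reaches the release stage.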
While many mobile app developers have had to learn the hard way by experiencing a security breach, the pandemic has motivated others to take security more seriously. As people spend more time at home and shift to digital means for everyday tasks like shopping and banking, they’re using mobile apps far more frequently. Prioritizing security as well as speed by adopting DevSecOps methodologies allows mobile app developers to better protect their users and intellectual property as well as build greater trust in their apps without sacrificing time-to-market.
Enterprises may have more mature security programs in place, but mobile app developers are quickly catching up. The pandemic has put mobile security issues in the spotlight and motivated app developers to adopt DevSecOps. As mobile apps continue to become more critical for businesses, the maturity of security programs within the mobile app industry will likely improve even further.