Mobile adoption is strategic in every industry today. Although it can be a great catalyst for growth, the security risks that come with it cannot be overlooked. Even though this fact is established, many companies are still not following some of the mobile application security best practices.
In a recent report, Gartner mentioned that over 75% of the mobile applications will fail basic security tests. In fact, when we performed a research on over 100,000 apps, we found this number to be much higher, over 90%! That's alarming in different ways. First, it is alarming because there's a high probability that your business app will also fail in security. Secondly, this is also alarming because so many such apps sit on the mobile devices of your employees who bring it in every day. Imagine the amount of sensitive data that is at stake here.
A study by IBM highlights the sorry state of affairs today - 33% of organizations never test the mobile applications they develop and 40% of enterprises – including Fortune 500 companies – do not protect the customers for whom they are developing apps.
Why is Mobile Application Security a Big Deal?
To understand why this is a big deal, we need to take a more holistic view. Let's scale this up. There are many reports out there that have proven that more than 90% of mobile applications are vulnerable and there's a median of around 6.5 vulnerabilities per app. At the same time, over 4,000 apps are being added to the popular apps stores every single day. On average, a smartphone user downloads 36 apps. Put this all together and it will present a scary picture for any business.
So, Why are Businesses Not Taking Mobile App Security Seriously?
There are several factors to blame for the lack of importance given to mobile application security. But if I have to be straightforward about this, then the fact is organizations put a lot of focus on things like features, performance, etc. rather than on security issues.
Often developers count on the platform they are building on or focus on things like speed and usability. In some cases, companies do not have a consistent and clearly defined security and QA testing as part of the SDLC. And in some other cases, developers are simply not aware of the mobile application security best practices.
5 Essential Mobile Application Security Best Practices
Implement security measures at the application level
Device manufacturers and operating systems will keep implementing some or the other security measures from time to time. Relying on them to make you secure is a terribly wrong expectation. Many businesses and developers believe that being on the iOS platform make them secure. Although I agree iOS is fairly better in terms of security compared to Android, but that is changing. Hence, as a business, you should make sure you take care of mobile security at the application level which will reduce your dependency on platforms and devices to keep you safe and secure.
Ensure your employees download trusted apps from enterprise app stores
Although this method is not 100% foolproof, yet it is one of the biggest mistakes companies make. Enterprises should make it a rule of thumb to not trust third-party applications at all unless pre-approved through a security testing process. While you employ BYOD principles at work, it is important to educate your employees on the security risks involved in downloading and using apps that come from third-party sources. For all internal apps, create a safe and secure enterprise app store allowing employees to have access to these apps.
Encrypt and monitor the data between the mobile app and web server
It is important to sometimes manually analyze the traffic flowing through the app to the web servers. You can either have an internal team to do that or hire a mobile app security company that can help you track movements in the network layer. Most experts will recommend all mobile device communications to be encrypted. The reason is simply because wireless communications are quite easy to intercept and snoop on. Often known as the transport layer, the path between the mobile app and web servers carries very sensitive information and it is necessary to employ the best security practices to make sure this is something you can monitor well.
Use containerization for critical corporate data
A good way to try and protect sensitive corporate information is a concept called containerization. The name itself is self-explanatory and mean that you can use techniques to store sensitive corporate data into a separate container in the mobile app. This is a good way to employ a system that identifies your corporate data as more sensitive as compared to say your selfies from the last vacation.
Perform regular mobile security audits and penetration testing
It is recommended that companies and organizations should hire a trustworthy and reputed mobile app security testing company to audit their applications at least once every quarter. Putting your mobile apps through a set of automated and manual penetration tests that follows the mobile application security best practices can be very helpful in deciding what aspects of security you need to focus on. After identifying issues, it is even more essential to spend time with remediation and mitigation of any issues that were discovered. Even if you have an internal security team, it is always a good practice to get an external audit done as well.
To help businesses understand the importance of mobile application security best practices and to showcase real-world examples of how your mobile application can be breached, we are running a special initiative called Secure Our Soul. This is a free 20-minute exclusive session with our security researchers who will demonstrate how the security loopholes in your application can be exploited.
We have only four slots every Friday, so go ahead and book yours now.