Today, we'd like to explain mobile app security in simple terms for everyone to understand easily. Over the course of the last four years, we've written hundreds of articles around mobile security many of which are complex and technical. The objective of today's article is to present a simple understanding of mobile app security. In a nutshell, we'll see what is mobile app security, why is it important, how is it applied in practice, and what is the potential that it has.
What is Mobile App Security?
The cybersecurity industry has evolved as technology progressed through the ages and newer devices and technologies came into existence. When the age of the PC arrived, we spent years learning and implementing computer security. The Internet and intranets led to further developments in network security. With mobile now the everyday norm for finance, healthcare, travel, shopping, etc., mobile security has become the need of the hour. Going ahead, IoT security will see significant development as IoT devices gain adoption. And the process will go on.
So, mobile app security is essentially the set of security practices and tools used to ensure greater security for mobile applications. Unlike security for applications that run on PCs, Macs or other devices, mobile app security focuses on ensuring that mobile applications themselves are secure and safe.
Why is Mobile App Security Important?
Over the last 20 years, we've seen immense growth in the number of computing and networking services that enable transactions to happen in seconds anywhere across the globe. The growth of 3G and 4G mobile networks, coupled with affordable data plans and smartphones, has clearly resulted in a huge boom in the mobile device market. This rapid increase in mobile device adoption has in turn driven swift growth in a new channel for business: mobile applications.
Today, almost every major business has a mobile app or is planning to launch one soon. There are many businesses especially in e-commerce and healthcare that operate primarily on mobile apps. The amount of personal information and data that we, as consumers, provide to these apps is what makes it even more important to have mobile app security.
Security breaches have been on the rise every year. For reference, in Q1 of 2018 alone, the Identity Theft Resource Center (ITRC) reported that there were around 250 total data breaches that compromised more than 5.4 million records (5,444,808 to be precise).
Newegg, one of the largest computer hardware and electronics retailers in the US, was breached last year; attackers stole customers' personal and financial data, and the intrusion went undetected for over a month. FedEx left sensitive customer data exposed on an unsecured Amazon Web Services (AWS) cloud storage server. These are just the tip of the iceberg; there are numerous other cybersecurity hacks from 2018 that we wrote about.
Simple Example of a Mobile App Security Flaw
(and How We Got Some Free Food)
Our whitehat security hackers found a checksum issue in a popular food ordering app. What this means is that a user could order something of much higher value while paying far less. How does that happen? Note that this is a pretty severe issue for the business, as it results in a direct revenue loss.
Typically security problems are weaknesses in an application that result from a broken or missing security control – authentication, access control, input validation, etc. In contrast, business logic related vulnerabilities are ways of using the legitimate processing flow of the application in such a way that it results in a negative consequence to the business.
What we were able to do with this app is change the total amount due on the final payment screen and update it to an arbitrary amount (much lower than what it should have been). Because the app relied on the client-supplied total and its checksum instead of recomputing the price on the server, the order went through, resulting in direct revenue loss.
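The defensive side of the flaw described above, as an added example that is not code from the original article or from the app in question: a hypothetical checkout handler that trusts the client-sent total, beside a hardened version that recomputes the total from a server-side menu and verifies a server-issued HMAC tag over the cart. The menu, prices (in cents) and key are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed server-side price catalog (hypothetical menu, prices in cents).
MENU = {"burger": 899, "fries": 349, "shake": 499}
# Placeholder key; a real deployment would load this from a secret store.
SERVER_KEY = b"placeholder-demo-key"


def _canonical(items, total):
    # Stable JSON encoding so client and server hash the same bytes.
    return json.dumps({"items": items, "total": total}, sort_keys=True).encode()


def vulnerable_checkout(order):
    """Flawed handler: charges whatever total the client submitted."""
    return {"accepted": True, "charged": order["total"]}


def issue_cart(items):
    """Server builds the cart: computes the total and signs (items, total)."""
    total = sum(MENU[name] * qty for name, qty in items.items())
    tag = hmac.new(SERVER_KEY, _canonical(items, total), hashlib.sha256).hexdigest()
    return {"items": items, "total": total, "tag": tag}


def hardened_checkout(order):
    """Recompute the price from the catalog and verify the integrity tag."""
    items = order.get("items", {})
    if not items or any(
        name not in MENU or not isinstance(qty, int) or qty <= 0
        for name, qty in items.items()
    ):
        return {"accepted": False, "reason": "invalid items"}
    # Primary defence: the price is derived from server data, never from the client.
    expected = sum(MENU[name] * qty for name, qty in items.items())
    if order.get("total") != expected:
        return {"accepted": False, "reason": "total mismatch"}
    # Secondary check: the cart must be the one the server issued (detects edits
    # to the quoted cart and makes tampering visible for alerting).
    tag = hmac.new(SERVER_KEY, _canonical(items, expected), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, str(order.get("tag", ""))):
        return {"accepted": False, "reason": "bad integrity tag"}
    return {"accepted": True, "charged": expected}
```

A tampered total is accepted by the flawed handler but rejected by the hardened one before any payment is taken.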
Read this to know more in detail: https://blog.appknox.com/improper-checksum-security-issue-got-us-free-food/
This exact scenario can happen in any other kind of app as well - e-commerce, healthcare, loyalty apps, etc. The above example shows a case where a business faces direct revenue loss. The same is true across a variety of apps where hackers steal consumer information, including names, addresses, credit card details, SSNs, etc. All this private data is highly valued and sold in bulk on what is known as the "dark web."
With news of mobile application hacks from all over the globe being the talk of the town, companies are now changing the way they look at cybersecurity and in particular mobile app security.
Back in 2015, Gartner stated that 75% of mobile applications would fail basic security testing. It was no surprise that Gartner turned out to be right; the results showed it, including in an internal study that Appknox conducted with 500 e-commerce companies globally.
Similarly, Gartner released another statement saying that, by the year 2020, up to 90% of enterprises will test their mobile applications for security vulnerabilities. It’s no surprise that businesses are moving mobile app security to the top of their strategy because of the new channels of exploitation that mobile brings to the cybersecurity world.