Mobile apps are a relatively new phenomenon, and yet in a short span, this ecosystem has gone through several overhauls already. The advances in app functionality and user experience are there to see for everyone, but equally important are the radical shifts in the security landscape. So let's take a walk down the memory lane and see what and how much has changed over the years. If anything, such a comparison will make us appreciate the intricacies involved in mobile application security today. It might even make us more determined and vigilant!
The rise of independent researchers
Earlier there were only two sources of discovering security holes: the app development end, and the app users. Of course, the users consisted of regular users and attackers both but finding a potential bug used to be largely a matter of chance. But these days, as the adoption of mobile devices has exploded, independent or University-backed researchers have risen. They perform academically advanced and sophisticated attacks on the mobile platforms, demonstrating their weakness. Consider the Drammer attack, which was the result of several researchers collaborating, and revealed a fundamental flaw in Android hardware. While on one hand, this means our mobile apps will be more secure in future, in the short term it generates food for the attackers and headaches for the likes of Google.
Google funds studies aimed at Android bugs
In the earlier days, bugs on mobile apps were considered normal. After all, the world was used to an era of massive enterprise platforms where it wasn't uncommon to find critical bugs even after a few years into production. So, the standard response by Google in the early days was to issue a security patch, and that was that. But the extent of damage revealed how sinister these vulnerabilities were if left unattended. As a result, Google has woken up to the scale of the problem, and begun to fund studies aimed at revealing fatal flaws in the Android hardware and software. It's a fabulous and brave move, and it makes for an interesting trend of modern mobile application security!
Finding and fixing critical bugs is so important that companies are not leaving anything to chance. Or rather, they're using the power of chance as well. Bug bounties are a unique trend of modern mobile application security scene, where anyone who discovers a critical bug gets rewarded in hard cash. Google already has the Android "security rewards" program in place, but the money being awarded is more important. As per Google's blog, USD 550,000 was awarded in 2015, and in 2016 the company increased the spend by 33%!
Certainly, for those who are very talented, determined, and lucky, becoming a bounty hunter of bugs is not a bad career choice!
Anti-virus software on mobile phones
When Android was launched, some users breathed a sigh of relief: "Oh, finally! A mobile platform built on the Linux core. What could be more secure?!" Except that, it didn't turn out to be anything closer. While the Linux kernel does its job well, a mobile phone is a highly personal device that needs a lot of permissions and works many times on your behalf. In other words, it's much more open to attacking and takeover. As a result, users who thought they were free of the Windows-era tyranny of having to install an anti-virus now have to tolerate one on their Android phone!
Rise of automated mobile application security testing
As one vulnerability after another piled up and the security checklist numbering started to run into three digits or more, the ecosystem responded with automated security testing. This includes static analyzers for code-level security, dynamic analyzers to gauge app behavior, and much more. While this doesn't make your app bullet-proof, it takes care of most of the important cases that you're likely to miss.
These sure are interesting times to be living as someone concerned about mobile application security. We'd like to motivate you to not see this extreme volatility as a hassle, but a zig-zag path to the promised land of hacker-proof apps!
Hack proof apps are difficult to come across. Target, Walmart, and eBay have all been hacked. How does your app fare?