While the explosion of mobile applications has put Android in the driver's seat, mobile application security continues to lag far behind. Just how bad can things be? Well, pretty bad, to be honest. For instance, in 2014 Gartner predicted that throughout 2015, more than 75% of mobile applications would continue to fail even the most basic security tests. The prediction was borne out in 2016, when Appknox conducted an extensive study testing the top 500 e-commerce apps. The finding: a whopping 95% failed to cut the mustard.
Now, security holes are nothing new in the digital landscape. Even the best and sturdiest encryption algorithms are found to have critical vulnerabilities from time to time. What's disheartening in the mobile app landscape is the sheer neglect that application security suffers from. Users and enterprises alike tend to share a common thought pattern – if it runs on a mobile device, somehow we don't need to think about security. Contrast this with the security of web and desktop applications, which is taken very seriously.
The giants get it right, and wrong
One of the starkest contrasts in mobile application security comes from two of the biggest names – Apple and Google. While Apple is known for its fanatical focus on mobile application security, Google is only now beginning to wake up after several serious breaches and losses of user data. So what created this difference? Simply put, it's focus. The opening of the iOS Security Guide 2016 says, "Apple designed the iOS platform with security at its core. When we set out to create the best possible mobile platform, we drew from decades of experience to build an entirely new architecture. We thought about the security hazards of the desktop environment, and established a new approach to security in the design of iOS."
Sure, the odd breach happens at the iOS App Store now and then, but the overall record is much better.
There is an important lesson here for enterprises and users alike – security can't be an afterthought. It's a pain that's much better taken on sooner rather than later.
How to win the mobile application security war
Mobile devices are multi-faceted and not tied to a location. This makes implementing security correctly very hard. It may sound anticlimactic, but the most important thing businesses need to do is pull up their socks and get ready for a slow, ongoing war. The following guidelines on mobile application security best practices will help:
1) Run through a basic checklist every time: It's easy to forget a critical point or two in the rush to shorten time to market. Businesses can improve the situation by making sure they have a ready checklist of the most important security measures for mobile apps. If you're not confident about building your own list, you can start with something like the OWASP checklist. But remember: it's much easier to publish an in-house checklist than to make sure it is followed rigorously.
2) Manage BYOD: With Bring Your Own Device (BYOD), a whole world of security challenges opens up. Suddenly devices you're not sure of are connected to vital parts of your enterprise system, and critical data leaves your premises every evening and enters unknown networks. Managing BYOD risks comes down to laying down clear policy guidelines around personal devices at work, and making sure employees have signed off on them. In other words, responsibility for data privacy largely gets pushed down to the employees, who also have to agree to remove apps or install security measures that the enterprise deems fit.
3) Automated app testing: An automated testing solution for mobile apps takes a lot of the pain out of the equation. Imagine just having to push a button and getting a list of omissions and recommendations. Appknox is one example of such a solution for mobile app security.
4) Go holistic: When it comes to pursuing your own security plan, make sure your approach is holistic. This means going beyond mere checklists and incorporating static testing, dynamic testing, and user behavior testing into your security practices. As history has shown time and again, user behavior reveals flaws that even the top security engineers fail to anticipate.
5) Consider outsourcing security: No, it's not a stupid idea. The point is that mobile application security is so vast and elusive that you can't hope to do it all on your own. Even if you insist on doing so, at least make sure to engage a reputable firm or consultant for regular security audits. Remember: it's much better that these audits reveal gaping security holes than that nobody does. At least you can then plug them and know that you've secured that end.
6) Tighten the noose around login and communication: Since mobile communication is very easy to intercept, make sure all communication happens over secure channels that implement state-of-the-art security. The same goes for authentication – the traditional authentication typically used on mobile devices is a strict no-no. Make sure you add multiple authentication methods and rely on biometric authentication as much as possible.
Are we trying to paint a grim picture? Yes! Because it's already much worse than it looks. As cyberspace hurtles towards IoT and ever more complex device interconnections, we are nowhere on the radar for even basic mobile application security. Unless we develop a healthy paranoia and take this up on a war footing, we will surely be caught unawares, with no answer in sight!