On any given day, I’ll read at least one article about an enterprise release of a new app. I’ll also see many more that I just don’t have time to read. I have noticed that certain themes recur across the articles–more on that in a moment. But I have also noticed one glaring absence. What I am not seeing is attention to mobile app security.
From one perspective, this is surprising – even shocking. Businesses are under tremendous pressure to get products to market speedily in our global economy, and one of the areas of greatest demand is mobile apps. There are some 4 billion mobile devices, accounting for 200 billion app downloads in 2019 alone and generating an anticipated $582 billion of revenue in 2020. Mobile apps are a consistently high priority.
But that high profile does not include the emphasis on security that you might expect. Where the desktop was always in plain sight and laptops were a fixture in briefcases, your smartphone spends a healthy percentage of its time in your pocket. As a result, IT and security teams have been late in turning their attention to securing mobile devices.
The reality is we use our mobile devices every day to get our jobs done. We can no more work today without mobile devices than we could have without desktop computers a decade ago. That dependence on mobile for worker productivity is one of the key reasons security is foundational for mobile app development.
Organizations are investing heavily in mobile initiatives within both the public and private sectors. For the public sector, the focus has been on citizen services, better infrastructure and digital transformation. In the private sector, focus has been on employee productivity, customer engagement and a frictionless sale.
There is essentially an app for everything, because customers expect an app for everything. We use apps to access sensitive enterprise data. We use them for financial transactions to buy digital and physical merchandise. We use them to share proprietary intellectual property. There is virtually no area of the enterprise where mobile doesn’t have a foothold. That broad technology footprint is the second reason security is foundational to mobile app development.
One side effect of the consumer appetite for mobile apps is that, to meet the demand for mobile, businesses often use third-party agencies or third-party components when they build mobile apps. In fact, one scholarly study found more than 60% of the libraries in a typical app are third-party components. The rationale for the use of third-party components is it makes mobile development efficient and allows businesses to focus on their core competencies.
That pattern is likely to continue in mobile development. But it is a real concern, because using third-party components means enterprises don’t have a way to ensure they are building secure apps. And to make matters worse, apps sit on a mobile device that lives in a zero-trust world. The combination of inadequate quality control processes during development and a hostile final destination following deployment forms the third reason security is foundational for mobile app development.
As noted above, many companies turn to third-party resources for app development. It is not wholly unreasonable to expect a third party to bake adequate security into the apps they create for you – but it is far from a given.
At the same time, companies building mobile app development capabilities internally are only now starting to realize their existing security solutions will not get the job done. This is in part because existing app security solutions are primarily focused on web apps, where all the resources that enable app functionality are on web servers, and generally well-protected.
Mobile apps, by contrast, use the system resources of the (unsecure) device on which they are loaded. Solutions that detect issues in web apps can’t help you with mobile apps. For most businesses, their entire security strategy will not work as they try to develop secure mobile apps.
Why isn’t anyone telling you this? Very few understand the intricacies of security when it comes to mobile app development. The technology is markedly different from traditional development and is still relatively new. So even though businesses are already playing the game, they don’t know all the rules, and are likely to get caught with their security pants down.
As bleak as things look on the security side, mobile app development is equally fraught when it comes to privacy. And not just because consumers want businesses to be more socially responsible when it comes to sensitive information. Enterprises are also navigating an increasingly complex set of regulations as they deal with the increasingly extensive expectations of social responsibility.
The headline-capturing regulations today, such as GDPR, NIAP, CCPA, PCI and HIPAA, are just the beginning. Many countries are embracing their own versions of these regulations starting in 2020.
In short, privacy and security are deeply entwined with business strategies. Whether you are an enterprise, SMB or government entity, your cybersecurity strategy needs to account for mobile devices and mobile apps. And this is all the more important because your apps will eventually run in a zero-trust world where neither the device, the owner nor the network can be trusted.
Mobile is the de facto productivity platform for businesses. Securing your mobile apps is every bit as important as securing the servers in your data center–whether you think about it or not.
Zimperium helps businesses develop apps that are as secure as they can be by offering solutions that span the complete app development lifecycle. If you’d like to know more, please contact us.