We Know Why 85% of Mobile Apps Suck in Security. Do You?
If you are using a mobile app, you are screwed!
Let’s consider the following facts. 68% of enterprises have reported mobile breaches, which cost them $50 billion every year.
In other findings from Arxan,
- 5% of popular apps contain professional anti-hacking tools.
- More than 90% of top paid mobile apps have been hacked, including 92% of the Top 100 paid apps for Apple iOS and 100% of the Top 100 paid apps for Android.
- 40% of popular free Apple iOS apps and 80% of popular free Android apps were found to have been hacked.
The above statistics mean that 9 out of 10 apps on your smartphones and tablets can be hacked, and almost every popular app has already been hacked.
Isn’t it a bit absurd? Ask yourself this question: “Do I live in a house without a lock on its front door?” Mobile app security is the lock for your mobile app. You don't leave security decisions about your house to your builders, so why are you doing that with your mobile apps?
Something is fundamentally wrong.
We’ve seen things you wouldn't believe.
In just the past 12 months, we’ve come across 100 mobile app projects at different phases: initial analysis, development, testing, deployment and after go-live. We’ve had conversations with more than 300 professionals active in the enterprise mobility space. From the enterprise side, we’ve talked to C-level executives, security officers, mobile directors/managers. We’ve also met founders, app developers, project and account managers from third-party development agencies.
We observed, asked questions, and uncovered the underlying problem that caused the current miserable state of mobile application security. Despite the fact that mobile breaches have cost enterprises a fortune, mobile, or to be precise mobile application, security still sucks.
The answer doesn’t lie in technology but in us.
Who shows up at your mobile app project?
A typical mobile app project consists of 3 different kinds of people: 1) mobile app owner; 2) software developers, UX designers, IT architects; and 3) security officers.
A mobile app owner is a non-technical person in charge of the direction of the project and the delivery of the app. S/He’s responsible for the business case, the budget, stakeholder management and not the low-level technical details.
Software developers, UX designers, IT architects are usually employed by the third-party mobile app development agency. Mobile app development agencies either have no security experts or have just lost their only one. Security experts are quite expensive.
App development agencies spend their resources and time on perfecting the look and feel of the mobile app; after all, that’s what they’re paid for.
And do you know why? Our digital generation is asking for, no, demanding it.
User experience determines the acceptance, thus the success of a mobile app.
The last group of people are security officers, who are responsible for the overall information security within the enterprise. They are busy because there are few of them compared to other roles in the company. If they are not busy, something is wrong. Security officers are not invited to every business or technical meeting, for reasons we’ll get into later.
In every Hollywood blockbuster, there is a hero who does superheroic things to save the day. The person who spearheads a mobile project, delivers a cool app or guides his enterprise through a digital transformation is seen as the hero. On the contrary, security officers are villains who cause trouble and make life difficult for the hero.
There are holes in your assumptions
The mobile business owner thinks that the responsibility for application security rests with the developers and implicitly assumes that it will be completed during the course of the project.
Application developers, confident in their knowledge and skills, believe that they have "security solved," which often translates to a "good enough" approach based on their own judgment.
It is important to understand that application developers are not security experts. Their primary skill set is frontend coding and maximizing the user experience (UX). They are trained to ensure the application contains the required features and business functionality. They focus on the user interface (UI) to make their application easy to interact with and beautiful to look at, and are not much concerned with the security side, which means their judgment about what is appropriate in terms of security is far off course.
The average talk time at developers' conferences about security topics is only 3%. The status quo of this digital generation is that a mobile app has to be beautiful. Secure? Not so much.
This belief puts enterprises and their app users at risk.
Security officers have a completely different view on this topic, but unfortunately, they have very little power over the project, and often arrive at the scene too late.
They are firefighters, but from the project perspective, they are the saboteurs who derail the project with their “hypothetical” questions and construct barriers to prevent a mobile app from being released to production.
Application security obviously takes a backseat; if it even makes it to the backseat to join the ride.
This is a recipe for catastrophe
When the mobile app is finally completed and launched, the time bomb starts ticking.
Counting down to the day it will get hacked.
We live in a time of not IF but WHEN you will be hacked.
The invoices are paid and the developers are gone. The responsibility to operate the app now solely lies on the shoulders of the mobile app owner.
When a cyber breach happens, attackers encounter only “good enough” security implementation – assuming that average security survived throughout the project phase – from the people who don’t understand application security and didn’t get paid to do it.
The barrier is only green grass
There is no barrier for hackers who spend years or even their whole lives living in the virtual world, looking for loopholes and weak points to exploit. We’re talking about an uneven chess game between a grandmaster and a weekend hobbyist. And the hobbyist is not PRESENT at the chessboard when the final checkmate is declared.
The industry average response time to a cyber breach can exceed 250 days.
That goes to show how well we play chess. We only realize that we lost the game more than half a year later.
In 2015, we lost more than $50 billion globally playing this game, and this number will only increase.
A billion dollar question
There is a big opportunity and a huge prize for those who crack this problem, challenge the responsible people to do the right thing, and lead us on this digital journey not only through a grand user experience but also with a sense of safety and security in mind.
It won’t be easy, but it’s a step we have to take.
The digital world can be safe. We’ve built a safe physical world, so we can build a safe digital world too.
If you’d like to get a true assessment of the security of your mobile application and its backend, please check out our Mobile App Security Audit service. Alternatively, request a FREE Demo to know how we can assist you with the security of your mobile solutions.