We Know Why 85% of Mobile Apps Suck in Security. Do You?

If you are using a mobile app, you are screwed!

Let’s consider the following facts. 68% of enterprises [1] have reported mobile breaches which cost them $50 billion every year.

In other findings from Arxan [2],

  • Only 5% of popular apps contain professional anti-hacking tools.
  • More than 90% of top paid mobile apps have been hacked, including 92% and 100% of the Top 100 paid apps for Apple iOS and Android respectively.
  • 40% and 80% of popular free Apple iOS and Android apps respectively were found to have been hacked.

The above statistics mean that 9 out of 10 apps on your smartphones and tablets can be hacked, and almost every popular app has already been hacked.

Don’t you think it is a bit absurd when you ask yourself this question: “Do I live in a house without a lock on its front door?” [3] Mobile app security is like the lock for your mobile app. You don't leave security decisions about your house to your builders, so why are you doing that with your mobile apps?

Something is fundamentally wrong.

We’ve seen things you wouldn't believe.

In just the past 12 months, we’ve come across 100 mobile app projects at different phases: initial analysis, development, testing, deployment and after go-live. We’ve had conversations with more than 300 professionals active in the enterprise mobility space. From the enterprise side, we’ve talked to C-level executives, security officers, mobile directors/managers. We’ve also met founders, app developers, project and account managers from third-party development agencies.

We observed, asked questions, and uncovered the underlying problem that caused the current miserable state of mobile application security. Despite the fact that mobile breaches have cost enterprises a fortune, mobile, or to be precise mobile application, security still sucks.

The answer doesn’t lie in technology but in us.

Who shows up at your mobile app project?

A typical mobile app project consists of 3 different kinds of people: 1) mobile app owner; 2) software developers, UX designers, IT architects; and 3) security officers.

A mobile app owner is a non-technical person in charge of the direction of the project and the delivery of the app. S/He’s responsible for the business case, the budget and stakeholder management, not for the low-level technical details.

Software developers, UX designers, IT architects are usually employed by the third-party mobile app development agency. Mobile app development agencies either have no security experts or have just lost their only one. Security experts are quite expensive.

App development agencies spend their resources and time on perfecting the look and feel of the mobile app; after all, that’s what they’re paid for.

And do you know why? Our digital generation is asking for, no, demanding it.

User experience determines the acceptance, thus the success of a mobile app.

The last group of people are security officers, who are responsible for the overall information security within the enterprise. They are busy because there are few of them compared to other roles in the company. If they are not busy, something is wrong. Security officers are not invited to every business or technical meeting, for reasons we’ll get into later.

In every Hollywood blockbuster, there is a hero who does superheroic things to save the day. The person who spearheads a mobile project, delivers a cool app or guides his enterprise through a digital transformation is seen as the hero. On the contrary, security officers are villains who cause trouble and make life difficult for the hero.

There are holes in your assumption

The mobile business owner thinks that the responsibility for application security rests with the developers and implicitly assumes that it will be completed during the course of the project.

Application developers, confident with their knowledge and skills, believe that they have "security solved," which often translates to a "good enough" approach based on their judgment. [4]

It is important to understand that application developers are not security experts. Their primary skill set is frontend coding and maximizing the User Experience (UX). They are trained to ensure the application contains the required features and business functionality. They are focused on the User Interface (UI), making their application easy to interact with and beautiful to look at, and not so much on the security side, which means their judgment about what is appropriate in terms of security is far off course.

The average talk time at developers' conferences about security topics is only 3%. The status quo of this digital generation is that a mobile app has to be beautiful. Secure? Not so much.

This belief puts enterprises and their app users at risk.

Security officers have a completely different view on this topic, but unfortunately, they have very little power over the project, and often arrive at the scene too late.

They are firefighters, but from the project perspective, they are the saboteurs who derail the project with their “hypothetical” questions and construct barriers to prevent a mobile app from being released to production.

Application security obviously takes a backseat, if it even makes it into the car to join the ride.

This is a recipe for catastrophe

When the mobile app is finally completed and launched, the time bomb starts ticking.

Counting down to the day it will get hacked.

We live in a time of not IF but WHEN you will be hacked.

The invoices are paid and the developers are gone. The responsibility to operate the app now solely lies on the shoulders of the mobile app owner.

When a cyber breach happens, attackers encounter only a “good enough” security implementation – assuming even that average level of security survived the project phase – built by people who don’t understand application security and weren’t paid to do it.

The barrier is only green grass

There is no barrier for hackers who spend years or even their whole lives living in the virtual world, looking for loopholes and weak points to exploit. We’re talking about an uneven chess game between a grandmaster and a weekend hobbyist. And the hobbyist is not PRESENT at the chessboard when the final checkmate is declared.

The industry average response time to a cyber breach is more than 250 days. [5]

That goes to show how well we play chess. We only realize that we lost the game more than half a year later.

In 2015, we lost more than $50 billion [6] globally playing this game and this number will only increase.

A billion dollar question

There is a big opportunity and a huge prize for those who crack this problem: those who challenge the responsible people to do the right thing and lead us on this digital journey not only with a grand user experience but also with safety and security in mind.

It won’t be easy, but it’s a step we have to take.

The digital world can be safe. We’ve built a safe physical world, so we can build a safe digital world too.

If you’d like to get a true assessment of the security of your mobile application and its backend, please check out our Mobile App Security Audit service. Alternatively, request a FREE Demo to know how we can assist you with the security of your mobile solutions.

References

  1. http://www.eweek.com/security/mobile-security-breaches-hit-68-percent-of-firms-in-the-last-year.html
  2. https://www.arxan.com/wp-content/uploads/assets1/pdf/state-of-security-app-economy.pdf
  3. https://www.teskalabs.com/blog/situations-where-mobile-app-security-best-practices-is-necessary
  4. https://www.teskalabs.com/blog/golden-age-of-black-hats
  5. https://nhlearningsolutions.com/Portals/0/Documents/2015-Cost-of-Data-Breach-Study.PDF
  6. http://www.squaremilebroking.com/cyber-breaches-cost-businesses-50-billion-last-year/

About the Author

Ales Teska

TeskaLabs’ founder and CEO, Ales Teska, is a driven innovator who proactively builds things and comes up with solutions to solve practical IT problems.
