We Know Why 85% of Mobile Apps Suck in Security. Do You?
If you are using a mobile app, you are screwed!
Let’s consider the following facts. 68% of enterprises  have reported mobile breaches which cost them $50 billion every year.
In other findings from Arxan ,
- 5% of popular apps that contain professional anti-hacking tools.
- More than 90% of top paid mobile apps have been hacked including 92% and 100% of Top 100 paid apps for Apple iOS and Android
- 40% and 80% of popular free Apple iOS and Android apps were found to have been hacked.
The above statistics means that 9 out of 10 apps on your smartphones and tablets can be hacked, and almost every popular app has already been hacked.
Don’t you think it is a bit absurd when you ask yourself this question: “Do I live in a house without a lock on its front door?”  Mobile app security is like the lock for your mobile app. You don't leave security decision about your house to your builders, so why are you doing that with your mobile apps?
Something is fundamentally wrong.
We’ve seen things you wouldn't believe.
In just the past 12 months, we’ve come across 100 mobile app projects at different phases: initial analysis, development, testing, deployment and after go-live. We’ve had conversations with more than 300 professionals active in the enterprise mobility space. From the enterprise side, we’ve talked to C-level executives, security officers, mobile directors/managers. We’ve also met founders, app developers, project and account managers from third-party development agencies.
We observed, asked questions, and uncovered the underlying problem that caused the current miserable state of mobile application security. Despite the fact that mobile breaches have cost enterprises a fortune, mobile, or to be precise mobile application, security still sucks.
The answer doesn’t lie in technology but in us.
Who shows up at your mobile app project?
A typical mobile app project consists of 3 different kinds of people: 1) mobile app owner; 2) software developers, UX designers, IT architects; and 3) security officers.
A mobile app owner is a non-technical person in charge of the direction of the project and the delivery of the app. S/He’s responsible for the business case, the budget, stakeholder management and not the low-level technical details.
Software developers, UX designers, IT architects are usually employed by the third-party mobile app development agency. Mobile app development agencies either have no security experts or have just lost their only one. Security experts are quite expensive.
App development agencies spend their resources and time on perfecting the look and feel of the mobile app; after all, that’s what they’re paid for.
And do you know why? Our digital generation is asking for, no, demanding it.
User experience determines the acceptance, thus the success of a mobile app.
The last group of people are security officers who are responsible for the overall information security within the enterprise. They are busy because there are few of them compared to other roles in the company. If they are not busy, something is wrong. Security officers are not invited to every business or technical meetings for reasons we’ll get into later.
In every Hollywood blockbuster, there is a hero who does superheroic things to save the day. The person who spearheads a mobile project, delivers a cool app or guides his enterprise through a digital transformation is seen as the hero. On the contrary, security officers are villains who cause trouble and make life difficult for the hero.
There are holes in your assumption
The mobile business owner thinks that the responsibility for application security rests with the developers and implicitly assumes that it will be completed during the course of the project.
Application developers, confident with their knowledge and skills, believe that they have "security solved," which often translates to a "good enough" approach based on their judgment. 
It is important to understand that application developers are not security experts. Their primary skill set is frontend coding and maximizing the User Experience (UX). They are trained to ensure the application contains required features and business functionalities. They are focused on the User Interface (UI) to make their application easy to interact with and beautiful to look at, and not so much concerned with security side meaning their judgments about what is appropriate in terms of security is far off course.
The average talk time at developers' conferences about security topics is only 3%. The status quo of this digital generation is that a mobile app has to be beautiful. Secure? Not so much.
This belief puts enterprises and their app users at risk.
Security officers have a completely different view on this topic, but unfortunately, they have very little power over the project, and often arrive at the scene too late.
They are firefighters, but from the project perspective, they are the saboteurs who derail the project with their “hypothetical” questions and construct barriers to prevent a mobile app from being released to production.
Application security obviously takes a backseat; if it even makes it to the backseat to join the ride.
This is a recipe for catastrophe
When the mobile app is finally completed and launched, the time bomb starts ticking.
Counting down to the day it will get hacked.
We live in a time of not IF but WHEN you will be hacked.
The invoices are paid and the developers are gone. The responsibility to operate the app now solely lies on the shoulders of the mobile app owner.
When a cyber breach happens, attackers encounter only “good enough” security implementation – assuming that average security survived throughout the project phase – from the people who don’t understand application security and didn’t get paid to do it.
The barrier is only green grass
There is no barrier for hackers who spend years or even their whole life living in the virtual world, looking for loopholes and weak points to exploit. We’re talking about an uneven chess game between a grand master and a weekend hobbyist. And the hobbyist is not PRESENT at the chessboard when the final check-mate is declared.
An industry average response time to a cyber breach can take up to more than 250 days. 
That goes to show how well we play chess. We only realize that we lost the game more than half a year later.
In 2015, we lost more than $50 billion  globally playing this game and this number will only increase.
A billion dollar question
There is a big opportunity and a huge prize for those who crack this problem and challenge responsible people to do the right thing and lead us on this digital journey not only through the grand user experience but also with a sense of safety and security in mind.
It won’t be easy, but it’s a step we have to take.
The digital world can be safe. We’ve built a safe physical world, so we can build a safe digital world too.
If you’d like to get a true assessment of the security of your mobile application and its backend, please check out our Mobile App Security Audit service. Alternatively, request a FREE Demo to know how we can assist you with the security of your mobile solutions.
Most Recent Articles
- From State Machine to Stateless Microservice
- Entangled ways of product development in the area of cybersecurity #3 - LogMan.io
- Entangled ways of product development in the area of cybersecurity #2 - BitSwan
- Entangled ways of product development in the area of cybersecurity #1 - Asynchronous or parallel?
- State machine miracle
You Might Be Interested in Reading These Articles
A new EU regulation, European General Data Protection Regulation (GDPR) has been proposed to improve the data protection of individuals. This regulation is the subsequent to the 1995 directive. It was agreed on 17 December 2015 and its implementation starts from 2018.
Published on July 12, 2016
The hack on the Italian-based firm Hacking Team revealed that exploiting is not just done by black hats and bad hackers but can be committed by a legitimate company. A dump of 400 gigabits email revealed that the company was involved in zero-day exploits.
Published on August 04, 2015
Apple will want to dominate the market for TV apps. To achieve this objective, it’s understandable that Apple makes it easy for app developers to create apps and games for the Apple TV platform using tvOS and profit from them just as they have already done so for the iPhone and iPad devices. Developers can leverage similar frameworks and technologies since tvOS is just a modified version of the iOS. They can even retrofit the apps that were previously developed for iOS to support the Apple TV’s tvOS.
Published on June 29, 2016