Your Mobile App Security Guide: Averting Common Threats
With the popularization of mobile apps for work and leisure, security has become a constant challenge for brands. Learn how to protect your corporate mobile ecosystem and customer privacy from exploits.
Mobile applications have taken the business world by storm. Employee-facing mobile tools became a staple at digital-first, decentralized and agile workplaces, while also facilitating remote work. Simultaneously, enterprises are actively adjusting their value propositions to the demands of the mobile-centric world. Relying on mobile app development, brands across sectors enable more convenient and user-friendly experiences for their customers.
On the downside, this proliferation of mobile applications expanded the corporate attack surface and brought about an increase in business-targeted security exploits that inflict financial struggles and reputational damage on companies. In this context, ensuring mobile app security becomes a major source of concern for enterprises.
This guide is designed to help companies navigate the modern threat landscape and embrace a comprehensive and sustainable security strategy for employee- and customer-oriented mobile tools.
What Caused Mobile App Security Incidents in 2020
In terms of mobile security, this year has been a turbulent one for the business world. According to the latest Mobile Security Index report by Verizon, 39% of organizations experienced a safety incident that involved a mobile or IoT device, compared to 33% in 2019 and 27% in 2018; in two cases out of three, the financial, reputational and regulatory consequences were major.
This increase is particularly distressing given that today businesses are more attentive to their security and less likely to sacrifice mobile protection for the sake of expediency or convenience. On the one hand, it can be attributed to a spate of activity from cybercriminals, who took advantage of the growing importance of mobile amid the lockdown and the pivot to telework. On the other, we shouldn’t rule out the possibility that this amplified security awareness affected the final percentage, as it allowed companies to identify incidents as specifically mobile-related. The truth is, as always, likely to lie in the middle.
To understand the mobile security landscape better, let’s look into the safety risks that plagued consumer and corporate mobile applications this year.
Phishing is a social engineering type of attack where trustworthy entities are replicated or imitated to convince the victim to open a malicious link or message or submit personal information in other ways. Phishing scams appeared in the 90s and remain the most persistent security threat of today.
To keep their exploits successful against the evolving defense mechanisms, hackers constantly come up with new complex phishing schemes. Email applications would be an obvious ground for a phishing scam, but with companies implementing filtering tools and users growing warier of suspicious text communications, cybercriminals had to diversify their delivery mechanisms. Of late, mobile apps have earned their special attention.
As a result, 87% of successful mobile phishing attacks occur outside of email, states the 2020 Mobile Threat Landscape Report by Wandera. Cybercriminals exploit social media, messengers, retail apps, productivity tools, and mobile games. There has also been a rise in phishing scams targeting banking apps: in one case, the fraudsters went as far as modifying a Spanish bank app to steal user credentials and uploading it to the App Store. CEO fraud is another novel type of phishing scam, in which cybercriminals impersonate senior executives and ask employees to make a corporate funds transfer.
Why is mobile phishing particularly effective? For one thing, smartphone screens are smaller, so it’s harder to see the difference between the official app page and a fraudulent one. People also tend to operate mobile phones at a higher speed and enter login credentials almost automatically. What is more, there are many techniques for disguising malicious URLs and presenting them inconspicuously, such as punycode or homoglyphs.
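A link filter can catch the punycode and homoglyph disguises mentioned above by decoding the hostname and comparing it with the names it imitates. The sketch below is an added example, not code from the original article; the allow-list, the small lookalike table and the sample hostname are constructed assumptions.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed, deliberately tiny Cyrillic-to-Latin lookalike table; a real
# deployment would load the full Unicode confusables data instead.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i"}

# Hypothetical allow-list of hostnames the organisation really uses.
KNOWN_GOOD = {"example-bank.com"}


def to_ascii(host):
    """Encode a Unicode hostname the way it travels on the wire (xn-- labels)."""
    return ".".join(
        lab if lab.isascii() else "xn--" + lab.encode("punycode").decode("ascii")
        for lab in host.split("."))


def to_unicode(host):
    """Decode xn-- labels back to what a user would see rendered."""
    out = []
    for lab in host.lower().split("."):
        if lab.startswith("xn--"):
            try:
                lab = lab[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label
        out.append(lab)
    return ".".join(out)


def scripts(label):
    """Approximate script set: first word of each letter's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def check_url(url):
    """Return a list of findings for the URL's hostname; empty means clean."""
    host = urlsplit(url).hostname or ""
    shown = to_unicode(host)
    findings = []
    if any(lab.startswith("xn--") for lab in host.split(".")):
        findings.append("punycode")
    if any(len(scripts(lab)) > 1 for lab in shown.split(".")):
        findings.append("mixed-script")
    skeleton = "".join(CONFUSABLES.get(ch, ch) for ch in shown)
    if shown not in KNOWN_GOOD and skeleton in KNOWN_GOOD:
        findings.append("lookalike-of:" + skeleton)
    return findings


# Constructed sample: the third letter is Cyrillic U+0430, not Latin "a".
SPOOF = "https://" + to_ascii("ex\u0430mple-bank.com") + "/login"
```

A legitimate internationalized name yields only the informational `punycode` finding, while the constructed spoof also trips the mixed-script and lookalike checks.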
Malware is malicious software that aims to gain access to sensitive data or undermine a device’s functionality. Today, malware comes in all shapes and sizes: from adware, an annoying but harmless solution that displays unwanted advertisements, to ransomware that steals sensitive data for ransom, to spyware that allows hackers to monitor a device owner’s activities.
Cryptojacking is a novel type of attack that has already managed to affect many via the mobile channel. This malware utilizes an infected device’s resources to mine cryptocurrency, draining its power and resources. In the long run, cryptojacking may disrupt operations and undermine a company’s performance.
With official app stores growing more stringent about the app quality and security of submitted apps, cybercriminals are forced to come up with imaginative ways of spreading malware. Some upload their malicious apps to non-official stores, disguising them as an entertaining or useful solution in hope that someone keen on sideloading or jailbreaking will download it. Recently, hackers learned to make the malware ‘elusive’ so that it stays dormant for weeks and months or until triggered.
Others may seek out weak spots in popular apps’ new versions or updates, leaving no brand invincible. In May of 2019, hackers exploited a WhatsApp vulnerability to run malicious code that allowed them to inject spyware into victims’ phones via a simple call. Around 1,400 users of the app’s 1.5 billion audience were affected before the company urgently released an update that patched the security fault.
Wi-Fi connection is another risk point for users of consumer and business mobile apps. While access points at home or in the workplace can generally be trusted, it’s easy to come across a rogue or unsecured access point in public spaces, such as hotels, cafes, airports, supermarkets, etc.
Such connections are fraught with security risks of varying degrees of severity. Gaining control over a poorly secured hotspot or using a fake one, hackers may intercept mobile traffic via a man-in-the-middle attack and steal app credentials, confidential documents, and other sensitive information.
Another attack scenario is malware injections. Intercepting the web server’s unencrypted response before the user gets it, cybercriminals insert the hidden malicious code into it, which goes on to undermine the mobile application and then the entire device.
Aware of the risks, 48% of companies prohibit employees from using public networks for work, while 65% ask to use VPN over a public network, the 2020 Verizon Mobile Security Index discovered. Still, according to the 2020 Wandera report, 7% of users connect to insecure access points each week. One may do it out of critical necessity, for instance, when stuck in an airport with no other connection but a public hotspot. Others break the rules being too certain of the Wi-Fi network legitimacy, but since rogue hotspots assume the name of well-reputed companies and brands, they are impossible for an untrained eye to tell apart from reliable ones.
Physical Device Access
A lost smartphone is a fact of life, albeit not a pleasant one. Yearly, thousands of personal and corporate mobile devices get lost or stolen, and a fair share ends up in the hands of someone who can make use of the owner’s identity or the sensitive information the phone stores. Even though this type of attack is the most obvious to mitigate and prepare for, 20% of companies consider their defenses against mobile theft or loss inadequate, as Verizon found in their report.
Sometimes, criminals don't need to take hold of the mobile phone: a few minutes with an unprotected device can be enough to plant malware. Since most people tend to consider their workplaces a safe zone and don’t hesitate to leave devices unattended, such an attack can easily occur in a large open-space office.
Juice jacking is another common cyberattack that requires physical access to a mobile phone. By tampering with a USB charging station in a public place, a cybercriminal can leak passwords and data from the plugged devices or install malware onto them. Given that 40% of business travelers and 28% of personal travelers often rely on public charging ports according to IBM’s Cybersecurity Threats Growing in Travel and Transportation Industries study, juice jacking poses a viable threat to many people.
Strengthening Corporate Mobile App Security
The common IT security measures fall short of ensuring all-round security of proprietary and third-party applications that make part of corporate workflows. To make it worse, employees often fail to observe relevant safety precautions.
Thus, to render their corporate mobile ecosystems secure and efficient, organizations need to work on their security actions, corporate guidelines, and staff awareness.
Implement Essential Security Actions
First, make sure your company adheres to basic mobile security provisions, such as two-factor authentication, change of default app logins and passwords, and full-disk encryption of sensitive data. You will also need to restrict employees’ access to enterprise apps and stored data based on their job roles. Observing these four measures alone will forestall the majority of mobile app security incidents, both intentional and unintentional.
Another vital security arrangement is shielding your mobile ecosystem against specific attacks. To avert phishing scams, your company can equip each mobile device with a monitoring solution to analyze the incoming traffic and filter out phishing content in emails, app notifications, and texts. Anti-malware software is another indispensable tool for enterprise mobile security, as it scans the device and incoming network data for various types of malware 24/7.
Today, with crimeware growing sophisticated and elusive to traditional antivirus software, AI cybersecurity tools are rising to prominence as a more suitable solution. Drawing on good-behavior models, these tools analyze the mobile device activity and detect malware-related anomalies, such as data transferred in unusual amounts or excessive use of certain resources.
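The good-behavior baseline described above can be shown with a much simpler statistic than the AI tools the text refers to. The following added example (not from the original article) swaps in a median/MAD modified z-score over constructed per-app telemetry; the metric names, threshold and sample figures are assumptions.

```python
from statistics import median

THRESHOLD = 3.5   # common cut-off for the modified z-score (assumption)
MIN_SCALE = 1.0   # floor so a perfectly flat baseline does not flag tiny changes
MIN_HISTORY = 5   # fewer days than this is not yet a usable baseline

# Constructed telemetry for one device: seven days of history per app/metric.
BASELINE = {
    ("mail", "upload_mb"): [12, 15, 11, 14, 13, 12, 16],
    ("mail", "cpu_min"): [4, 5, 4, 6, 5, 4, 5],
    ("flashlight", "upload_mb"): [0, 0, 0, 0, 0, 0, 0],
    ("flashlight", "cpu_min"): [1, 1, 1, 1, 1, 1, 1],
}
# Constructed readings for the day being evaluated.
TODAY = {
    ("mail", "upload_mb"): 17,
    ("mail", "cpu_min"): 5,
    ("flashlight", "upload_mb"): 240,
    ("flashlight", "cpu_min"): 95,
}


def modified_z(history, value):
    """Distance of value from the median, in robust (MAD-based) units."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return 0.6745 * (value - med) / max(mad, MIN_SCALE)


def find_anomalies(baseline, today, threshold=THRESHOLD):
    """Return (key, value, score) for readings far above the app's own norm.

    Apps with no usable history are reported with score None so that a
    newly installed app is reviewed rather than silently trusted.
    """
    hits = []
    for key, value in sorted(today.items()):
        history = baseline.get(key, [])
        if len(history) < MIN_HISTORY:
            hits.append((key, value, None))
            continue
        score = modified_z(history, value)
        if score > threshold:
            hits.append((key, value, round(score, 1)))
    return hits
```

On the constructed data the mail client's slightly busier day stays below the threshold, while the flashlight app's sudden uploads and CPU use are both reported.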
Introduce User Security Guidelines
To regulate the safe handling of mobile applications at your company, you need to enforce a dedicated set of requirements and practices. The policy should encompass such aspects as installation of third-party apps on a provided device, use of personally owned devices for work purposes, and connection to public and private networks.
The document should also detail such crucial mobile security actions as timely patching and updating, cache management, regular changes of credentials, and so on. Above all, it should oblige employees to report lost or stolen devices, security incidents, and cases of unauthorized access.
No matter how much you trust your staff, they still may fail to observe corporate security guidelines due to their particular circumstances or out of neglect. When shell-proof security is a crucial component of your service or a major competitive advantage, you can retrofit your mobile ecosystem with automatically enforced security controls, preventing employees from violating certain key policies.
Raise Employees’ Awareness
Having security monitoring tools and robust safety regulations is essential for corporate mobile security, but companies should refrain from pinning all hopes on them. With hackers continuously innovating their attack methods, the software may sooner or later let something slip through defenses, while security rules, as mentioned above, can be ignored.
In an environment allowing mobile connectivity, security becomes a shared responsibility, so the decision to keep employees in the dark about relevant safety risks and their consequences is highly likely to result in an unintentional breach. Thus, your company will achieve a far sounder mobile ecosystem protection if you raise employees’ awareness of device and app security.
This corporate training program should educate employees about general and domain-specific mobile security threats and vulnerabilities and how they can undermine business operations. You need to teach your staff to recognize phishing messages and notifications, identify suspicious links and apps, discern suspicious mobile activity, and report these threats. Since new malware, phishing scams, and network threats appear almost daily, it’s important to regularly update employees’ knowledge.
Ensuring a Safe App Experience for Consumers
The security of customer mobile apps is another source of deep concern for businesses. For one thing, retrofitting an app with multiple advanced protection layers is bound to not only make it cumbersome and diminish its user-friendliness but also to prove expensive to maintain. Over and above, no brand can compel their customers to observe the necessary security precautions or install monitoring solutions.
To safeguard customers from mobile security troubles without subjecting them to limitations, companies need to balance the following strategies: security-first development, continuous refinement of the app source code, and customers’ security education.
Make Apps Secure by Design
A dismaying number of mobile apps are released with inherent vulnerabilities because developers tend to treat security as an afterthought. By integrating software security testing into the development lifecycle, you will build a high-quality mobile app that is resilient to mainstream hacker exploits and stays sustainable in the long run.
Creating a secure-by-design application begins with analyzing domain- and functionality-specific security risks and collecting security requirements. At the design stage, the team should conduct threat modeling to understand how attackers could compromise the software. In their turn, the engineers should implement relevant security controls into the source code and continuously review it for weak spots.
Before releasing the solution to the general public, the app is once more subjected to an all-round security assessment, where all the vulnerabilities in the source code and gaps in the protection mechanisms are detected and mended.
In case you want to outsource the creation of your branded mobile app, it’s recommended you seek out a dedicated development team that not only has relevant skills and experience but also prioritizes the security-first approach and leverages best security practices.
Provide Regular Patches and Updates
Solid source code is not enough to render your customer-facing mobile app impregnable. Down the line, the default security controls may grow outdated and inefficient against evolved exploits. There can be bugs undermining the app’s integrity, too. For this reason, you need to closely monitor the app’s security health and new types of cyberattacks to safeguard it against threats.
Security patches, sets of corrections in the source code, are great tools against imminent security risks. A patch, however, is a single solution to a single issue, usually not a major one. When your mobile app is riddled with security loopholes which make it a permanent target of exploits, or if it employs subpar security controls, then an upgrade is required.
Keep Users Informed
Regrettably enough, your efforts to render your mobile app secure might be thwarted by none other than your customers. Your team may equip the application with sophisticated in-built security controls, but your customer might simply turn off multi-factor authentication for the sake of convenience and fall victim to a mundane exploit. Or you might release critical patches and updates but customers, unaware of their importance, fail to install them, as was the case with the WhatsApp spyware incident. One month after the attack announcement, 20% of devices remained unpatched.
That’s why it is important to educate mobile app users about efficient security practices and why following them is important. Since you can’t hold full-scale security training for each of your customers, you should devise a format that will be both informative and unobtrusive. It is also necessary to keep mobile app users in the know about emerging attacks and what they may look like, as well as to provide an escalation if necessary.