Within the last several years alone, billions of mobile apps have been downloaded by consumers to their smartphones. From chat and messenger, to medical and banking portals that store highly sensitive personal intelligence – information, entertainment, and engagement between companies and their consumers are at the simple touch of a fingertip at all times. Consumers are drawn to the quick accessibility and ease of use, and for companies – the development and launch of the platforms as an extension of their brand has a low cost and barrier to entry that makes it a no brainer for business.
But unlike what we’ve widely deemed “smart” technology – i.e., the phones, cars, or thermostats that are top of mind today – mobile applications somehow still tend to be categorized separately. In spite of the fact that mobile apps live on IoT-enabled devices, collect user data, and continuously loop communication between Internet, cloud services and companies (even when not “in use”), there is a limited view that they are different entities altogether. We see this particularly when it comes to security – or lack-there-of – regarding security standards in place to continuously protect users from detrimental application hacks.
Flying under the radar
According to Intertrust’s State of Mobile App Security 2020 report, “nearly three-quarters of apps would not pass a basic security test, 83% of apps have at least one security flaw, and mobile security vulnerabilities are found in 91% and 95% of iOS and Android apps, respectively.” Between physical security breaches like phished passwords, harmful malware, overall network security breaches, or the detection and exploitation of app, device, and operating system vulnerabilities through reverse engineering – there are plenty of ways that mobile apps have and continue to be targeted by malicious actors.
One problem is the speed at which applications are created and deployed. Developers often overlook rigorous certification and testing during the development stage, keeping their efforts to a high level. The 2020 Verizon Mobile Security Index found that the top reasons for sacrificing mobile app security included expediency (62%), followed by convenience (52%) and profitability targets (46%). Once ultimately launched and then downloaded to users’ phones, apps are also widely undisturbed when it comes to security maintenance long-term. And while there are some scanning tools available, they are limited in scope and capabilities to be effective at identifying and mitigating all potential risks.
Another problem is the lack of regulation and industry standards that increase transparency, establish measurement, and therefore hold developers and companies accountable for meeting set security requirements. While there are many best practices that consumers can take to ward off cyber-danger (i.e., password hygiene or avoidance of sharing sensitive info. in public) in addition to app developers themselves (stronger encryption, Two-Factor Authentication, continuous updates, etc.), these issues require broader efforts from the entire industry at large -- which has yet to be felt at scale.
In turn, apps have become a very easy target for hackers to infiltrate and steal sensitive information and data. In many cases, the success rate is also very low for new applications, and some become vacant or "zombie” apps that live on phones – unattended without updates or monitoring by the app stores. Flying under the radar, these platforms serve as prime targets for hackers to exploit without proper security management, compromising not just singular applications, but unlocking access to entire smartphones and their data once infiltrated.
Over the years we’ve seen numerous examples of brands experiencing breaches to their mobile applications. In 2014, hackers exposed personal info for over four million users of social media platform Snapchat – including usernames and phone numbers. The hackers themselves even came out saying that they were motivated to “raise the public awareness around the issue” and “put public pressure on Snapchat to get the exploit fixed” in a weird twist of events.
Well-known ride-sharing app Uber came under fire in 2017 when it was found to have covered up a 2016 data breach that exposed the names, emails, and phone numbers of 57 million users, 600,000 of which were Uber drivers and their license numbers. It cost the company $100,000 in bribe money to the hackers (yikes) and another $148 million in settled claims (double yikes).
A year later, sports apparel company Under Armour followed suit when its diet and fitness app “MyFitnessPal” was hacked, exposing usernames, email addresses and passwords for 150 million of its users – making it one of the largest data breaches to date.
Needless to say, this has and continues to plague the industry in a variety of ways that if left unaddressed now and in the years to come, will put consumers and employees of these companies at unwarranted risk time and time again.
Cause for change
Some organizations have launched programs to rectify these issues. The open-source security group OWASP, for instance, has done a great job creating the Mobile Security Testing Guide (MSTG) -- a comprehensive manual for mobile app security testing and reverse engineering for iOS and Android. It’s certainly an important step in the right direction.
But without regulation or standardization in place, companies are still left to their own devices to execute against them and are doing so without any oversight or measurement. It's the reason why the ioXt Alliance has gone the next step in leveraging OWASP's guidelines and turning them into specs that are scalable, testable by third-party test labs, and address the most common security issues to successfully improve the security for all consumers in a myriad of ways.
The fact is the same precautions and security measures now used to protect other IoT devices must also relate to mobile applications as in this way. Establishing, following, and enforcing these globally recognized, harmonized standards will in turn offer greater transparency around what users are downloading, strengthen trust and minimize fears, and contribute to increased adoption rates down the line. Building security into the process proactively versus retroactively after a breach has occurred will be what sets companies and their applications up for greater success and keep their users cyber-safe down the line.