2020 had already seen massive growth in app usage, even before the global pandemic led to forced remote working, e-learning, and an overall greater preference for online services. Globally, app usage grew 40% during the pandemic, and spend on the two main app stores (iOS and Android) reached a record $112 billion. Certain sectors, in particular, saw steep increases in downloads and usage, including:
- Downloads of Zoom’s app increased 3,000% due to the increased demand for remote video-conferencing
- Medical apps, such as WebMD and Doctor on Demand, grew about 65% globally
- Banking apps grew by more than a third in the US during Q1 2020 and more than 80% in places like Japan and South Korea
- Retail app usage soared, with mobile commerce estimated to account for 42% of holiday shopping this year
However, as we observed in 2020, app security did not improve in line with these growth figures. In many cases, increased use only highlighted security flaws and made apps even bigger targets for hackers. Combined with rushed app development and issues with scaling security capacity to handle increased workloads, 2020 has not been a good year for app security.
The state of mobile application security in 2020
App security is a major risk for businesses, as we observed in our annual report. With the average cost of data breaches in the US hovering around $8 million (and $3.95 million globally), not to mention damage to consumer trust and regulatory fines, app security should be foremost in the minds of security professionals around the world. Unfortunately, research shows that app security vulnerabilities are apparent in 95% of Android apps and 91% of those on iOS.
The main attack vectors that hackers use to gain access to apps and steal data are:
- Attacks on physical security
- Attacks on network security
- Malicious applications
- Exploiting vulnerabilities
Knowing where threats will materialize is only part of the battle. Robust app security needs to be built into the software development lifecycle (SDLC), including secure app design principles and in-app protection strategies.
Due to the high value of the data that can be stolen, certain sectors are also more prone to attack than others. Throughout 2020, we looked at app security in two of these critical sectors in extensive detail: fintech and healthcare.
The state of financial app security in 2020
This year, mobile banking and financial apps saw tremendous growth in downloads, sessions, and time spent in-app due to reduced physical transactions caused by COVID. This also led to a surge in attacks on banking apps worldwide, with hackers looking to capitalize on rushed app deployments and security fatigue among users. Our audit of the 100 biggest financial apps revealed some worrying insights into their security vulnerabilities and the risks they present to organizations and their customers.
Our research showed that nearly every app (98%) had at least one type of security vulnerability, based on the OWASP Mobile Top 10 Security Risks. Even more serious was the fact that 71% of the apps contained a high-level security risk, according to the Common Vulnerability Scoring System.
Some of the key data we uncovered about financial app security included:
- Over 90% of the financial apps we tested had four or more vulnerabilities
- Data and code were being put at risk by mishandled and/or weak encryption, which was an issue in 82% of the financial apps we looked at
- Weak protection against key extraction put 62% of Android and 32% of iOS apps at risk of critical attacks
- Insufficient transport layer security, exposing data and session IDs and enabling man-in-the-middle attacks, was an issue for 34% of the Android and 16% of the iOS apps tested
Despite the high prevalence of security flaws in financial apps, our research also found that nearly 70% of serious vulnerabilities can be mitigated by deploying in-app protection.
The state of healthcare app security in 2020
With the surge in popularity of telehealth and other medical apps, the mHealth app market is predicted to be worth over $130 billion by 2022. As medical records fetch extremely high prices on the black market, healthcare apps are major attack targets. This year brought even greater incentive for attack given the rushed nature of many healthcare apps, which provided low-hanging fruit for cyber criminals.
To judge the status of healthcare app security in 2020, we tested 100 apps across four popular categories: health commerce, medical devices, telemedicine/patient engagement, and COVID-tracking. Here are some of our most striking discoveries:
- 100% of Android mHealth apps and 72% of iOS ones had four or more vulnerabilities
- Mishandled and/or weak encryption was an issue for 91% of the apps investigated
- 85% of COVID-tracking apps leaked data
- 80% of health commerce apps had seven or more vulnerabilities
- The greatest prevalence of high-risk security threats was among telemedicine apps, with 80% containing at least one high-severity vulnerability
As with our findings for financial mobile app security, however, our research revealed that 83% of high-level threats can be mitigated if the app developers or distributors use in-app protection.
Application security in 2021
Mobile apps are now the norm, with the COVID pandemic accelerating digital adoption by up to five years. Until organizations do a better job of integrating security into their SDLC, app providers and their customers face major security risks. Our own research into two prominent sectors exposed major gaps in their mobile app security, but the risks pertain to all industries.
Fortunately, most of these can be mitigated by applying in-app protection techniques, meaning that 2021 can be a year when app security reaches the level that businesses need and users deserve.
About Prateek Panda
Prateek Panda is Director of Marketing at Intertrust Technologies and leads global marketing for Intertrust’s application shielding and device identity solutions. His expertise in product marketing and product management stems from his experience as the founder of a cybersecurity company with products in the mobile application security space.