Applications are essential to the business ecosystem, with the average company spending $34 million on app development alone. They aren’t just being used for revenue generation, either. They create a crucial link between companies and their customers—and also an entry point for hackers.
When it comes to mobile app security, the numbers are alarming:
- Almost three-quarters of apps would not pass even a basic security test.
- 83% of apps have at least one security flaw.
- Mobile security vulnerabilities are found in 91% and 95% of iOS and Android apps, respectively.
If your enterprise has an app, do you know the risks and are you prepared to counter them?
In Intertrust’s State of Mobile App Security 2020 report, you’ll learn more about the different mobile operating systems and their vulnerabilities, plus what developers can do to secure apps.
State of mobile app security 2020—Report recap
What will you find inside? Keep reading for a full synopsis.
Current mobile app market
The use of apps is skyrocketing. The market is already worth over $150 billion and is expected to grow at nearly 20% through 2023. This is hardly much of a surprise, though, when one looks at the numbers. Over 1.7 billion smartphones are shipped every year, and 92% of the five hours a day that smartphone users spend on their phone is spent interacting with apps.
The threat to apps
Unfortunately, the massive rise in app usage has caused a rise in attempts to hack applications and use them to steal private data. Hackers use a wide variety of methods to breach mobile app security, which fall under four main categories.
- Attacks on physical security: Hacking or phishing passwords for devices, accounts, and apps; jailbreaking devices to run apps outside of operating system restrictions.
- Attacks on network security: Compromising the connection between a device and a network; exfiltrating data through redirected requests; man-in-the-middle attacks to siphon private information being sent over a network.
- Malicious applications: Malware takes the form of applications and programs which masquerade as being safe or useful while stealing data or corrupting a device. They are often “spoofed” versions of genuine apps from trusted sources.
- Exploiting vulnerabilities: Hackers use reverse engineering to locate vulnerabilities in apps, devices, and operating systems. They can then use these vulnerabilities to bypass mobile security features or extract hardcoded encryption keys.
iOS versus Android
Considering how prevalent apps are in our lives and how much personal data they contain, it is disappointing that mobile app security hasn’t managed to keep up with the needs of developers and users to be protected from attack. The analyst firm Gartner estimates that almost three-quarters of apps would not pass even a basic security test, while researchers at Veracode found that 83% of apps have at least one security flaw.
This is true for both iOS and Android users, with Veracode finding mobile security vulnerabilities in 91% of iOS apps and 95% of Android apps. Every year, hundreds of vulnerabilities in the two major operating systems are discovered, and hackers use many of them to devastating effect. For example:
- Android: Hackers exploited the code in its libStageFright library, which Android used to automatically process certain multimedia messages. This meant that a device could be attacked simply by sending it a message, without the user even opening it.
- iOS: A vulnerability in its mobile app development environment, Xcode, meant that thousands of apps were infected at the source with malicious code before being distributed to users.
Mobile security for IoT devices
It is not just smartphones and their operating systems that are under threat. Internet of Things (IoT) devices, which are also becoming increasingly popular and widespread, are now a major target for hackers. With current estimates showing that IoT devices will be generating nearly 80 billion zettabytes of data by 2025, these devices and the applications that run them could be a goldmine for hackers looking to steal private information. It doesn’t help that most remote IoT devices are not protected by strong app security.
- Cars: With increased computing power come increased attacks on automobiles. Hackers have exploited various vulnerabilities in connected cars, enabling them to open and start them illegally, track their movements via GPS, and even gain the ability to turn the engine off while in motion.
- Home: Connected home systems offer attackers the opportunity to harvest vast amounts of data about user behavior and to gain access to home services such as cameras and alarm systems.
- Healthcare: IoT devices have the potential to revolutionize healthcare by remotely transmitting patient status data to medical professionals and delivering personalized treatment via programmed instruction. However, these same devices and apps also increase the attack surface, threatening the health of patients and putting their data under threat.
Costs to business of poor mobile app security
Because applications have become such an integral part of business, data breaches and lapses in security can carry huge costs for companies. In the US, this can amount to $242 per record stolen, which makes the average cost to an organization of a data breach more than $8 million, compared to a global average of $3.95 million.
More than a third of this cost comes from business disruption, such as system downtime and the damage to consumer trust, which leads to increased customer churn while also making it harder to acquire new customers.
What can organizations do to improve application security?
App security is lagging far behind the growth in the usage and importance of applications. To bridge that gap, organizations need to start improving the basics of their app protection to:
- Make secured-by-design the norm
- Improve server-side controls
- Make reverse engineering of applications more difficult
- Keep cryptographic keys secure and ensure they never appear in the clear
- Maintain a high level of standard encryption for all data
Intertrust fortifies your application security
Intertrust whiteCryption application security solutions provide organizations with industry-leading protection for their applications and keys. whiteCryption Code Protection delivers advanced code obfuscation and anti-tampering technologies. whiteCryption Secure Key Box employs white-box cryptography to ensure that cryptographic keys never appear in the clear, even when in use.
To find out more about the current state of mobile app security, download the full report.