There is a reasonable chance you are reading this blog using an app on a mobile device. As of 2019, 53% of all internet traffic was from mobile devices such as smartphones and tablets (and growing). And if you are reading this on a smartphone app, then it’s a near-certainty the device you are using is susceptible to threats right this moment. Our own internal data shows 100% of organizations protecting their mobile endpoints with Zimperium have detected and prevented threats and attacks.
This is the new reality when “there’s an app for that” is less of an exaggeration and more of a simple observation. The number of tablet users exceeded 1.3 billion in 2019 and smartphones are expected to near 3.5 billion in 2020. To make all of those devices useful and fun, there are more than 5 billion apps available to download from Apple and Google stores. As a result, according to one app development service, people spend 90% of their mobile time on apps.
And the numbers are growing. Mobile market data firm App Annie expects downloads to hit 258 billion by 2020 and to account for $157 billion in consumer spend. Mind you, that figure applies exclusively to app purchases; the amount of money flowing over the internet through apps is considerably higher. By 2021, mobile commerce is expected to constitute 54% of total ecommerce sales.
Having been an app developer and an app development consultant in the past, I have developed a keen awareness of the security perils in app development. And the numbers we cited above make it abundantly clear we should be taking app security seriously.
Why we don’t take mobile app security seriously
It is both a surprise and a mystery why many enterprises don’t take mobile app development security seriously. Part of the problem may be that smartphones are tiny devices, certainly in comparison to desktops and laptops. Perhaps the thinking is that a smartphone is such a small device, so how much damage can it do?
The reality is, thanks to the apps on it, a smartphone probably has more access to corporate resources and assets than anything else that touches your corporate network. Mobile apps create a massive extension of your network’s surface area, and they are an incredibly weak link in your network security.
Another reason businesses may underestimate the importance of app security is that enterprise servers reside in heavily fortified data centers. They are protected by robust firewalls and complex defense-in-depth strategies. Enterprises may feel their data is well-protected.
Unfortunately, any feeling of confidence about the security of your servers is an illusion once mobile is part of the picture. When someone hacks one of your employees’ mobile devices, they effectively become that employee, with all the access the employee has. Most of your existing security measures are not going to work.
Need more convincing? Here are three key reasons mobile app security should be an enterprise’s top priority.
Reason one: Mobile app security is complex
Mobile apps are becoming increasingly sophisticated. Some apps, for example, can enable complex financial transactions. Some can access, share and store sensitive corporate and/or personal data. An app might have much the same access to customer records or corporate intellectual capital as any well-secured and physically inaccessible corporate desktop—but minus the security and with far greater physical accessibility. As such, apps can have a significant impact on brand and personal reputation.
To protect apps adequately, companies and developers need visibility into the app not only during its development but also once it is deployed. Continued visibility enables protection and provides insights into threats that help developers better prepare future versions.
Reason two: Mobile app security failures can be disastrous
To get a feel for the scope of the challenge, consider the recent case involving Jeff Bezos. The CEO of Amazon and one of the world’s richest men, Bezos had his phone hacked when he received a WhatsApp message. Along with the message, the hacker delivered a hidden payload of encrypted code. It’s easy to imagine what a hacker could do once they gain access to the smartphone of such a well-connected and influential person.
Once your phone has been compromised you can no longer trust it. Apps can have access to your phone’s camera and microphone, meaning they can potentially record you without your knowledge. And they have access to audio, video and photographic data already on your device.
Reason three: Mobile app security must span the entire development lifecycle
Enabling effective app security is a process. It requires actions and processes at every stage of development. Apps must be secure beginning with their stated requirements and design.
It is also vital to verify security and privacy during the app’s development and at build time. You may need to ensure the app’s security prior to launch, and you inevitably need to keep it secure while it is deployed and in use on the user’s device, i.e. during runtime.
How Zimperium helps secure apps
Zimperium helps you protect apps throughout the software development lifecycle. Our Mobile Application Protection Suite (MAPS) identifies security, privacy and compliance issues during development and protects apps while in use.
zScan provides continuous protection and verification during app development. zShield enables protection during app build and launch. And zDefend embeds Zimperium’s award-winning, machine-learning-based detection into apps so that they remain protected even during runtime on the user’s mobile device. To learn more about MAPS, watch our on-demand webinar.
All Zimperium solutions connect to the same backend to provide a comprehensive view, analytics and reporting from the threat data. If you’d like to know more, please reach out. We look forward to hearing from you.