Mobile App Security
When the WannaCry ransomware worm spread across the world and onto our TV screens in May 2017, it left a trail of data devastation, and many NHS hospitals in the UK were forced to cancel appointments and postpone surgical procedures. It has been estimated that the global cost to businesses could run as high as £3 billion.
Such incidents serve as awareness beacons that data security is important. Yet they are soon forgotten by too many businesses, and the pre-attack status quo restored.
This cyber-complacency is particularly evident in the world of mobile applications, which threat actors increasingly see as a route to valuable data. It is not that organisations should not know better: they have years of experience in protecting network assets, and that experience shows that threat actors will always evolve to exploit new vulnerabilities. The same applies to mobile assets. With research disclosed at the RSA security conference in San Francisco earlier this year revealing that 80 per cent of enterprises use more than 10 mobile business apps, there is no denying that app usage is on the up.
A recent ING mobile banking survey found that the share of people in Europe using mobile banking increased from 41% in 2015 to 47% in 2016, and is expected to reach 63% by the end of this year. In its fifth 'State of the App Economy' report, ACT (The App Association) noted that smartphones had gone from "being a cool toy for the tech savvy to the most powerful and distributed computing platform in the world."
The negative reach of that power can be demonstrated by a single breach, caused by a single vulnerability, that damages customer trust and loyalty. That is a harsh reality businesses have to wake up to, especially since the rise in app usage is mirrored on the attackers' side, with the mobile threat landscape now littered with vulnerabilities.
If that were not bad enough, threat actors are naturally shifting their focus towards the money, and that means your data. Kaspersky Lab research shows mobile ransomware activity increased 3.5-fold in the first quarter of 2017 compared with the last quarter of 2016, equating to some 218,625 mobile Trojan-Ransomware installation packages detected.
In the Internet of Things world we are already living with the consequences of security being treated as an optional extra rather than part of the core design. App developers are making the same mistakes, but these are not yet receiving the same kind of media attention.
What does this mean for organisations that develop and issue mobile apps as part of their service offering, and for businesses that use them in their daily operations? Insecure apps will be exploited by threat actors, and customer or corporate data will be exfiltrated. That is as inevitable as the damage to your brand when the breach is disclosed. One recent report found that more than three-quarters of consumers would change providers if an app were discovered to be vulnerable, or if a competitor had a similar but more secure offering.
And let us not forget the financial implications of a data breach, especially once the EU General Data Protection Regulation (GDPR) comes into force in May next year. GDPR brings with it truly punishing fines of up to four per cent of annual global revenue or €20 million, whichever is greater. Nor do end users compensate for weak app security: an A10 Networks study shows employees take less care with business apps than with personal ones because they "believe the IT department will protect them."
Potential customers will also see the business using the app as being at fault, not the app developer; that is perhaps unfair, but it is the reality. Ensuring that mobile security is integrated into the app development process is therefore key. Retrofitting security after the core development process will never be as effective as building it in from the outset. This is where offerings such as G+D Mobile Security's Trusted Application Kit (TAK) come into play: a mobile software development kit (SDK) for app developers that is built into the design process rather than retrofitted afterwards.