TMCnet Feature
December 22, 2021

Guide to Mobile App Security



Security should be a top priority for mobile app developers. While this may seem obvious, statistics show that mobile app security is shockingly weak for many popular apps across industries. This is bad news for consumers who trust apps with sensitive data like passwords and financial information. It’s also bad news for brands, since data breaches and app hacks are some of the quickest ways to lose customers’ trust – and business.



Keep reading for an overview of the importance of mobile app security, the most pressing vulnerabilities, and best practices for mobile app design and delivery.

What is mobile app security?

As the name implies, mobile app security describes the strategies and tools used to secure the source code, data, communications, and other crucial elements of mobile apps. Mobile app security isn’t simply one step in the app development process; rather, it should be built into every stage of an app’s lifecycle, from design to release to maintenance through updates, patches, and testing.

This security-by-design approach dictates that security be multi-pronged and ongoing. The pillars of mobile app security are secure app development processes, the use of app protection technologies, and regular post-release penetration testing.

Why mobile app security matters

Insecure apps are a hacker’s haven.

Data is a trillion-dollar industry, and more data than ever is stored in or passes through today’s mobile apps, which makes them attractive targets. The more sensitive the data an app handles, the higher the payoff for an attacker; the weaker its defenses, the lower the cost of going after it.

App security correlates to consumer trust.

A high-profile app security breach can do major damage to customers’ confidence in the app, and in the brand as a whole. A 2019 Ping Identity survey found consumers increasingly unwilling to do business with brands associated with data breaches or app vulnerabilities:

  • 81% of consumers would stop engaging with a brand online after a data breach
  • 63% of consumers said they always expect a company to protect their data
  • 33% of consumers have stopped using a device, app, or service after a frustrating login experience

The last statistic in particular points to the importance of finding a balance between good UX and mobile app security. While customers want to be able to log in and use an app without too many barriers, they also want to know that the login process is secure enough to protect their passwords and other sensitive information that may be shared during the session.

Breaches and hacks mean high costs and lost revenue.

Any money developers save by cutting corners on mobile app security becomes meaningless fast in the face of the high costs associated with data breaches and app hacks. For one thing, the theft of IP and patented information can dilute your brand’s competitiveness and even lead to massive legal fees if litigation is pursued. In addition, damaged customer trust after a security breach and the loss of business that will likely follow mean an overall loss of revenue.

The most common mobile app vulnerabilities

The current landscape

As of 2020, statistics on app vulnerabilities in several key industries remained worrisome. The sectors most targeted by hackers – banking & financial services, healthcare, pharmaceutical apps, and communications – all saw major attacks as hackers sought to take advantage of the sensitive data users entrust to these types of apps, including personal information, bank accounts, credit card numbers, medical information, and more.

A recent study by the Synopsys Cybersecurity Research Center (CyRC) analyzed the security of Android apps, focusing on three areas: vulnerabilities, information leakage, and permissions. It found that the majority of apps analyzed, 80%, contained vulnerabilities.

The study also found that a significant number of apps leave sensitive information (for example hard-coded keys or credentials) in the source code, where anyone who decompiles the app can read it. Finally, many apps requested excessive permissions, with banking, payment, and budgeting apps ranking in the top three for the most permissions requested. Every permission an app holds widens the slice of the device it can reach (contacts, location, storage, camera, SMS), so an over-privileged app exposes more data than its features need, and a compromised one hands all of it to the attacker.
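As an added example for this article (not code from the study), the short Python script below makes the permissions point concrete: it parses an app's AndroidManifest.xml and flags the permissions Android classifies as "dangerous" (runtime-granted access to user data or sensors), so a reviewer can ask whether each one is justified by a feature. The manifest is constructed for a hypothetical budgeting app, and the dangerous-permission list is a subset of Android's real one.

```python
"""Audit the permissions an Android app requests from its manifest.

Added example for this article (not code from the Synopsys study). It parses
a constructed AndroidManifest.xml and flags permissions that Android assigns
the "dangerous" protection level, i.e. runtime-granted access to user data or
sensors, so a reviewer can ask whether each one is justified by a feature.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # ElementTree spells android:name this way

# Subset of Android's dangerous-protection-level permissions (real names).
DANGEROUS: Set[str] = {
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Constructed manifest for a hypothetical budgeting app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.budget">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <application android:label="Budget"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> List[str]:
    """Return every <uses-permission android:name="..."> in document order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.findall("uses-permission") if el.get(NAME_ATTR)]


def audit_permissions(manifest_xml: str, justified: Iterable[str] = ()) -> Dict:
    """Summarise requested permissions. 'unjustified' lists the dangerous ones
    the reviewer has not explicitly tied to a product feature."""
    justified = set(justified)
    perms = requested_permissions(manifest_xml)
    dangerous = [p for p in perms if p in DANGEROUS]
    return {
        "total": len(perms),
        "dangerous": dangerous,
        "unjustified": [p for p in dangerous if p not in justified],
    }


if __name__ == "__main__":
    # A budgeting app might justify CAMERA for receipt scanning, nothing else.
    report = audit_permissions(SAMPLE_MANIFEST, justified={"android.permission.CAMERA"})
    print(f"{report['total']} permissions requested, {len(report['dangerous'])} dangerous")
    for p in report["unjustified"]:
        print("  review:", p)
```

The same check belongs in the build pipeline, run against the merged manifest the build produces rather than the app's own source manifest, because library dependencies can contribute permissions the app never declared itself.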

OWASP Top Ten

The Open Web Application Security Project (OWASP), an organization working to improve software security, maintains a list of the ten most critical security risks web developers should work to mitigate. The list below is the 2017 edition; a revised 2021 edition has since been published, and OWASP also maintains a separate Mobile Top 10 and a Mobile Application Security Verification Standard (MASVS) aimed specifically at mobile apps. Most of the web items still matter for mobile, because nearly every mobile app talks to a web backend and its APIs. The 2017 list:

  1. Injection flaws
  2. Broken authentication
  3. Sensitive data exposure
  4. XML External Entities (XXE)
  5. Broken access control
  6. Security misconfiguration
  7. Cross-site scripting (XSS)
  8. Insecure deserialization
  9. Using components (such as libraries) with known vulnerabilities
  10. Insufficient logging and monitoring

Mobile app security best practices

Taking a holistic approach to mobile app security means building security into every step of an app’s lifecycle, from development to testing to release and beyond. The following list includes the bare minimum best practices app developers should implement to ensure mobile app security:

Use secure app design best practices.

Security should be built in from day one. Design best practices for mobile app security include knowing what’s in your code, knowing how your app will be used, using the right tools for testing, creating security requirements, and enabling developers to design securely (rather than incentivizing them to push apps live before they’ve been fully tested and protected).

Protect sensitive data such as source code and keys.

Mobile app development needs to incorporate specific strategies for protecting all of the sensitive data that gets communicated and stored during app use. This includes:

  • Secure key management
  • Code obfuscation
  • Strong encryption of data and communications
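The "sensitive information in the source code" finding earlier and the key-management bullet here call for the same check, so one added Python script (written for this article; not code from the article, the study, or any product they mention) serves both: it scans decompiled or pre-build source for hard-coded secrets, combining a few well-known key formats with an entropy heuristic on values assigned to secret-looking names. The sample source lines and every key value in them are constructed; the AWS key is Amazon's published documentation placeholder, and the patterns cover only the formats listed.

```python
"""Scan decompiled app sources for hard-coded secrets.

Added example for this article (not from the cited study). Anything compiled
into an APK or IPA can be read back with freely available tools, so a string
literal holding an API key or crypto key is effectively public. The scanner
combines known key formats with a Shannon-entropy check on values assigned to
secret-looking names. Sample lines and key values below are constructed.
"""
import math
import re
from collections import namedtuple
from typing import Iterable, List

Finding = namedtuple("Finding", "line rule severity value")

# Well-known key formats (the AWS example key is Amazon's documentation placeholder).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}
# A long opaque literal assigned to a name that suggests a secret.
ASSIGNMENT = re.compile(
    r"(?i)(secret|token|passw(or)?d|api[_-]?key|private[_-]?key)\w*\s*[:=]\s*[\"']([^\"']{16,})[\"']"
)


def shannon_entropy(s: str) -> float:
    """Bits per character: random hex approaches 4; repeated or dictionary text scores well below."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def scan_lines(lines: Iterable[str], entropy_threshold: float = 3.5) -> List[Finding]:
    findings = []
    for lineno, line in enumerate(lines, 1):
        matched = False
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(lineno, rule, "high", m.group(0)))
                matched = True
        if matched:
            continue  # already reported under a precise rule
        m = ASSIGNMENT.search(line)
        if m:
            value = m.group(3)
            # Low-entropy values (placeholders, passphrases) are not dropped, only downgraded.
            severity = "high" if shannon_entropy(value) >= entropy_threshold else "review"
            findings.append(Finding(lineno, "secret_assignment", severity, value))
    return findings


# Constructed decompiled Java source; every key value here is made up.
SAMPLE_SOURCE = [
    "package com.example.budget;",
    "public final class Config {",
    '    static final String BASE_URL = "https://api.example.com/v1";',
    '    static final String GOOGLE_MAPS_KEY = "AIzaSyD-EXAMPLE-0123456789abcdefghijklm";',
    '    static final String AWS_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE";',
    '    static final String DB_PASSWORD = "changeme_changeme_changeme";',
    '    static final String HMAC_SECRET = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b";',
    '    static final String APP_NAME = "Budget";',
    "}",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_SOURCE):
        print(f"line {f.line}: [{f.severity}] {f.rule}: {f.value[:12]}...")
```

Standard obfuscation such as ProGuard/R8 renames classes and methods but leaves string literals readable, so a key found this way is just as recoverable from an obfuscated build. Secrets belong in the platform keystore or on the server, and the scan belongs in CI so that a regression is caught before release rather than by whoever decompiles the app first.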

Consider runtime vulnerabilities.

Security strategies should also incorporate protections that operate while the app is in use, such as:

  • Tamper-detection technologies – these check the app and its environment while it runs: that the binary and its signature are unmodified, that no debugger or instrumentation framework is attached, and whether the device is rooted or jailbroken
  • Runtime Application Self-Protection (RASP) – technologies designed to detect and halt attacks in real time from inside the running app
  • Enforcement of session timeouts and logouts, decided on the server rather than trusted to the client
  • Multi-factor authentication
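Of these four measures, session enforcement is the one that can be shown end to end without platform code. The Python class below is an added example for this article, not code from any product it mentions: a server-side session store with an idle timeout, an absolute lifetime, and per-user revocation. The timeout values and the controllable clock are assumptions for the demonstration.

```python
"""Server-side session rules: idle timeout, absolute lifetime, revocation.

Added example for this article, not code from any product it mentions. A
mobile client cannot be trusted to end its own session (a tampered build can
simply skip the logout call), so the backend must own the rules and must be
able to invalidate a token everywhere. The clock is injectable so the
behaviour can be exercised without sleeping.
"""
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional


class SessionStore:
    def __init__(self, idle_timeout: float = 15 * 60, absolute_lifetime: float = 8 * 3600,
                 clock: Callable[[], float] = time.time) -> None:
        self.idle_timeout = idle_timeout
        self.absolute_lifetime = absolute_lifetime
        self.clock = clock
        self._sessions: Dict[str, Dict] = {}  # sha256(token) -> session record

    @staticmethod
    def _key(token: str) -> str:
        # Store only a hash: a leaked store must not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        now = self.clock()
        self._sessions[self._key(token)] = {"user": user, "created": now, "last_seen": now}
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user for a live session, else None. A valid call refreshes
        the idle timer but never extends the absolute lifetime."""
        key = self._key(token)
        s = self._sessions.get(key)
        if s is None:
            return None
        now = self.clock()
        if now - s["created"] > self.absolute_lifetime or now - s["last_seen"] > self.idle_timeout:
            del self._sessions[key]  # expired: purge so it cannot be revived
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, token: str) -> bool:
        """Explicit logout; returns False if the session was already gone."""
        return self._sessions.pop(self._key(token), None) is not None

    def logout_all(self, user: str) -> int:
        """Revoke every session for a user, e.g. after a password or MFA reset."""
        doomed = [k for k, s in self._sessions.items() if s["user"] == user]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


class FakeClock:
    """Controllable clock for demos and tests (assumption for this example)."""
    def __init__(self, start: float = 1_700_000_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    store = SessionStore(idle_timeout=900, absolute_lifetime=3600, clock=clock)
    token = store.create("alice")
    clock.advance(1000)  # user walked away for roughly 17 minutes
    print("after idle gap:", store.validate(token))  # None: idle timeout enforced
```

The absolute lifetime is what makes a stolen token useless after a bounded window even if the thief keeps it active; `logout_all` is the hook a password change or MFA reset should call so that no session created before the reset survives it.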

Manage risk post-release.

Beyond starting the development process with a thorough risk analysis, developers should regularly patch vulnerabilities and perform regular penetration testing after the app’s release.

Use third-party libraries with caution.

Third-party libraries are convenient and in most cases cannot be eliminated from the development process. However, developers should vet each library before adopting it (how actively it is maintained, its record of disclosed vulnerabilities, and the permissions and network access it requires), keep an inventory of exactly what ships and at which version, and track advisories so that vulnerable versions are upgraded promptly.
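"Analyze carefully" has a concrete, repeatable form: know exactly which versions ship and compare them against published advisories. The Python script below is an added example for this article (not code from any tool it mentions); it parses Gradle-style dependency output, including the "old -> resolved" arrows Gradle prints when a version conflict is resolved, and matches the result against an advisory list with affected-version ranges. The dependency listing and the advisories are constructed, and the EXAMPLE-... identifiers are placeholders, not real advisories.

```python
"""Check an app's third-party dependencies against known vulnerable ranges.

Added example for this article, not code from any tool it mentions. It reads
the Gradle-style coordinate lines a build tool prints (group:artifact:version,
with "old -> resolved" when a conflict was resolved) and matches them against
advisories that give an introduced version and a fixed version. Both the
dependency listing and the advisories here are constructed; a real check
would pull advisories from a vulnerability database such as OSV or the NVD.
"""
import re
from typing import Dict, List, Tuple

COORD = re.compile(r"([\w.-]+):([\w.-]+):([\w.+-]+)")
RESOLVED = re.compile(r"->\s*([\w.+-]+)")


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric dotted prefix only: '2.9.10.1-rc1' -> (2, 9, 10, 1)."""
    m = re.match(r"(\d+(?:\.\d+)*)", v)
    return tuple(int(x) for x in m.group(1).split(".")) if m else (0,)


def parse_dependencies(text: str) -> Dict[str, str]:
    """Map 'group:artifact' to the version that actually ships."""
    deps: Dict[str, str] = {}
    for line in text.splitlines():
        m = COORD.search(line)
        if not m:
            continue
        version = m.group(3)
        resolved = RESOLVED.search(line)
        if resolved:  # Gradle prints "a:b:1.0 -> 1.2" when 1.2 was chosen
            version = resolved.group(1)
        deps[f"{m.group(1)}:{m.group(2)}"] = version
    return deps


# Constructed advisories: affected when introduced <= version < fixed.
ADVISORIES = [
    ("com.example:json-parser", "2.0.0", "2.9.11", "EXAMPLE-2021-0001: unsafe deserialization"),
    ("org.example:http-client", "0.0.0", "4.3.0", "EXAMPLE-2020-0042: hostname check bypass"),
]


def find_vulnerable(deps: Dict[str, str], advisories=ADVISORIES) -> List[Tuple[str, str, str]]:
    """Return (coordinate, shipped version, advisory) for every affected dependency."""
    hits = []
    for coord, version in deps.items():
        v = parse_version(version)
        for a_coord, introduced, fixed, desc in advisories:
            if coord == a_coord and parse_version(introduced) <= v < parse_version(fixed):
                hits.append((coord, version, desc))
    return hits


# Constructed Gradle "dependencies" output for a hypothetical app.
SAMPLE_DEPS = """\
+--- com.example:json-parser:2.9.10.1
+--- org.example:http-client:4.3.0
+--- org.example:logging:1.2.3
\\--- com.example:json-parser:2.8.0 -> 2.9.10.1
"""

if __name__ == "__main__":
    for coord, version, desc in find_vulnerable(parse_dependencies(SAMPLE_DEPS)):
        print(f"VULNERABLE {coord}:{version}  {desc}")
```

The resolved-version handling matters: a transitive dependency that declares 2.8.0 but is bumped to 2.9.10.1 by another library ships as 2.9.10.1, and auditing the declared version would give a wrong answer in either direction. Run this kind of check on every build and fail the build on a hit, so the "known vulnerabilities" item on the OWASP list never reaches the store.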

Mobile app security is non-negotiable

With data breaches and app attacks so frequent, and consumers more concerned than ever about data privacy, it’s clear that mobile app security should be top of mind for app developers across sectors. While these best practices cover the basics, the mobile app security landscape is always shifting and attackers are constantly finding new ways to exploit vulnerabilities. App developers can help themselves and their customers by making it as hard as possible for attackers to get what they want.


