Mobile usage continues to grow. Today, the number of Internet-enabled mobile devices is perhaps more than the number of humans in the world. Studies indicate that more than 10 billion mobile Internet devices will be in use by 2016.
Along with Internet-enabled mobile devices, the mobile application industry is also predicted to grow, matching the rising consumer demand that comes with ever-evolving technologies. In fact, half of the adult cell phone users in the U.S. already have multiple mobile apps on their phones. And the number continues to climb, as it is a “Wild West” for mobile apps out there.
Dedicated mobile app usage is not just rising; apps in fact dominate the mobile Internet market. According to a five-year report by Flurry, mobile applications command almost 86 percent of the average mobile user’s time in the U.S., amounting to over two hours of usage a day.
In addition, a large number of Internet users are becoming mobile-first. In December 2014, a Gartner study predicted that over 50 percent of Internet users will opt for smartphones and tablets first for their online activities by 2018. We have yet to reach 2018, and already mobile-only Internet users exceed desktop-only users in the U.S., a recent comScore study indicates.
This is all good, except for one thing: security becomes a major concern as more and more Internet users become mobile-first. Many are also raising this concern: Are these mobile apps really safe to use? Are they well protected from malicious hackers?
Mobile Apps and the Rising Security Issues
Recent research by Arxan puts this security concern into perspective. The research found that:
• All of the top 100 paid Android apps on Google Play Store had been hacked
• 73 percent of the most popular free apps on Google Play Store had been hacked
• 56 percent of the top paid iOS apps on Apple Store had been hacked
• 53 percent of the most popular free iOS apps on Apple Store had been hacked
The findings of the Arxan research are indeed alarming. It is even more frightening for the corporate world, as a large number of companies are fast adopting BYOD (bring-your-own-device) policies, allowing employees to enjoy a mobile experience even at the workplace. And a study by Ponemon Institute indicates that 84 percent of smartphone consumers use one single mobile device for both work and personal purposes, further increasing the risk of business data hacking, as it becomes more challenging for IT departments to secure data access on enterprise systems.
Securing the mobile workforce is therefore the need of the hour. Mobile app development companies, especially those working on enterprise mobility, need to take more precautions to secure their products, since a breach also puts their reputation at risk.
The following are 4 ways to increase your mobile app security knowledge that will help you create, deploy and execute secure mobile applications.
1. Study More about the Common Application Attacks
There are many reports and studies on the mobile security landscape; use them to learn more about the most vulnerable areas of enterprises with respect to mobile security. Learn about the efforts organizations put into their mobile security development. Where are they lacking? What about the mobile security budgets? How should mobile security investments be prioritized? Studying the mobile security landscape will help you find answers to these questions and more.
You can also read popular blog posts on mobile security like this one by Paul Ionescu, the leader of the Ethical Hacking Team at IBM, where he discusses the Top 10 vulnerabilities published by OWASP, the Open Web Application Security Project.
There are several similar materials available on the Internet. For example, there are webinars to help you deal with mobile application security. The goal is to learn about as many security issues and vulnerabilities in detail as possible and then focus on those that concern your organization.
2. Secure Your Code to Build a Secure Mobile Application
Typically, mobile malware taps bugs in your mobile application’s design and coding. A 2013 study by Kindsight reveals that over 11.6 million mobile devices have been infected by malicious code, and the number is growing fast.
This issue is so serious that hackers can easily obtain a public copy of your app and reverse engineer it even before you can fix the vulnerability. As already pointed out by the Arxan research, many popular apps now contain malicious code. These are termed “rogue apps”, and hackers post them on various third-party app stores, tricking unsuspecting users and luring them into installing apps with malicious code. As a result, many innocent mobile users unknowingly compromise their devices and their data.
To fight such alarming issues, mobile app development companies need to provide robust tools to their developers so that they can detect security vulnerabilities and take the necessary actions to protect their code and applications against any kind of tampering and reverse engineering. Even consumer apps need to undergo such a hardening process to ensure the security of your users’ devices and data.
3. Review Case Studies from Large Organizations
Reviewing case studies will help you understand how large organizations are improving their security protections. Better yet, focus on case studies that deal with both Web and mobile app developers and how they detect and fix vulnerabilities in their software development life cycle to make their apps secure.
Let’s take the example of this IBM client to see how they improved their app security protection. This case study explains the way IBM Security AppScan allows app developers to scan code to detect malicious code and other vulnerabilities easily and effortlessly. Soon after a scan is logged, IBM Security AppScan detects and displays the vulnerable code so that developers can take the required actions. Using this software, this particular client tested their app earlier in their software development life cycle to give their developers, executives and customers peace of mind.
This IBM client also tested their application frequently to detect and fix vulnerabilities arising during the latter part of their product development phase. The whole approach helped the organization reduce their security protection costs by up to 95 times.
In addition, you can read other resources that help you learn how to detect and remediate mobile app security attacks. IBM Application Security on Cloud, for example, helps you manage application security risk and at the same time lets you prioritize time to market for your new mobile app. Find tools that help you identify security issues in your app and provide detailed reports that point out the vulnerabilities as well as recommend remediation steps to fix the security issues.
4. Implement Mobile Phone Authentication
Multi-factor authentication, or MFA, is one of the best ways to secure your application. Basically, this method is used for computer access control: users gain access only after presenting authentication factors from more than one category, such as something they know (a password), something they are (biometrics) or something only they have. The same approach is used for mobile devices as well and is popularly known as mobile phone authentication.
For mobile devices, it is usually a two-factor authentication involving a password and the registered mobile device/number. This confirms the user’s legitimacy and creates a reliable and secure interaction between the device and the app.
This approach is especially beneficial for apps that store or have access to confidential and critical data such as personal documents, credit card details, and usernames and passwords for bank accounts. Learning and implementing mobile phone authentication is highly beneficial for app developers, as users find following such processes relatively easy.
The user is sent a PIN code or OTP (one-time password) over SMS or voice, which he/she needs to enter into the application for verification. Because only the holder of the registered phone number receives the code, logging in and verifying identity with the PIN code or OTP proves possession of that number. It therefore creates an authenticated association between the phone number, its user and the application.
You can implement various other additional measures as well to increase the app’s security. You can, for example, set expiration times for the PIN code or OTP, which limits the window in which a hacker could guess enough combinations of the PIN code or OTP. This is a great way to prevent unauthorized access to the application. You can even block virtual numbers, like those of Skype, from being used to verify user identity.
Moreover, mobile phone authentication can be carried out at various points, such as during sign-up, when resetting passwords, when changing account settings, at later log-ins, when any kind of unusual or suspicious transactional activity is observed, and/or when users log in from different locations or new devices. Adding such additional security layers will make your application even more secure, and if done right it will also increase your users’ trust and loyalty towards your product and brand as a whole.
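The server side of the SMS/voice OTP flow described above, as an added example that is not code from the original article or from any of the vendors it mentions. It issues a random code, sends it through a pluggable sender, and enforces the three controls the text recommends: an expiration time, a cap on verification attempts (so the code cannot be guessed within its lifetime) and a block on virtual numbers. The `OTP_TTL_SECONDS`, `MAX_ATTEMPTS` and `VIRTUAL_NUMBER_DENYLIST` values are assumptions chosen for illustration; the denylist in particular stands in for a real carrier or number-type lookup, which the article does not describe.

```python
import hmac
import secrets
import time

# Policy values: assumptions for this example, not figures from the article.
OTP_LENGTH = 6
OTP_TTL_SECONDS = 300        # code expires five minutes after issue
MAX_ATTEMPTS = 5             # verification attempts allowed per issued code

# Constructed stand-in for a carrier/number-type lookup that would flag
# VoIP or virtual numbers in a real deployment.
VIRTUAL_NUMBER_DENYLIST = {"+15550000001"}


class PendingOtp:
    """One issued code plus the state needed to enforce expiry and attempt limits."""

    def __init__(self, code, issued_at):
        self.code = code
        self.issued_at = issued_at
        self.attempts = 0


class OtpService:
    """Issues and verifies one-time codes tied to a phone number.

    send_sms(phone_number, message) is supplied by the caller (an SMS or voice
    provider in production); clock() is injectable so expiry can be tested.
    """

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms
        self._clock = clock
        self._pending = {}   # phone_number -> PendingOtp (a server-side store in production)

    def request_code(self, phone_number):
        """Generate and deliver a code; returns False if the number is not eligible."""
        if phone_number in VIRTUAL_NUMBER_DENYLIST:
            return False
        # secrets, not random: the code must be unpredictable to an attacker.
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_LENGTH))
        self._pending[phone_number] = PendingOtp(code, self._clock())
        self._send_sms(phone_number, "Your verification code is %s" % code)
        return True

    def verify_code(self, phone_number, submitted):
        """Return True only for a fresh, unused, correct code within the attempt budget."""
        entry = self._pending.get(phone_number)
        if entry is None:
            return False
        if self._clock() - entry.issued_at > OTP_TTL_SECONDS:
            del self._pending[phone_number]      # expired: force a new request
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[phone_number]      # too many guesses: invalidate the code
            return False
        # Constant-time comparison avoids leaking how many leading digits matched.
        if hmac.compare_digest(entry.code, submitted):
            del self._pending[phone_number]      # single use: a replayed code is rejected
            return True
        return False


if __name__ == "__main__":
    # Local demonstration with a constructed sender that just records messages.
    outbox = []
    service = OtpService(send_sms=lambda number, msg: outbox.append((number, msg)))
    service.request_code("+15551234567")
    print("sent:", outbox[-1])
    print("verified:", service.verify_code("+15551234567", outbox[-1][1].split()[-1]))
```

In a real deployment the pending-code table lives in a shared datastore keyed to the user session, the sender is the SMS or voice provider, and the virtual-number check is a lookup against carrier data rather than a hardcoded set; the expiry, attempt cap, single use and constant-time comparison carry over unchanged.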
We now live in the age of mobility and BYOD. However, it is essential to secure the mobile app landscape from hackers and fraud to reduce the risk profile. Mobile app development companies need to increase their mobile application security knowledge and implement a proper framework in order to safeguard critical user data from being hacked. This is the only way to reduce the risk that often comes with mobility. The goal is to mitigate risk while ensuring usability to enhance user satisfaction.