Why COVID-19 Makes App Security More Important than Ever

The United States is still hoping to fully reopen, but COVID-19 is more prevalent than ever, with the nation and many states reporting record daily infection rates. Even though employment has recovered somewhat, the country is still facing a more than 10% unemployment rate, and while many restaurants, stores and other physical businesses have reopened, people are not yet returning to them in the same numbers as before the pandemic.  

The pandemic will undoubtedly transform many aspects of our country, and some of these changes are already apparent. Organizations that had depended on a physical location to interact with and draw customers have had to change their business models to emphasize contactless or near contactless transactions, where goods are delivered or picked up curbside. Contactless transactions typically involve online communications.

According to the Pew Research Center, 74% of households own a computer and 84% have a smartphone. But when it comes to usage, mobile dominates. More than half of worldwide Internet traffic last year came from mobile devices, and U.S. consumers spent about 40% more time using their smartphones than they did their desktops and laptops. 

The long-term trend of growing mobile usage combined with the pressure for contactless transactions due to the pandemic has made creating and enhancing mobile apps not just a nice marketing tool for businesses, but a necessary task for survival. To compete with other businesses and draw formerly casual mobile users to their apps, development teams are under more pressure than ever to deliver new and updated apps even more quickly than before.

Features trump security … until they don’t

This does not bode well for mobile app security, especially since the situation was not very good prior to COVID-19. According to the Verizon Mobile Security Index 2020, 43% of app developers said they knew they were cutting corners on security to “get the job done,” and that survey was conducted well before the pandemic arrived.

Unless they are very technologically savvy, consumers have no real way to assess the security of the mobile apps they use, so they make decisions about which apps to deploy based on features, functionality and ease of use. Naturally, that’s where developers focus their attention. What’s more, implementing security is expensive and time-consuming, potentially breaking the development budget and delaying delivery schedules. Even if development teams are committed to implementing security, iOS and Android security specialists are hard to find and in high demand.

But while focusing on features at the expense of security may be a good strategy for short-term adoption, the potential long-term consequences can be devastating for consumers and developers alike. Cybercriminals are just as aware as developers are about the growing importance of mobile apps, and they are developing increasingly sophisticated attacks targeting them.

A good example is the EventBot malware that appeared in April. This Android-based trojan looks and feels like Adobe Flash or Microsoft Word, but its real purpose is to steal unprotected data in banking, bitcoin and other financial apps. The trojan is sophisticated enough to intercept two-factor authentication codes sent via SMS so it can use them to take over accounts. 

It’s a perfect example of the importance of good security. If app developers encrypt all data stored on the device, that data won’t be in danger of theft from trojans like EventBot. Likewise, it illustrates why it’s critical to obfuscate and shield apps from reverse engineering. Not only can malicious actors create trojans from popular brands’ apps, they can also make buggy, badly performing fake apps that will give the genuine app a bad reputation.

Additionally, because the pandemic is causing such a large increase in app usage and adoption, security flaws that had previously gone unnoticed may start causing problems for users. 

Zoom, for example, saw millions of new users sign up essentially overnight after they were forced to work from home due to lockdown orders. This rush of new users exposed security flaws that hackers used to “zoom bomb” meetings. Zoom took quick action to resolve the issues, but it had to endure significant damage to its reputation.

Solutions to the security development challenge 

If your team plans to implement security into mobile apps on its own, first make sure you have the skills required to do so. Android and iOS differ significantly, and a security expert in one OS isn’t necessarily qualified to implement security for the other. 

Assuming you have developers qualified to implement security, the next step is to plan what, specifically, your team will focus on to harden your apps’ security. It’s not a simple question — after all, a hacker only has to find a single vulnerability to exploit, and there’s an enormous number of possible weaknesses. But a good place to start is to ensure each app is protected against the Open Web Application Security Project (OWASP) Mobile Top Ten vulnerabilities, a list of the most common exploits cybercriminals use.

Other development teams may decide to integrate security software development kits (SDKs) into their apps, which is a more efficient option than manual security implementation and can be done without having to hire security specialists. That said, it’s critical to thoroughly vet SDKs before integration. Not only are rogue SDKs a serious problem in the mobile app industry, but SDKs, themselves, may contain vulnerabilities.

Organizations can also leverage AI to automate security for mobile apps. It’s fast, can secure an app without any coding, and, compared to manual coding, is inexpensive as well. But, just as you must vet SDKs, conduct thorough due diligence to ensure that the AI platform provides comprehensive security and does not, itself, introduce vulnerabilities.

Mobile apps have never been more important to businesses, and cybercriminals are responding with more advanced, targeted attacks. Developers cannot afford to deliver full-featured apps that lack proper security — in the long run, the potential damage to customers and an enterprise itself is far too great a risk. So, as you race to provide an engaging, intuitive app for customers, pay as much attention to their safety as their experience. It’s no longer necessary to implement security manually, so there’s no excuse for putting customers at risk with a vulnerable app.
