Mobile application security refers to the software, practices and methods designed to keep applications on Android, iOS and Windows safe from malicious agents. Mobile application security (or app security for short) covers apps on both smartphones and tablets. Apps are central to the function of many large companies (including banks and financial institutions); they store highly sensitive and valuable data.
The importance of mobile app security
The ability to protect an app from intrusion is crucial to the function and reputation of many businesses. A breach could put entire companies at risk; banks present their apps as extensions of their company, and people expect them to be as secure as a bank vault. Digital users spend over half of their time on technology using apps, so it is essential that the risks to users are as well-documented and understood as resources will allow.
Adequate security requires an understanding of the risks that are unique to mobile apps, as opposed to regular desktop or laptop use. Both the app itself and all the places where the app can exist (i.e. different operating systems and devices) need to be considered.
An example is the ‘Anubis banking trojan’, which reaches the user’s device when the user downloads a compromised app – some of which are available in the Android app store. Once a device is infected, the malware sends and receives SMS messages, scans contact lists, shares device locations and steals personal files. Cybersecurity researchers discovered a similar banking trojan that was successfully manipulating the apps of 24 banks in Spain.
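As an added illustration (not part of the original article), the sketch below audits a decoded AndroidManifest.xml for the combination of capabilities described above: SMS, contacts, location and file access. The mapping from behaviours to permission names, the review threshold of three, and both sample manifests are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from the behaviours named in the text to Android permissions.
BEHAVIOUR_PERMISSIONS = {
    "sends and receives SMS": {"android.permission.SEND_SMS",
                               "android.permission.RECEIVE_SMS",
                               "android.permission.READ_SMS"},
    "scans contact lists": {"android.permission.READ_CONTACTS"},
    "shares device location": {"android.permission.ACCESS_FINE_LOCATION",
                               "android.permission.ACCESS_COARSE_LOCATION"},
    "reads personal files": {"android.permission.READ_EXTERNAL_STORAGE",
                             "android.permission.MANAGE_EXTERNAL_STORAGE"},
}

def requested_permissions(root):
    """Collect every permission name declared in a parsed manifest."""
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return perms

def audit_manifest(manifest_xml, threshold=3):
    """Flag an app for manual review when it requests permissions covering
    at least `threshold` of the behaviour groups above. A flag is a reason
    to look closer, not proof of malice: messaging apps need SMS access."""
    # Manifests must already be decoded to text XML; parse untrusted input
    # with a hardened parser in production.
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(root)
    hits = {behaviour: sorted(perms & wanted)
            for behaviour, wanted in BEHAVIOUR_PERMISSIONS.items()
            if perms & wanted}
    return {"package": root.get("package"), "behaviours": hits,
            "needs_review": len(hits) >= threshold}

def _manifest(package, permissions):
    """Build a constructed sample manifest for the demonstration."""
    lines = "".join(f'<uses-permission android:name="android.permission.{p}"/>'
                    for p in permissions)
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{lines}</manifest>')

# Constructed samples: a "flashlight" app asking for far more than it needs,
# and a camera app with a permission set that matches its purpose.
SUSPECT = _manifest("com.example.flashlight", ["INTERNET", "SEND_SMS", "RECEIVE_SMS",
                    "READ_CONTACTS", "ACCESS_FINE_LOCATION", "READ_EXTERNAL_STORAGE"])
BENIGN = _manifest("com.example.camera", ["INTERNET", "CAMERA"])

if __name__ == "__main__":
    for sample in (SUSPECT, BENIGN):
        print(audit_manifest(sample))
```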
What are the unique risks that mobile applications face?
- Authentication: Poor authentication procedures can give hackers or malicious apps access to files and let them perform actions through an app on a device.
- Encryption: Data encryption allows information to travel from one place to another without being seen or intercepted. Inferior encryption technology can leave data visible to malicious apps or criminals. Individuals and companies tend to be less careful about what they say when they know that the message is encrypted. With sub-par encryption, individuals or companies could share highly sensitive information that they believe is safe.
- Other apps: An app that stores or leaks data carelessly can expose it to malicious apps on the same phone. Just as with a computer virus, malicious apps can sit on someone’s device and seek to pick up information that is left unguarded. Besides other malicious apps, mobile applications are also vulnerable to individuals on the same Wi-Fi network as the victim.
What are malicious agents looking for?
In most cases (80%) malicious agents are looking for credit or debit card information or personally identifiable information (PII). Hackers often lift PII for wholesale identity theft. Malicious agents also obtain log-in information to gain access to your device or personal accounts. Some hackers also place bugs or bots on people’s devices, giving them access to secure business networks.
When asked, only 33% of companies said they conducted penetration tests to see if their infrastructure was at risk. That is worrying when we consider the amount of personal information that apps store and have access to.
Mobile App security best practices
Consulting an expert is the best way to make sure that your business isn’t left vulnerable to mobile application security risks. There are mobile application security specialists who can not only advise your business but also put protection software in place to keep your business as safe as possible.
Educate your team about the risks that mobile apps can present. Teach them to identify when an attack is underway and how to recognise phishing attempts. Have a well-informed and up-to-date response for when attacks occur.
You should also only download apps from trusted sources. It is good practice to have a list of approved websites where team members are permitted to download apps. Remind them that even apps from legitimate websites can harbour viruses, so have a plan in place for when something unexpected happens.
Remind app users not to leave a session open while they aren’t using the app. It is better to sign out and have to sign back in next time, especially for apps with highly sensitive information.
Perhaps even more than desktop websites, mobile applications are becoming part of the fabric of modern society. We use them to bank, shop and organise our lives. This innovation improves our lives but has a drawback: apps harbour lots of information about our financial and commercial lives that should never get into the wrong hands. Sometimes it does, and companies and individuals need to be more aware than ever of how important mobile application security is. Some companies trade exclusively from an app, and if it’s compromised, it could threaten the daily operations of their business as well as the entire reputation of the company.