Application security was no more than an afterthought in software design until a few years back. Today, with the applications becoming more frequently accessible over networks, security has emerged as one of the major concerns to safeguard the applications from a wide range of threats. Users are apprehensive because unauthorised codes can be used to manipulate the applications for the purpose of stealing or modifying or even deleting sensitive data.
The usual suspects who handle Application Security – internal security team, external security consultants, quality assurance personnel, development teams & SaaS providers
Although the developers undertake several countermeasures ranging from prevention firewalls to spyware detection, encryption/decryption programs and biometric authentication systems, users in real time still fear hacking of apps. According to a survey conducted by Arxan Technologies, specialists in software security and mobile application protection, there is a huge difference between the perception of app developers regarding the level of security built into these apps and consumers’ beliefs about addressing application vulnerabilities.
Top challenges for App Builders & Developers: time to market, lack of scalable funding, lack of sufficient testing, fear of breaking the app when reworking it & silos between security and development
For instance, even when 83% of the surveyed app users feel that their applications are adequately secure, 90% of the tested applications were vulnerable to at least 2 of the OWASP Mobile Top 10 Risks.
Perception Regarding Application Security
The survey conducted across US, UK, Germany and Japan clearly indicates that there is huge discrepancy between the perception of application executives and what application users actually feel. The ratio was 268:815 (IT executives to app users) among the 1,083 individuals surveyed. IT executives covered under the survey had security oversight or insight into the mobile health and/or finance apps they produce and the consumers were using the mobile health or finance apps.
DevSecOps will trend in 2016, with Security increasingly integrating with DevOps to deliver secure applications, faster via continuous integration, testing, allowing allow organisations to find & fix vulnerabilities
Let us highlight some of these discrepancies:
- While 87% of the application executives felt that their mobile applications are adequately secure only 83% of the application users had the same thought.
- 46% of the application executives believe that the apps are likely to be hacked within the next six months while there is a 2% increase in the number of users who believe so (i.e. 48%).
Application Security- Real Time Findings
Apps approved by regulatory bodies as well as the topmost health and finance apps from US, UK, Germany, and Japan were tested for security vulnerabilities using tools from Mi3 and the results are not very encouraging. 90% of the tested mobile applications, including 84% of FDA-approved apps and 80% of apps formerly approved by the NHS were vulnerable to at least 2 OWASP mobile risks.
The reasons for this include lack of binary code protection as the current application codes can be easily modified or reverse-engineered and poor transport layer protection that could lead to data and identity theft. This is the reason why 80% of app users were ready to change providers if they get a similar app that was more secure. The onus also lies with the organisations as 50% of organisations have no budget allocated for mobile apps protection. As a result, it becomes easier for hackers to steal money, personal information and health records.
Dealing with Application Security Threats
Both application developers and users need to take certain pro-active measures for minimizing the threats to app security. For beginners, application developers need to set their security bar above the ‘approved’ level as apps approved by regulatory bodies like FDA or the NHS are equally susceptible to risks. It is important for the IT executives to address the OWASP Mobile Top 10 Risks which they might have been neglecting until now.
Addressing the security needs will not only make their apps more secure but also provide a competitive edge over the rivals whose apps might still be subject to vulnerabilities. Application users should ensure that they download apps only from the authorised sources and do not engage in jail-breaking or rooting their device. Here, transparency of app’s security is of utmost importance as the consumers need to know the possible risks that come attached with downloading a particular app.
Here are some quick tips for protecting mobile applications:
- Applications having high-risk profiles should be resistant to tampering and capable of defending themselves against run time threats.
- Cryptographic key protection and application hardening is recommended for mobile wallets and payment applications.
- Penetration tests conducted during mobile application development life cycle can go a long way in analysing the level of vulnerability of the application to reverse-engineering caused due to an unprotected binary code.
- App users should make it a practice to log out of mobile apps when they are not using one.
- Unsecured Wi-Fi networks should be avoided for app download and it is best to enable a passcode, or PIN on the device if the application is to be used on mobile phone.
- Updating the operating systems and upgrading to newer versions of apps is advisable for enhanced security.
There was a time when applications were securely placed behind data centers but now these apps are out in the open. So, security needs to follow an app irrespective of its location. The proliferation of recent mobile attacks and the findings of this survey are a wake-up call for the app developers and security practitioners to shift their focus towards application protection.
Cases of successful attacks directed at the application layer have increased manifolds in the past few years, which are aggravated by the fact that many organisations simply fail to secure their applications because of resource, budget and time constraints. Rush to push the application to market exacerbates the security risks. There is a general misconception that embarking on an application security program requires extra amount of money and time for results that are still not effective.
Moreover, there is still a segment of app users, basically the ones who use health & financial apps on their mobile device, that is unaware of the vulnerabilities and believe that a phone’s built-in security is sufficient to provide protection against threats from downloaded content. This perception needs to be changed and security needs to be a mixture of best practices with minimal requirements, so as to best serve the users. Companies can easily market the strength of security in their applications for attracting new customers and retaining the existing ones because in the near future, security is likely to be a major shaping factor in making the usage and purchase decisions.