Mobile App Security is everyone’s business. End-users don’t want any of their personal information compromised and want to make sure that their mobile banking and commerce transactions are protected from fraud and theft. And, companies want to make sure that all their proprietary and company confidential information “shared in and stored on” the apps their employees use is safe from hackers, thieves and corporate spies.
If this is the goal, then we still have a long way to go. Verizon just published its long awaited 2020 Mobile Security Index (MSI). The most telling conclusion for me in this report is:
The Verizon Mobile Security Index concludes that by waiting until their fingers are burned (and suffer a mobile breach), companies are putting their customer and business data at risk.
Here are some of the key findings in the MSI:
- 39% of companies suffered a security compromise. And, companies are twice as likely to have been compromised if they sacrificed security.
- 67% of companies that suffered a mobile-related compromise said that the impact was major and of those 55% suffered lasting repercussions.
- 43% of companies that had suffered a compromise had also significantly increased their mobile security spend. That number fell to 15% for those that hadn’t been compromised.
- 87% of respondents said they were concerned that a mobile security breach could have a lasting impact on customer loyalty.
- 81% said that a company’s data privacy record will be a key brand differentiator in the future.
- 29% said they had suffered a regulatory penalty as a result of a mobile-related security compromise.
- 67% said that increased regulation (GDPR for example) had driven them to spend more on security as a whole.
- 59% said they suffered business downtime because of a mobile breach.
- 56% said they lost data.
- 37% said they suffered damage of reputation because of a mobile-related security compromise.
Public App Store Apps Are Vulnerable
The Verizon Mobile Security Index found that even apps downloaded from official stores can be compromised or introduce vulnerabilities due to poor coding practices.
So contrary to what many people believe, the apps you download from the Apple App Store and Google Play are vulnerable. Both Google and Apple have a set of best practices around mobile app security, but it is up to mobile app developers to implement these, and as shown in the MSI, many don’t implement these. The MSI goes into detail on why that is.
It says that in the rush to get updates out, even apps from the most reputable companies can be deployed with vulnerabilities. The report found that 75% of organizations said they were concerned about this threat, and 23% of those didn’t feel prepared for it.
And then there is the risk of malware. Many users take advantage of built-in browser features that save your passwords. But now, malicious malware apps are being created that can interact with your browser and exploit the way this feature has been coded. Originally, these apps were created to compromise cybercurrency wallets, but attackers are now using them to steal user credentials. This could enable them to get into both personal accounts—like banking and shopping accounts—and corporate resources.
The MSI found that 4.5% of Android devices had known malware. That might not sound like much, but it means that if your organization has just 15 devices, then there’s a 50% chance that at least one of them is infected. And if you have 100 devices, that chance goes up to 99%. And one device can be enough to compromise your entire organization.
How Appdome solves these vulnerabilities: The Appdome Mobile Security Suite can remediate any poor coding practice and Appdome for Check Point SandBlast App Protect protects your mobile apps from Malware on the actual device.
Man-in-the-Middle Attacks Are Prevalent
The Mobile Security Index found that 7% of protected devices detected a Man-in-the-Middle (MitM) attack in the past year.
Fair to say that MitM attacks are one of the most dangerous network threats out there. The MSI states “MitM attacks are often done through rogue access points, which take advantage of familiar and trusted public Wi-Fi names (SSIDs). Users may see the name of a legitimate company or brand and connect to it without a second thought. While some rogue hotspot names are obviously misspelled (e.g., Starbuckz), many look perfectly legitimate. And users might have the access point already stored in their device, causing it to connect automatically. That might sound like something out of a spy movie, but it’s more prevalent than SQL injection (SQLi)-type attacks, and almost as common as phishing—but it gets far less press; maybe it needs a better agent?”
Here are some of the key stats around MitM attacks from the report.
- 72% of organizations said they’re concerned about MitM attacks. Of those, 23% don’t feel prepared.
- 20% of organizations that suffered a mobile compromise said that a rogue/insecure Wi-Fi hotspot was involved.
- 2 to 3 insecure hotspots per day. That is the average number of insecure Wi-Fi hotspots a mobile device connects to per day. The most common locations are retail, hospitality and transportation hubs, including airports.
- 42% of organizations said that they prohibit employees from using public Wi-Fi to perform work-related tasks.
- 55% of those who know that public Wi-Fi is prohibited use it anyway for the sake of convenience. And ironically, that includes many who are responsible for managing the security of mobile devices.
The FBI advice is clear: “Don’t allow your phone, computer, tablet or other devices to auto-connect to a free wireless network while you are away from home. This is an open invitation for bad actors to access your device. They can load malware, steal your passwords and PINs, or even take remote control of your contacts and camera.”
The Verizon Mobile Security Index concludes that using a system that blocks access to insecure or untrusted networks automatically, you don’t have to rely on users always making the right decision.
How Appdome solves MitM attacks: By adding the Appdome Mobile Security Suite to your mobile apps, you can secure the connection between the app and backend servers. Read more on how Appdome makes MiTM attacks impossible.
Mobile App Security for Financial Services
Customers put a lot of trust in their financial institutions, and that means these organizations are under pressure to stay secure. The MSI found that the Financial Services industry was the second most likely to have suffered a mobile compromise, behind information and media.
Other interesting stats from the MSI report include:
- 95% of finserv organizations said their customers expect a reliable service, and that any less could have a lasting impact on their reputation.
- 87% said that cybercriminals see their sector as a more lucrative target than other industries.
- Even so, 48% had sacrificed security in the name of expediency. And cutting corners has taken its toll.
The Verizon Mobile Security Index concludes that since financial services companies think that a good cybersecurity reputation is key for attracting customers, they could benefit greatly from reassessing and strengthening their mobile security.
Today Appdome secures the mobile apps of some of the world’s largest banks and most innovative new FinTech challengers. The Appdome Mobile Security Suite makes protecting and securing FinTech apps fast and easy.
Appdome Is the Only Solution That Offers Instant and Complete Protection
Appdome recently launched the MobileTRUST Alliance, the world’s only cybersecurity alliance to find and fix mobile app vulnerabilities, instantly, without code or coding.
For example, together with our MobileTRUST Alliance partner ImmuniWeb, we have done hundreds of vulnerability scans of mobile apps currently available on Google Play and the Apple App Store. Every single app we test on ImmuniWeb, comes back with several OWASP Mobile Top 10 vulnerabilities and many coding deficiencies around software composition (use of unencrypted 3rd party SDKs and libraries) and insecure external communications. And every time we build a new, protected, version of that app on Appdome, the new ImmuniWeb test proves that Appdome instantly fixes all the vulnerabilities and coding deficiencies. And we achieve this result without any assistance from the app maker. Both ImmuniWeb and Appdome use AI to do the work for you.
Here are the summary results after testing a mobile e-commerce app on ImmuniWeb.
And here are the test results of the same e-commerce app after implementing Appdome’s Mobile App Security Suite. The results speak for themselves.
In under 20 minutes and without dependencies, I found and fixed 7 OWASP Mobile Top 10 vulnerabilities and over 150 coding deficiencies.