The State of Mobile App Security 2021

The ever-increasing popularity and use of smartphones dwarfs that of more conventional computing devices, such as desktop, laptops, tablets and so forth. Here are some numbers to put things in perspective: according to Statista the total number of mobile devices should reach 17.71B by 2024, up from just over 14B such devices in use in 2020. The same source puts the size of the installed base of PCs worldwide at 1.33B in 2019, with a slight decline over the period from 2013-2019. Interestingly, Microsoft recently claimed 1.3B “active Windows 10 users” which tells us the overwhelming majority of PC users seem to favor their operating system.

Putting Mobile Devices Into Proportion

The real impact of this comparison, of course, is that mobile devices outnumber PCs by over an order of magnitude. In addition, that balance continues to swing to favor mobile devices ever more firmly. Mobile devices run mobile apps. Indeed this simple observation makes mobile app security crucial, simply because most of the human race (mobile devices currently outnumber humans by almost 2 to 1) uses such devices and the apps to go with them to communicate, access the Internet, and get on with the business of living.

The Continuing Sad State of Mobile App Security

Even as mobile apps keep proliferating, and more and more users rely on them to learn, work and play, the state of mobile app security can only be described as deplorable. On the one hand, App Annie reported that mobile app usage grew 40% year-over-year in Q2 2020 as compared to the preceding year. On the other hand, security firm Synopsys entitled its most recent survey Peril in a Pandemic: The State of Mobile App Security. The company found that significant causes for concern about the security in mobile apps were both abundant and alarming, primarily owing to three major factors:

• Commonly used apps that displayed well-known open source vulnerabilities
• Unsecured and unencrypted sensitive data in mobile application code that present potential points for information leakage and unwanted access and disclosures
• Frequent assignment of higher levels of access and permission to mobile apps than the “principle of least privilege” (PLP) would allow

All of these unsafe programming or administrative practices leave mobile apps overly open to attack and potential compromise. The report analyzed over 3,000 mobile apps and reported some scary statistics – namely:

• 63% of apps included known security vulnerabilities, with an average of 39 vulnerabilities per app, of which 44% were rated “high risk,” 94% of which had publicly documented fixes, and 73% of which has been reported two or more years ago.
• Thousands of sensitive data items were exposed in the application code, including over 2K passwords, tokens and keys, over 10K email addresses, and nearly 400K IP addresses and URLs.
• Use of overly powerful device permissions showed just over 33K instances of normal permissions, with just over 15K of sensitive permissions, and just over 10K of permissions “not intended for third-party use.”

What Can (and Should) Mobile Developers Be Doing?

Good question! Each of these major telling points suggests necessary coping strategies. But, first and foremost, mobile app developers need to think about adopting a DevSecOps approach, which integrates and incorporates security concerns, best practices, and proactive uses of threat intelligence at all phases of the software development lifecycle, from design through maintenance. This shift from DevOps to DevSecOps means bringing developers into the security circle, and closer ties between the organization’s development and security teams. Ultimately, developers should understand (and implement) best secure programming practices, and learn how to deal with (and hopefully automate) security remediation and mitigation as part of their DevOps processes (which is why the term expands to become DevSecOps).

More pointedly, organizations also need to build the following practices and procedures into their code development and test processes:

• All code should be subjected to security scans driven by current threat intelligence as part of the normal QA process. This applies to development only (forward-looking) code bases, as well as production code bases presently in maintenance mode.
• Any and all open source code should be likewise subject to ongoing security scan and review, likewise driven by current threat intelligence and so forth. This may require different tools, but should be scheduled and completed as part of normal release handling (especially when and as code transitions from development to production status).
• Security scans for code should detect and document data items it finds in that code and flag all instances of unencrypted data with security leakage or unwanted disclosure implications. Organizations should adopt encryption or tokenization tools and techniques to avoid unwanted disclosures.
• PLP should be defined for mobile apps, and the services and process they call and use. Assignment of privilege should be reviewed on a regular basis, to make sure that permissions and privileges granted in (and to) mobile apps provide only what’s needed for the code to work, and nothing more. Here again, such review is particularly important when code transitions from development to production status (and in maintenance mode as well).

Organizations that follow these principles and practices, and use capable tools to implement and enforce them, can be sure that their mobile apps will meet a higher standard of security. Look to Kiuwan.com to learn more about its code security scanning tools, open source code risk management capabilities, and its code analysis facilities.

Would you like to know more about implementing secure application development solution in your company? Get in touch with our Kiuwan team! We love to talk about security.