The last few years have brought an onslaught of data breaches by way of mobile apps. According to Verizon's Mobile Security Index, one in three organizations suffered a data breach due to mobile devices in 2019 alone. As the world becomes more connected and modern business is conducted increasingly through mobile apps, security is critical. Even the most trusted industries are at risk, and every mobile device is an attack surface.
Financial institutions, healthcare organizations, manufacturers and the entertainment industry have all benefited from the ease of use and enhanced customer satisfaction that mobility allows. However, these trusted sectors have also seen the costly revenue and reputational damage that occurs as the result of vulnerabilities and inadequate security measures.
Take A Holistic Approach to Mobile App Security
According to Gartner’s Market Guide for In-App Protection, securing applications that run within untrusted environments is crucial as mobile, IoT and modern web applications migrate software logic to the client side.
Conducting business, collecting consumer data, and accepting payment in an untrusted environment leaves you wide open to attack and there are several areas that must be addressed in order to close security gaps. Having the right security processes in place is as important as having the right tools. Security always needs to be tackled from a holistic perspective - there’s no point locking the door but leaving the window open.
Implement Security Awareness and Processes
Rogue employees and insider threats can bring massive damage to a company, and in many instances these breaches can be avoided if the right processes are in place. In 2019, Capital One, Trend Micro, and Desjardins Group all experienced data breaches as the result of a rogue employee. Preventive measures to mitigate these situations include constant monitoring, security awareness training, and severe access restrictions.
Viewing security as merely a back-end component is a costly mistake that comes with dire consequences. The right approach is one that makes security business-as-usual by spreading responsibility across your entire organization rather than letting your reputation, revenue, and data protection fall squarely on app developers’ shoulders. This means creating security awareness programs that keep staff vigilant and train them to look out for specific threats. A proactive approach is key to mitigating risks and avoiding the consequences of a data breach. Not to mention, proactive security measures cost much less in the long run than reactive damage control.
Use Strong Authentication
Some of the biggest security breaches happen as the result of weak authentication. According to Verizon’s 2019 Data Breach Investigations Report, 80% of hacking related breaches involved compromised and weak credentials. Requiring strong alphanumeric passwords is good but requiring more than one personal identifier is better. Multi-factor, strong authentication requirements add a barrier to entry and make it more difficult for hackers to get into an app. However, this can also make it more difficult for genuine end-users to enjoy their experience.
The best practice when it comes to strong authentication is to make it as difficult as possible for criminals, but as easy as possible for consumers. This means balancing convenience and security. Since passwords are often the weakest vulnerability and a costly driver of support calls, many organizations are opting to dissolve the risk entirely by shifting to passwordless authentication.
Employ Mobile Payment Tokenization & Secure Data Storage
Card-on-file systems are big databases that merchants keep in order to save their customers from the frustration of having to re-enter card details during every purchase. However, these databases pose an inherent risk. Criminals love going after these honey pots – perhaps the most notable incident was Target’s infamous data breach in 2013. Back then, the breach was unprecedented but over time the Target breach proved to be the first of many that exposed massive weaknesses in data security storage.
As time has moved on, these database breaches became commonplace. In order to secure data storage, it is now recommended to keep “tokens” rather than card numbers. Tokenization services from the main Payment Card schemes store unusable tokens that are representations of customers' cards. Tokens are pseudo card numbers – they look and feel like card numbers – but reduce the risk of fraud by having certain rules applied to them.
This means that tokens can only be used for a limited set of transactions (in this case, with the merchant storing them). Unlike a credit card number, if a criminal gets his hands on a token, it can’t be used for purchases. Tokenization means that even if a merchant's servers are breached, there is no risk of exposing consumers’ card numbers.
Protect Your Code and Secure APIs
If an app’s code is not properly hardened, hackers can decompile the application, find its weaknesses, and create an attack. Proper code protection prevents the mobile app from becoming an attack vector. An attacker’s first order of business when it comes to hacking a mobile app is to spend time learning and understanding how an API communicates with an organization’s backend servers. Without code protection and API security, an attacker can reverse engineer a mobile app, which means they can craft their own messages to send to the backend servers. These messages are the heart of a data breach.
Code protection and secure APIs keep the entry point to backend servers secure and keep consumers’ all-important personal data safe.
The Right Approaches to Avoid a Mobile App Security Breach
With the right security approaches, insider threats and backend vulnerabilities are minimized. However, once a breach occurs, the consequences are impossible to escape. The right suite of security solutions for application protection should offer a holistic, end-to-end approach that will keep your app secure on all fronts through easily accessible technology.
Verizon: Mobile Security Index 2020