Cybercriminals are hot on the money trail – and the path is leading straight to unprotected mobile applications in the fintech and banking industries. According to Verizon’s Mobile Security Index 2020 Report, 39 percent of organizations surveyed experienced a security compromise involving a mobile security device in 2020, up from 33 percent in 2019 and 27 percent the previous year.
With traditional perimeter security ineffective in keeping mobile apps used outside the firewall safe, organizations are turning to solutions that protect the app, rather than the network. These app security solutions can be added to mobile apps to safeguard the data stored in mobile devices and to comply with consumer data privacy regulations such as GDPR, NY Shield, or CCPA. They also prevent breached applications from becoming a vector to attack resources within the broader corporate infrastructure.
App security solutions work by precluding attackers from reverse engineering mobile apps to find vulnerabilities in the code and exploit them to steal data or access the wider corporate network. They provide protection at three levels:
- Code obfuscation prevents static analysis of how the code is structured.
- Environmental checks ensure code is running within a secure and trustworthy environment, blocking attempts to dynamically analyze the way the code operates.
- Anti-tamper technology prevents attackers from modifying code within the app to perform malicious activities.
While app security clearly fills an important security gap, your organization may wonder how to choose the right vendor. If you’re still on the fence about building app security in-house our outsourcing, our new eBook offers pro/con lists, compliance checklists, and considerations:
If you’re ready to vet vendors and get the process started, adding these ten questions to your app security RFPs will ensure that your solution delivers the highest level of security in a timely manner with minimal impact on your application development processes.
1. Do you provide app security for Android and iOS applications to keep them from being reverse engineered and modified?
If an application’s code is not properly hardened, hackers can decompile the application, find its weaknesses, and create an attack. Proper code protection prevents a mobile app from becoming an attack vector.
A handful of specific techniques protect applications from reverse engineering and modification, like environmental checks, anti-tamper technology, and obfuscation. It is always best if a vendor’s solution implements multiple methods to protect against these threats.
2. Do you support new versions of Android and iOS prior to releases being made publicly available? Please state your release cadence in the notes.
If a new version of Android or iOS becomes available to end users before the application protection software has been modified to address it, the protection will not work with the new version of the operating system. That means that when Apple or Google come out with an upgrade, a large percentage of your user base will get cut off.
You need to proactively ensure that the protection works with each new version before users get the OS updates. Stay up to date by looking for a vendor that provides frequent releases that accommodate these developments. Ideally, look for a vendor that provides updates no less than quarterly.
3. Is your protection available as on-premise tools that we can run within our development environment?
Many organizations feel more secure having the tools they use to deliver app protection running on-premise A solution that provides on-premise tools enables these organizations to maintain control over their application security tools so no applications or data pass out of their environment.
4. Is your protection available as a cloud service that we can utilize?
While some organizations prefer the control of an on-premise implementation, others may demand the advantages of a cloud solution. Cloud solutions enable more rapid implementation, guarantee that you always have the latest version without the need to upgrade, and run on the vendor’s hardware rather than requiring you to purchase, implement, configure, manage, maintain, and upgrade software, hardware, and an in-house data center.
A vendor that provides both an on-premise and a cloud–based solution allows you to choose the implementation model that works best for your business; and to swap between them as your business evolves.
5. What are the core features or innovations that distinguish your product from your competitors?
Discovering a vendor’s differentiators should be key when it comes to application security RFPs. Clearly for an in-app protection product, the level of security the product can provide is paramount. Equally important, that security should be easy to apply. Ease of use enables your development team to spend less time on security and more on developing applications. Such a tool will enable better security as well as a faster, smoother product development process.
6. Can you apply protection with no code changes required? Are there any exceptions to this?
Many in-app security solutions put constraints on the way application developers perform their coding to take advantage of the solution. A no–code solution can not only simplify use, but it can also give developers the flexibility to work the way they want to. Such flexibility enables developers to protect apps and build the capabilities they need while keeping them happy and on board with the chosen solution.
Of course, most environments are not entirely zero code. There are always exceptions. For example, your developers may want to create a customized response to a particular threat rather than accept the solution’s default reaction. The ideal solution will give developers the option to create customized responses, as necessary.
7. Do you provide training in the use of your solution?
Some application protection software vendors don’t include training with their products. They simply sell you a product, then provide a link to download the manual. While such an approach can be less expensive up front, it can lead to extra, unexpected costs down the road since it may take you some time to learn how to use the software. Alternatively, you may find yourself paying more for training. A vendor that includes training in the cost of the software and gives you everything you need to get
8. Please provide details of the technical support you provide.
Technical support should be high quality and available when and where you need it. Ideally, the vendor should provide 24/7/365 worldwide customer support, provide agents with deep experience in app protection that can streamline support for implementation, integration, testing and maintenance, as well as high customer satisfaction scores. Ask whether the vendor has awards for excellence in customer service to prove their claims.
9. Has your protection been used in security certified solutions or evaluated by independent security labs? If yes, please give details.
Since the nature of application security is low-level and complex, it can often be difficult to validate a vendor’s claims about the strength and robustness of their solutions. This means that customers in need of app security may often end up simply choosing the vendor who can tell the best story.
Fortunately, outside evaluators with a high level of expertise provide objective evaluations you can use to compare security offered by different vendors. Organizations like Mastercard and Visa certify mobile payment apps that operate on their networks. This requires extremely high levels of security that must be certified by approved independent labs.
Note that these organizations cannot certify that the tool itself is secure. They verify the security of the application as it uses the tool. So, it’s important to find out whether the vendor has multiple customers whose applications (that are secured using their tool) have been certified by one of these organizations. A vendor with no record of going through and passing these independent security reviews should raise alarms.
10. How much time does it take to deploy the system?
Time is money. If your developers spend too many hours integrating security protections into your product, it’s time not spent creating new features that add value for your customers. So, ask your vendor how long it typically takes to add the solution to your application. We recommend that the solution take just one day per application.
Asking “How Secure?” Is Not Enough
As can be seen, “how secure?” is only the start of the questions you need answered when selecting an in-app protection solution. A vendor’s answers to these RFP questions should give you a better, more comprehensive understanding about their solutions — including their capabilities, update cadence, differentiators, implementation, support, training, and certification. This is the first step in setting expectations and ensuring that your working relationship with your vendor will succeed. Unsure how to chart the path forward? Still deciding between building app security in-house and outsourcing. Read our eBook, “The Essential Planning Guide for Securing Financial Applications” for pro/con lists, considerations, and compliance checklists.
If you’re wondering how Verimatrix answers these questions about our Application Shielding solutions, get in touch today for a demo and book a consultation with a security specialist.