In shadows cast, where secrets hide unseen,
Unprotected apps, the ghosts of the machine,
Through hidden realms, I wander undetected,
A spectral hacker, with powers resurrected.

Mobile apps have become an indispensable part of business-to-consumer and even business-to-business communications. From banking transactions and service requests to news updates and entertainment, these apps have become fundamental to commerce. However, there’s an ever-growing issue that often goes unaddressed: a lack of adequate mobile app security. 

That’s especially true when compared to the rigorous defenses that other parts of the business enjoy. It often stems from what a business cannot, or does not seek to, monitor in the first place. That matters because the impact of an undiscovered vulnerability multiplies with the number of endpoint deployments.

Unmonitored mobile app instances and their unaddressed security vulnerabilities have become ghosts in the enterprise machine; hackers often bypass defenses and lurk unseen within the enterprise offering the app.

For example, when a mobile app is compromised or its connection to the backend is breached, significant problems can arise. 

Imagine the consequences for a bank whose mobile app is legitimately downloaded by criminals who have decided to create a normal account only to use it for nefarious analysis purposes. They’re seeking to learn how the app and its code work to ultimately breach the bank. Or consider a scenario where an industrial control app is tampered with, leading to potentially dangerous consequences in the real world. 

It’s clear that the stakes are high, and businesses need to address this vulnerability. 

What do CISOs think about mobile app security?

Are mobile app security blind spots prevalent? Unfortunately, they are. 

Verimatrix recently sponsored research by ISMG to survey CISOs across the globe and determine where mobile app security fits into their attack surface purview. The result?

An infographic with mobile app security statistics

Do these results surprise you?

Unclear roles and inconsistent assumptions can create mobile app security blind spots within organizations. When responsibility for app security is ambiguous between developers, IT, and specialized teams, gaps may emerge where no one fully owns mitigating risks. 

Developers often assume apps don’t need security added—that their exemplary coding practices are good enough—while corporate security presumes development has already built app security into the CI/CD process. Without clarity on ownership, security is often overlooked.

Additionally, organizations can make assumptions that their own mobile app security is robust compared to third-party apps, revealing a bias toward homegrown DevAppSec solutions. 

However, without validating these assumptions, there is risk. 

Even companies that add security to apps and pen-test them often encounter problems, as the app might be secure one day but insecure the next due to hidden vulnerabilities introduced through the supply chain of the code.

Recognizing that there are strong reasons why mobile app security has not been fully adopted, or why an app was secured once with no ongoing monitoring, is in effect an admission that blind spots likely exist and that more effort is needed in this area.

The challenge of detecting compromised actions in mobile apps

So how do companies know when or even if these compromised actions take place? They need to have visibility into certain actions taken by each device that uses the mobile app. 

If actions are uncommon, or a series of actions creates some sort of anomaly, there’s likely an issue. Are devices in countries where the app has no genuine user base attempting transactions? Are there signs that reverse engineering is underway? A mobile app’s owner must know. Sadly, that’s often not the case.

It’s truly troublesome, as it’s clear that mobile apps have caught the attention of cybercriminals seeking alternative avenues to breach enterprise security. Many mobile app developers, regardless of their size or prominence, fail to prioritize the visibility that’s needed to determine if bad actors are toying with their app. This neglect leaves them highly vulnerable, with numerous blind spots that attackers can exploit.

How to ensure better mobile app security

Blind spots can manifest in various forms, including weak authentication mechanisms, insecure data storage and transmission, and inadequate third-party integrations. These blind spots can be exploited by cybercriminals to gain unauthorized access to sensitive user information or disrupt app functionality. Mobile app developers must recognize and address these blind spots to protect users and maintain their trust. 

There are quite a few approaches that developers can take to ensure mobile app security:

• Risk assessment and threat modeling

To find and mitigate blind spots, developers must conduct thorough risk assessments and threat modeling exercises. These practices involve analyzing potential risks and vulnerabilities specific to the mobile app, evaluating their impact, and implementing proper security measures. 

By proactively considering potential blind spots, developers can minimize the attack surface and enhance the overall security posture of their applications.

• Secure practices of coding, release, and maintenance

Developers must adhere to secure coding practices to minimize blind spots in their mobile apps. This includes following coding standards and using secure development frameworks. They need to control the supply chain and consistently update libraries and dependencies. 

By adopting secure coding and code maintenance, developers can reduce the likelihood of introducing vulnerabilities into their apps, reduce the time these vulnerabilities can be exploited, and increase resistance to potential attacks.

• Regular security testing and auditing

Comprehensive security testing and auditing are essential for finding blind spots and vulnerabilities within mobile apps. This includes techniques such as static and dynamic code analysis, penetration testing, and vulnerability scanning. 

Regular security assessments allow developers to proactively discover and address blind spots before they are exploited by malicious actors.

• Third-party integration assessment

Mobile apps often rely on third-party libraries, plugins, and APIs to enhance functionality and streamline development. However, these integrations can introduce blind spots if they are not carefully evaluated beforehand.

Developers should conduct thorough assessments of third-party components, ensuring they adhere to security best practices and have a solid record of prompt security updates.

• Continuous monitoring and response

Mobile app security is an ongoing process that requires continuous monitoring and response. Developers should implement mechanisms to check app usage, detect anomalies, and respond immediately to potential security incidents. This includes monitoring user feedback, tracking emerging threats, and promptly patching vulnerabilities through regular updates.
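The monitoring signals described above (transactions from countries the app is not genuinely offered in, client-side signs of reverse engineering, and anomalous bursts of actions from one device) can be checked with a small detection routine over per-device telemetry. The following is an added illustration, not code from the original article or any Verimatrix product; the event fields, flag names, market list and thresholds are assumptions, and the telemetry records are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Markets the hypothetical app is actually offered in (an assumption for this example).
EXPECTED_COUNTRIES = {"US", "CA", "GB"}
# Integrity signals a client SDK might report; these names are assumptions, not any vendor's schema.
TAMPER_FLAGS = {"debugger_attached", "hooking_framework", "repackaged", "rooted"}
MAX_ACTIONS_PER_MINUTE = 10

# Constructed sample telemetry: one record per action a device takes in the app.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "device": "dev-A", "country": "US", "action": "login", "flags": []},
    {"ts": "2024-05-01T10:00:05", "device": "dev-A", "country": "US", "action": "transfer", "flags": []},
    {"ts": "2024-05-01T10:01:00", "device": "dev-B", "country": "ZZ", "action": "transfer", "flags": []},
    {"ts": "2024-05-01T10:02:00", "device": "dev-C", "country": "GB", "action": "login", "flags": ["debugger_attached"]},
] + [
    {"ts": f"2024-05-01T10:03:{i:02d}", "device": "dev-D", "country": "CA", "action": "balance", "flags": []}
    for i in range(12)
]


def detect_anomalies(events):
    """Return a list of (device, reason) alerts for the three blind-spot signals."""
    alerts = []
    windows = defaultdict(list)  # device -> timestamps of actions in the last minute
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        dev = ev["device"]
        # 1. A transaction from a country where the app has no genuine user base.
        if ev["action"] == "transfer" and ev["country"] not in EXPECTED_COUNTRIES:
            alerts.append((dev, f"transfer from unexpected country {ev['country']}"))
        # 2. Client-side integrity signals that point to reverse engineering or tampering.
        hits = TAMPER_FLAGS.intersection(ev["flags"])
        if hits:
            alerts.append((dev, "tamper signal: " + ",".join(sorted(hits))))
        # 3. Velocity: too many actions from one device inside a one-minute sliding window.
        windows[dev].append(ts)
        windows[dev] = [t for t in windows[dev] if ts - t < timedelta(minutes=1)]
        if len(windows[dev]) == MAX_ACTIONS_PER_MINUTE + 1:  # alert once, when the threshold is crossed
            alerts.append((dev, f"more than {MAX_ACTIONS_PER_MINUTE} actions in one minute"))
    return alerts


if __name__ == "__main__":
    for device, reason in detect_anomalies(SAMPLE_EVENTS):
        print(device, reason)
```

In practice these alerts would feed an incident queue and be tuned against the app's real traffic, since a static country list and a fixed rate threshold will produce false positives for travelling users and legitimate bursts.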

Mobile app developers can no longer neglect cyber threats

As the use of mobile apps continues to skyrocket, it’s crucial for developers to acknowledge the existence of blind spots and take proactive measures to address them. The protection of user and company data should be at the forefront of every mobile app development process. 

By adopting risk assessment practices, implementing secure coding practices, conducting regular security testing, and maintaining vigilance through continuous monitoring, developers can significantly reduce blind spots and enhance the security of mobile apps.

As technology evolves, so do the techniques employed by cybercriminals. Mobile app developers must remain agile, adaptable, and committed to staying abreast of emerging threats. By prioritizing mobile app security and addressing blind spots, developers can ensure the safety and, just as importantly, the trustworthiness of their apps, enabling users to enjoy the full benefits of the app experience with confidence and ease.

So shine a light in shadowed corners, 
Scan each code for spectral mourners; 
Let no ghost in the machine remain, 
Lest your apps cause you pain.