A fall 2023 survey of 100-plus cybersecurity professionals conducted by Information Security Media Group explains how compromised mobile apps can expose enterprise servers, back-end systems and private data to illegal and harmful exploits, and describes a concerning lack of threat awareness among CISOs.
One of the bigger revelations is a gap in perception: while 35% of respondents think most apps in the wild are secure, 77% rate their own apps as moderately or highly secure. Independent studies have found that 70% or more of published apps are unprotected, so respondents’ view of the market as a whole is likely closer to reality than their perception of their own apps, said Verimatrix, which commissioned the study.
While apps may comply with Apple and Google app marketplace guidelines for DRM and authentication, those guidelines don’t extend to API security, code and key obfuscation and other security considerations which, if ignored or poorly implemented, represent threats of their own.
While cost is cited as a reason for the lack of security implementation in apps, lack of awareness may be a more important factor, as app security costs are relatively low in relation to the potential scale of risk. It’s an echo of the pay TV industry’s perception 20 years ago that security was a penalty and a needless expense. But if an app is breached, its contents are open to exploitation, which can compromise trust or violate agreements between business partners.
While building apps requires specialized knowledge, 62% of app providers turn to in-house resources for app development, up from 50% in 2021. This makes it all the more important that security threats are recognized and that security measures are mandated, tested, verified and enforced, both at initial release and on an ongoing basis.
State of Enterprise Mobile App Security, 2023 Survey Results. Report. December 2023. iSMG Information Security Media Group, commissioned by Verimatrix
Why it matters
Verimatrix concludes that CISOs and cybersecurity teams need to be far more aware of the dangers posed by insecure mobile apps and to embrace the responsibility for fixing vulnerabilities, given the negative consequences.
“What’s the cost of an attack happening? The cost of an attack is huge – to your brand, your revenue and your customer confidence – and everybody knows that,” said Jon Samsel, Verimatrix SVP Global Marketing. “Cost is not the issue here. It could be that mobile app security is lower down on the priority list, so they’re spending money on other things. Cost could be only a minor factor.”