As of 2018, more than 194 billion mobile apps had been downloaded from app stores, according to Credence Research. The global mobile app market was valued at $109.67 billion in 2018 and, at the time of the report, was set to see a 15.60% compound annual growth rate during the forecast period (2019-2027), according to the firm.
Although only a small fraction of mobile applications will be used in the enterprise, the tidal wave of mobile apps off-the-shelf, corporate-developed and sponsored creates substantial new challenges. For DevOps teams, it means they must make their internal processes more agile and efficient. That’s a good thing. But it also means they face a critical step securing those apps, which can add weeks to development times and cycles.
One problem is mobile apps run outside of the confines of corporate networks and can access services across the public internet. This makes mobile applications a huge security vulnerability point–especially if they aren’t architected properly and configured with proper security and access controls.
A report by WhiteHat Security offers a stark reminder that mobile apps are riddled with security flaws, many of which go unremedied. Based on 17 million application security scans carried out in 2018, the firm found a 20% increase in vulnerabilities in the applications organizations tested for security flaws. Complicating matters, most enterprises face the risks presented by the use of personal mobile devices by their employees.
It is not uncommon for enterprise users to have 15 to more than 80 enterprise applications on their devices. Enterprises must have control over the app and the data in the app before permitting widespread deployment.
“That simply visiting a website can lead to your iPhone being hacked silently by some unknown party is worrying enough,” said Thomas Brewster, a cybersecurity reporter for Forbes, in reference to a recent, successful hack of an iPhone. “But given that, according to Google researchers, it’s possible for the hackers to access encrypted messages on WhatsApp, iMessage, Telegram and others, the attacks undermine the security promised by those apps.”
Challenges of Securing Mobile Apps
Why is app security such a challenge? For one thing, securing apps before release doesn’t happen just once; every time an app or OS is updated, whether pre- or post-release, it must be secured again.
Today, it takes an average of five weeks to secure a mobile app before launch.
What’s more, when third-party libraries used by the app are updated, the app must be secured again. DevOps teams need to ask themselves: “How much of the time during which this app is in production will it be vulnerable to a security breach?”
But integrating security into mobile apps gets even more complex. Here’s why: Integrating app security by manual coding is hugely time-consuming and error-prone, given that implementing cybersecurity isn’t everyone’s cup of tea. For example, a developer may not implement the data security APIs everywhere in the app, resulting in some data being written unprotected.
And another factor tangential to security–device adoption–enters the picture. Employees expect corporate-authorized and distributed mobile apps to provide the same user friendliness as any consumer app they are accustomed to. If an app is not easy to use they will shun it, and enterprises won’t derive the business and process benefits they expect from mobility. Enterprises that attempt to secure their mobile apps may resort to forcing employees to use a managed, corporate-supplied device in order to use the app, or introduce a cumbersome VPN/login experience that will allow employees to access key data on remote servers from within the app.
In short, such security practices, while they may secure data, make the mobile app inconvenient, cumbersome and difficult to adopt and use.
What Can Be Done?
Today, many of enterprises’ mobile security protocols and practices are rooted in manual methods, and DevOps and security teams struggle to place security-hardened devices and apps in production. But two practices remove virtually 100% of the issues that plague enterprise teams today.
No-Code Security Integration: A no-code security integration solution can embed military-grade data encryption into apps and deliver the enterprise-level security controls that organizations need to ensure that corporate data is always safe, even when the device isn’t under enterprise controls.
Securing the App, Not the Device: Securing mobile apps–not the endpoint devices or device-resident containers they run in–decomplicates security while significantly reducing security risks. This practice enables developers to automatically embed the security controls into the organization’s apps, and it enables employees to use those apps without having to deal with device security restrictions.
What’s more, when an app or the OS behind it changes, it’s a trivial matter to re-secure the app.
Smart users of mobile devices take precautions to safeguard their data from hackers. While that’s a prudent move, the real job starts with the DevOps and security folks to solve the security-integration Rubik’s Cube once and for all.