Make it easy to build in mobile application security
“Security teams can provide developers with easy ways to do the right thing,” Sethi said. “They can create libraries that make it easy for developers to implement functionality in secure ways.”
Douglas also said that developers are increasingly open to “building security in” to mobile apps during the SDLC, especially when it can be a more seamless part of the process. At least some of them also see the long-term benefit—it takes less time and money to fix vulnerabilities early and throughout development than to try to patch dozens to hundreds of bugs that penetration testers find just before an app is due to go into production.
“Many frameworks exist for mobile platforms that cover security concerns and allow developers to abstract themselves from some of the more challenging decision/implementation woes,” he said.
Thomas Richards, principal consultant at Synopsys, agreed. “Designing security in is the best approach and is also the cheapest,” he said. “Setting security requirements early on and performing threat modeling can eliminate many security issues before code is written.”
Not getting the message
As yet, though, another study finds that the message isn’t getting through often enough. Billions of people are walking around with a virtual data bomb in their pocket. According to App Annie, the average smartphone user has 60-90 apps installed on his or her phone, uses around 30 of them each month and launches nine per day.
What will it take to change the current reality? Users could demand better mobile application security. “If they are willing to pay more for solutions with robust security than for ones without, organisations will take action,” said Dunkelberger’s team member.
But the reality is, they haven’t yet and likely won’t. As Bruce Schneier, blogger, author and CTO at IBM Resilient Systems said years ago while lobbying for more aggressive government regulation of Internet of Things (IoT) security, consumers “don’t care because they don’t know enough to care.”
Other solutions for mobile application security
Dunkelberger’s colleague offered two: “Entities with regulatory power, such as App Store providers like Apple or Google, or government regulatory entities, must require a minimum level of security. And a practical approach would be to change the platform APIs [application programming interfaces] so that they are secure by default.”
Enable developers to build security into mobile applications
Douglas agrees that while users bear some responsibility for their own security while using apps on their mobile devices, such as using secure passwords and not installing apps from untrustworthy sources, “the onus does fall mostly on the developers. They control how and where data gets stored, how long it gets stored, how secure that data is. The developers control how authentication works, how frequently the user has to re-prove their credentials, etc.”
Zach Lanier, principal research consultant at Atredis Partners, said beyond making security part of design, development and testing, developers should educate themselves “on the benefits and shortcomings of their stacks—everything from the languages and frameworks they use to the security features of the platform(s) on which they build—and ensuring they take advantage of those features where possible.”
Do authentication better
Most experts agree that for both developers and users, the only way to make mobile application security mainstream is to make it easy. Convenience will trump security every time.
Lanier said part of that is transparency—that developers should notify users “about what changes or updates they make, especially as it relates to addressing any security issues that have been identified.”
For Dunkelberger, one practical way to do that is to make authentication more robust with FIDO (Fast Identity Online).
“With FIDO, the API is crafted carefully to be secure by default, and the authenticator is implemented by the platform, supporting various methods to verify the user—not only PIN, but also biometrics,” he said. “Additionally, the authenticator can ask the user to provide the required verification data—taking the mobile application out of that equation.”
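The exchange Dunkelberger describes, as an added, simplified model that is not code from the page and not a FIDO/CTAP implementation: the app backend issues a single-use random challenge, the platform authenticator performs user verification itself and signs the challenge with a private key that never leaves it, and the backend accepts the assertion only if the signature, the user-verified flag and a monotonically increasing counter all check out. The mobile app only relays bytes; it never sees a PIN or biometric. The `Authenticator`, `RelyingParty`, `Assertion` and `Login` names, the signed-payload layout and the `verifyUser` hook are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assertion is all the app relays from authenticator to backend.
// It carries no PIN and no biometric data, only a signature.
type Assertion struct {
	Challenge    []byte // server-issued challenge being answered
	Counter      uint32 // increases on every signature
	UserVerified bool   // set by the authenticator after its own PIN/biometric check
	Signature    []byte // ASN.1 ECDSA signature over signedPayload(...)
}

// signedPayload is hashed and signed by the authenticator and re-derived by
// the backend: challenge || counter (big-endian) || user-verified flag.
// The layout is an assumption for this example, not the FIDO encoding.
func signedPayload(challenge []byte, counter uint32, uv bool) []byte {
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	flag := byte(0)
	if uv {
		flag = 1
	}
	buf := append([]byte{}, challenge...)
	buf = append(buf, ctr[:]...)
	return append(buf, flag)
}

// Authenticator models the platform authenticator (hypothetical). The key
// never leaves it; verifyUser stands in for the OS PIN/biometric prompt.
type Authenticator struct {
	priv       *ecdsa.PrivateKey
	counter    uint32
	verifyUser func() bool
}

func NewAuthenticator(verifyUser func() bool) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, verifyUser: verifyUser}, nil
}

// PublicKey is handed to the backend once, at enrollment.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Assert answers a challenge. User verification happens here, inside the
// authenticator; if it fails, no signature is released at all.
func (a *Authenticator) Assert(challenge []byte) (*Assertion, error) {
	if !a.verifyUser() {
		return nil, errors.New("user verification failed; no signature released")
	}
	a.counter++
	digest := sha256.Sum256(signedPayload(challenge, a.counter, true))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	if err != nil {
		return nil, err
	}
	c := append([]byte{}, challenge...) // copy so callers cannot alter the signed challenge
	return &Assertion{Challenge: c, Counter: a.counter, UserVerified: true, Signature: sig}, nil
}

// RelyingParty models the app backend: enrolled public keys, the last counter
// seen per user, and the single-use challenge currently outstanding.
type RelyingParty struct {
	pubKeys  map[string]*ecdsa.PublicKey
	counters map[string]uint32
	pending  map[string][]byte
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{pubKeys: map[string]*ecdsa.PublicKey{}, counters: map[string]uint32{}, pending: map[string][]byte{}}
}

func (rp *RelyingParty) Register(user string, pub *ecdsa.PublicKey) {
	rp.pubKeys[user] = pub
	rp.counters[user] = 0
}

// NewChallenge issues 32 random bytes and remembers them for exactly one use.
func (rp *RelyingParty) NewChallenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Verify consumes the outstanding challenge and checks challenge match,
// user-verified flag, counter advance and signature, in that order.
func (rp *RelyingParty) Verify(user string, as *Assertion) error {
	pub, ok := rp.pubKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	want, had := rp.pending[user]
	delete(rp.pending, user) // single use, whether or not verification succeeds
	if !had || !bytes.Equal(want, as.Challenge) {
		return errors.New("assertion does not answer an outstanding challenge")
	}
	if !as.UserVerified {
		return errors.New("authenticator did not verify the user")
	}
	if as.Counter <= rp.counters[user] {
		return errors.New("signature counter did not advance (possible cloned key)")
	}
	digest := sha256.Sum256(signedPayload(as.Challenge, as.Counter, as.UserVerified))
	if !ecdsa.VerifyASN1(pub, digest[:], as.Signature) {
		return errors.New("bad signature")
	}
	rp.counters[user] = as.Counter
	return nil
}

// Login runs one full exchange: challenge -> authenticator -> verify.
func Login(rp *RelyingParty, user string, auth *Authenticator) error {
	challenge, err := rp.NewChallenge(user)
	if err != nil {
		return err
	}
	as, err := auth.Assert(challenge)
	if err != nil {
		return err
	}
	return rp.Verify(user, as)
}

func main() {
	rp := NewRelyingParty()
	auth, err := NewAuthenticator(func() bool { return true }) // constructed: user passes the prompt
	if err != nil {
		panic(err)
	}
	rp.Register("alice", auth.PublicKey())
	fmt.Println("login:", Login(rp, "alice", auth))
}
```

The app code path is `Login`: it moves a challenge one way and an assertion the other, which is the "taking the mobile application out of that equation" point. The counter check is what lets the backend notice a cloned key later, and consuming the challenge on every attempt is what defeats replay of a captured assertion.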
Better authentication is indeed one significant way to improve mobile application security. But as Richards notes, it is still the responsibility of developers “to develop their application securely and consider security risks early and often while developing and supporting the application.”
And we’re still waiting for that to happen.