Expert view of Caroline BORRIELLO, COO of Pradeo
Behind this positioning is the observation that mobile uses have grown rapidly, both in the personal and professional areas, and the market's desire to respond to this demand. Now mature, and aware of the identified risks, the mobile application market must reinforce its security-by-design approach.
Users’ incredible appetite for mobile applications
It was only 15 years ago: Steve Jobs presented the first smartphone. Far from the standards of the time, these new devices were simply small mobile computers. Just over a decade later, in 2019, mobile Internet usage has even surpassed that of traditional computers. The market for mobile applications has grown at lightning speed, and there are now applications for just about everything!
The approach to developing these applications has therefore, and quite naturally, focused on speed and drastically reducing time-to-market: you must move quickly to create an application (before another publisher has the same idea) and offer functional updates as often as possible, to maintain user satisfaction. Therefore, to simplify developers’ work, some technical or functional bricks, such as libraries for example, are already available on the market. But are they always reliable?
Given the urgency, security has not always been the top priority. Up to 75% of the mobile applications tested by Pradeo contain vulnerabilities, sometimes even among the best known, or include abusive behavior regarding data use, leading for example to risks of theft or data leakage. Far from being anecdotal for a user in his private sphere, the risk is even more critical for professional uses. Very often, these threats come from third party libraries or open source code integrated in applications.
Mobile applications: known risks, aggravated for companies
Smartphones are subject to the same risks as any other digital terminal: compromise of sensitive data (personal data, credit card numbers, various passwords, etc.), usurpation of user's identity, etc. However, due to the specific ergonomics of cell phones (smaller screen, , background applications, etc.), the traps are not always easily identifiable and riskier behaviors may appear.
When smartphones also have direct access to a company's systems, the results can be catastrophic. From data leakage, deplorable for the image of the victim company, to ransomware capable of rendering an information system or an industrial production line completely inoperative, and even of putting lives at risk (hospital information system), the potential consequences of an intrusion are as serious as the increasing number of cell phones accessing organizations' information systems.
A danger that also weighs on the application publishers themselves: in the event of a proven compromise of an application that they have published on the application stores, they will be under the spotlight. With a tarnished reputation (for all their applications if they publish several), a loss of user confidence and possibly a civil or criminal liability, depending on the proven consequences.
Security: A native element
In the same way that raising users' awareness of the security of their personal data, or the security of their company, has made it possible to limit a certain number of risks on computers, awareness of the dangers on mobile devices should have the same positive effects. But this is far from sufficient, as it is difficult or even impossible to identify certain threats.
More than users, the burden of securing applications falls on developers and publishers. This effort must be made from the very first sketches of the application and throughout its life cycle, including corrective and functional maintenance. In other words, it is a matter of integrating security right from the design stage of application development.
In concrete terms, the first element of a secure application is reliable code: the use of third-party code is obviously possible, provided that it is verified. Then, the application must be obfuscated, in order to avoid reverse engineering and thus limit the risks of intellectual property theft or usurpation of the application for malicious purposes. In addition, the application can have intrinsic protections, on the client side with, for example, the disabling of functionalities on a compromised device, or on the server side with the detection of potential clones.
In short, it is time to apply the same principles of security-by-design to the mobile world that have long been accepted in more traditional IT uses, on computers.
Pradeo's Application Security Suite
To facilitate the protection of applications, Pradeo offers to companies that develop applications, publishers and agencies, a security suite that ensures the protection of mobile applications and their associated web services, from the development phase to operations: