Mobile apps power revenue generation, customer engagement and analytical insights. They account for 70% of all internet traffic, and data shows they will generate $935 billion in 2023. However, economic uncertainty has many organizations looking for ways to develop and secure their mobile apps while containing costs.
With mobile apps being vital to business successes, there has never been a more important time to prioritize mobile app security.
Many well-known organizations have felt the impact of launching mobile apps with security and privacy weaknesses. Here are some of the more prominent cases:
- Chick-fil-A faced criticism after a mobile app breach compromised 71,000 user accounts.
- Hyundai and Genesis received backlash after security researchers discovered post-2012 car models shared a vulnerability that allowed threat actors to access MyHyundai and MyGenesis mobile apps.
- Under Armour dropped 3.8% in market value after a vulnerability in the MyFitnessPal mobile app allowed threat actors to steal personal information from more than 150 million customers.
- British Airways also experienced a major market share drop after a mobile app security breach leaked 380,000 credit card payments and personal information.
The costs of neglecting mobile app security outweigh any investment in mobile AppSec. But organizations can maintain strong mobile app security and improve efficiency without overspending.
Organizations looking to balance coverage and cost-savings in their mobile AppSec programs should consider the following strategies:
- Replace internal/external penetration testing with automation: Small and mid-sized organizations often outsource their mobile app pen testing at a cost of $15,000 – $25,000 per test. For organizations testing twice a year, these costs can run between $30,000 and $100,000 annually. Conversely, large-scale organizations that conduct internal pen testing must pay employee salaries and provide the technical resources their testers need to do the job effectively. Instead of relying on manual pen testing, mobile AppSec teams can use automated mobile application security testing to test an unlimited number of builds every day for as low as $40 per day, substantially reducing costs while dramatically increasing test frequency. As a bonus, continuous automated security testing eliminates the 2-4 week wait times for manual pen tests.
- Establish a standards policy in pre-production: Establishing mobile application security standards makes it easier for development and security teams to agree in advance about what they do or don’t have to address before the mobile app launches. Devs will know how to write code and security analysts will know what to test, driving alignment and efficiency. Designing a standards policy based on the Open Web Application Security Project (OWASP) Mobile Application Security Verification Standard (MASVS) ensures mobile apps meet a baseline level of security against a globally trusted security standard. OWASP MASVS also offers the foundation for the App Defense Alliance (ADA) Mobile Application Security Assessment (MASA), which is used to meet Google Play Data safety requirements.
- Integrate automated testing into the DevSecOps pipeline: The status quo approach to mobile AppSec testing usually involves testing at the end of the dev pipeline. Internal or external security analysts run manual tests and then notify devs about critical issues and Google Play/Apple App Store blockers. This approach often leads to release delays: devs must wait on security analysts to deliver results, and then spend time and resources fixing issues before the mobile app launches. Alternatively, teams can shift left and deploy automation into their CI/CD platform so that testing is no longer confined to a fixed point in the DevSecOps lifecycle. After devs write new code, automated security testing completes an assessment and generates issue tickets noting security bugs or policy mistakes. Using automated testing products with built-in remediation information further improves efficiency by saving devs the time spent searching for options on Google and Stack Overflow.
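The two strategies above, a pre-agreed MASVS-based policy and a pipeline step that turns scan results into tickets, fit together in a small CI gate. The following is an added example written for this article, not NowSecure's product code: it assumes a hypothetical scanner report format (the JSON shape, finding IDs, titles and severities are all constructed), uses the OWASP MASVS v2 control-group names for tagging, and encodes one possible severity ceiling per control group as the constructed policy that dev and security teams would agree on before production.

```python
"""CI gate: block a mobile app build when scan findings exceed a pre-agreed
MASVS-based policy, and emit issue-tracker payloads for each violation.
Added example; the report format and policy values are constructed."""
import json
import sys

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed pre-production policy: for each MASVS v2 control group, the
# highest severity a finding may have and still ship. Anything above blocks.
POLICY = {
    "MASVS-STORAGE": "low",
    "MASVS-CRYPTO": "low",
    "MASVS-NETWORK": "medium",
    "MASVS-AUTH": "medium",
    "MASVS-PLATFORM": "medium",
    "MASVS-CODE": "high",
    "MASVS-RESILIENCE": "high",
    "MASVS-PRIVACY": "low",
}
DEFAULT_MAX = "medium"  # ceiling for findings tagged with an unknown group

# Constructed scan report in a hypothetical JSON shape; real tools differ.
SAMPLE_REPORT = json.dumps({
    "app": "com.example.shop",
    "build": "2023.04.1-rc3",
    "findings": [
        {"id": "F-001", "control": "MASVS-STORAGE-1", "severity": "high",
         "title": "Session token written to shared preferences in cleartext",
         "remediation": "Store secrets in the platform keystore/keychain."},
        {"id": "F-002", "control": "MASVS-NETWORK-1", "severity": "medium",
         "title": "Cleartext HTTP permitted for one analytics host",
         "remediation": "Disallow cleartext traffic in the network security config."},
        {"id": "F-003", "control": "MASVS-CODE-2", "severity": "low",
         "title": "Debug logging left enabled in release build",
         "remediation": "Strip debug logs from release builds."},
        {"id": "F-004", "control": "MASVS-CRYPTO-1", "severity": "info",
         "title": "Deprecated hash used for a non-security cache key",
         "remediation": "No action required by policy."},
    ],
})


def control_group(control_id):
    """Map a control ID to its group: 'MASVS-STORAGE-1' -> 'MASVS-STORAGE'."""
    parts = control_id.rsplit("-", 1)
    return parts[0] if len(parts) == 2 and parts[1].isdigit() else control_id


def evaluate(report_json, policy=POLICY):
    """Return the findings whose severity exceeds the ceiling for their group."""
    report = json.loads(report_json)
    violations = []
    for finding in report["findings"]:
        ceiling = policy.get(control_group(finding["control"]), DEFAULT_MAX)
        if SEVERITY_RANK[finding["severity"].lower()] > SEVERITY_RANK[ceiling]:
            violations.append(finding)
    return violations


def ticket_payloads(report_json, policy=POLICY):
    """One issue-tracker payload per violation, carrying the remediation text
    so the developer gets the fix alongside the finding."""
    report = json.loads(report_json)
    return [
        {
            "title": f"[{f['control']}] {f['title']}",
            "labels": ["security", "masvs", f["severity"]],
            "body": (f"Build {report['build']} of {report['app']} violates the "
                     f"pre-production policy for {control_group(f['control'])}.\n"
                     f"Finding {f['id']}: {f['title']}\n"
                     f"Remediation: {f['remediation']}"),
        }
        for f in evaluate(report_json, policy)
    ]


def gate(report_json, policy=POLICY):
    """Exit code for the CI step: 0 lets the build proceed, 1 blocks it."""
    return 1 if evaluate(report_json, policy) else 0


if __name__ == "__main__":
    # Read a report from the file given on the command line, or fall back to
    # the constructed sample so the script runs offline.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for ticket in ticket_payloads(data):
        print(json.dumps(ticket, indent=2))
    sys.exit(gate(data))
```

Run as a pipeline step after the scan, with the scanner's report path as the argument; the non-zero exit on a policy violation is what makes the build fail, and the printed payloads can be posted to the issue tracker by the next step. Because the ceilings live in one dictionary, tightening the policy is a reviewed change to the repository rather than a conversation at release time.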
- Upskill devs on secure coding practices: Developing mobile apps securely from the start remains one of the most effective ways to reduce costs in mobile AppSec. But not all devs and security analysts know the differences between web and mobile architecture. Many devs apply their web-based skills when working on mobile apps without realizing those skills don’t always translate. Mobile apps require unique methods to reduce security and privacy risks. Devs can improve their mobile app development knowledge at no extra cost: free online courseware helps devs improve code quality and reduce the frequency of security issues throughout production. Highly skilled devs write secure code faster, speeding up the production lifecycle and lowering development costs. This reduces testing requirements for security teams, ultimately decreasing their labor and resource costs.
Don’t let budget constraints get in the way of securing mobile apps. Use these cost-effective mobile AppSec strategies to help dev and security teams improve efficiency, reduce costs, and ship secure mobile apps faster.
Brian C. Reed, chief mobility officer, NowSecure