Mobile app security can be very challenging. It’s an attack surface that is often an easy place for hackers to gain access to sensitive information. After all, we use our mobile devices for almost everything from our work to personal lives, and they end up storing an enormous amount of data. This puts them at risk for a serious breach. It also has the potential to negatively impact your company’s relationship with your clients, as the expectation is that you will protect and respect their privacy.
But mobile app owners and developers are receiving a failing grade on due diligence and protecting consumer data.
As a result, mobile apps do not do a good job of protecting personal data. According to the “Vulnerabilities and Threats in Mobile Applications, 2019” report from Positive Technologies, insecure data storage is by far the most common vulnerability identified in applications, with 76% of those examined found to demonstrate this as a security risk, potentially putting the privacy and security of users at risk.
Data breaches are becoming everyday news, and the ramifications of data breaches can be far reaching and last for years. A substantial number of hacking attacks are enabled by exploited application security vulnerabilities. Cybercriminals often go after users’ personally identifiable information (PII), user credentials, and financial and medical information to perform multiple types of frauds and identity theft.
Eduardo Cervantes, former manager of Sentinel Mobile at Continuous Dynamic™ says, “The impact of data abuse can be on individual level, business level, or societal level. An individual could be a subject of identity theft, fraud, or a serious crime if a malicious threat actor lays hands on personal data that’s collected by your app. On a business level, it could be competitive situation where one app leverages user data to gain an unfair advantage. Social impact can be immense and far reaching. Take, for example, the Cambridge Analytica data scandal where the political firm accessed private data of millions of Facebook users to influence elections. It’s important to protect user data and be aware that your app could be contributing to a much larger problem if the stored data can be hacked, stolen, or leaked.”
Collecting large datasets creates increased risk, and most security teams and app developers are not aware of best practices on protecting PII and the implications of sensitive data sharing.
Most apps collect data that far exceeds what is necessary for the app. Use these best practices to reduce the risk to user data.
Security best practices must be developed even before planning the design and coding. How can you make your code less vulnerable? Test for vulnerabilities throughout the software development life cycle. Implementing security by design and providing the right tools to your developers to vet the apps earlier in the life cycle helps prevent security gaps as the applications are designed, developed, and tested.
Security engineers, mobile app developers, and mobile app business owners must all take steps to implement guidelines and best practices on the collection, sharing, and storage of sensitive data. The more the developers integrate security into the design, the safer applications will be when they are pushed to production.
Organizations handle the security of the sensitive data poorly are bound to lose trust—and that’s a huge risk to their survival. Data compliance regulations and the penalties of noncompliance are making companies more aware of the sensitive data they collect and share, and how they secure it.
GDPR, CCPA, and other data protections laws ensure industry-wide privacy regulations, so companies need to be more aware of what data they keep and how it’s stored. App owners need to understand the data they have on all their users. And they must communicate to the user how the data is will be used, including third-party usage.
Checkbox compliance does not mean that you are holistically secure, but it is a good first step to ensure that you’re doing due diligence to protect sensitive data.
The National Institute of Standards and Technology (NIST) offers specific, security-focused guidance on how organizations can minimize their mobile app risks. Over the last few years, NIST has been updating its app-vetting recommendations to emphasize the need for security and privacy built-in by design. The NIST Privacy Framework provides recommendations and best practices on how organizations can ensure the security of mobile applications.
As business owners, app developers, and members of a security team, we can do better. Let’s practice what we preach to protect sensitive data, stay in compliance, and continue to invest in platforms and services that help secure applications, networks, and devices. It’s time to take mobile security and data privacy seriously.