Is Your App Secure? How Crowdsourced Testing Finds Critical Risk
Mobile app development has experienced unprecedented growth in recent years. As of January 2017, the Apple App store held close to 2 million apps, while Google Play had over 2.2 million. That number is only going to increase in upcoming years.
With mobile usage now exceeding desktop usage, it’s an exciting time for brands launching apps and bringing them to the masses. Unfortunately, this growth has been something of a double-edged sword, because it has been accompanied by a surge in security vulnerabilities.
A 2015 report by FireEye found that:
The number of Android vulnerabilities increased by 188% from 2011 to 2015, and the number of iOS vulnerabilities increased by 262% during that period.
According to Gartner, more than 75 per cent of mobile applications would fail basic security tests. These alarming statistics show just how susceptible apps can be to attacks. So what can app developers do about it?
One of the most effective solutions is crowdsourced testing where an app undergoes rigorous analysis to identify security flaws and vulnerabilities. Here’s a brief overview of the process and how it can help you determine whether or not your app is secure.
There’s a concept known as ethical hacking, where a team of experts systematically execute security penetration testing on your app. These experts are often registered members of major security groups such as OWASP, NULL and DEFCON.
Their job is to find potential flaws in your app before actual hackers do. More specifically, “Ethical hackers use the same methods and techniques to test and bypass a system’s defenses as their less-principled counterparts, but rather than taking advantage of any vulnerabilities found, they document them and provide actionable advice on how to fix them so the organisation can improve its overall security.”
Security testing typically takes place toward the end stages of development just prior to launch. By pinpointing and addressing critical errors, you can bring your app to market with greater confidence and ensure a safe, secure and more seamless UX.
A plethora of elements collectively contribute to app security. Some of these include:
- The overall app framework
- Configuration management
- Secure transmission
- User authentication/authorisation
In order to ensure complete app security from top to bottom, crowd testers will gather information on these key areas. This involves a dedicated team manually exploring your app and searching for potential flaws that attackers could exploit.
The team will then gather intelligence and ultimately provide a report on the risks you face before launch. In turn, this enables you to work out any kinks that could compromise security later on.
Common attacks crowd testing can prevent
Flaws in one or more of the aforementioned components can have a host of adverse consequences. For instance, issues with user authentication can create a situation where unintended third parties could potentially gain access to your database.
Here are some specific forms of attacks that can be prevented through crowd testing:
- Code injection – This is when an attacker inserts malicious code into your database. It can lead to denial of service, data corruption or, in a worst-case scenario, a complete takeover.
- Cross-Site Request Forgery – An attacker can take control of a user’s browser and steal sensitive information.
- Cross-Site Scripting (XSS) – Similar to code injection, an attacker tricks a browser into accepting what looks like innocent code, allowing them to get past security controls. From there, they can exploit an app, control the user’s browser and spread viruses.
- API Flaws – It’s all too easy for an API to have gaps in security. This is often the catalyst for distributed denial of service (DDoS) attacks. Crowd testers will closely examine API structure and configuration to spot issues.
Of course, these are only a fraction of the attacks that apps can fall prey to. Allowing a team of qualified crowd testers to examine security can unearth numerous other vulnerabilities that you’ll want brought to your attention. At that point, measures can be taken to resolve serious flaws before they become a liability.
Understanding security risks
Prior to deploying an app, you’ll want to have an in-depth understanding of its capabilities as well as its strengths and weaknesses. You’ll most likely have a grasp of your app’s functionality and usability. However, it’s equally important to understand the full scope of security risks.
Critical errors put your team, as well as the end user, at risk. Part of the reason developers are reluctant to become familiar with the security side of development is simply the complex nature of security and the wide array of terms involved.
If this aspect of app development isn’t your strong suit, a team of crowd testers can streamline the process and bring to your attention any key components that demand your attention.
The dangers of premature app deployment
Besides a lack of understanding of security issues, a “rush to release” approach can have some unsavoury consequences. In fact, this is the catalyst behind many mobile app vulnerabilities. Oftentimes, developers are unable to address security adequately simply because they’re pressed for time.
The State of Mobile Application Insecurity report, conducted by the Ponemon Institute in 2015, found: “65 per cent of respondents say the security of mobile apps is sometimes put at risk because of customer demand or need, and 38 per cent of respondents say their organisations do not scan for vulnerabilities.”
It’s understandable that developers feel pressure to release a final product, considering the insatiable appetite of many of today’s app users. But this puts security in jeopardy if you’re unable to work out the kinks first. Crowd testing is a viable solution because of the speed with which it can be performed (often five days at most).
The necessity of app security
Flexera Software’s Vulnerability Review 2016 found that vulnerabilities were far more prevalent than most developers would like to think. More specifically, it found a total of 16,081 vulnerabilities in 2,484 applications from 263 vendors.
This was a dramatic increase of 39 per cent from the preceding five-year period. It’s not a trend that developers want to see, but it’s a harsh reality that should be acknowledged. Statistics like these show the gap in security that many development teams are facing.
End users definitely have reservations about using an app where security is merely an afterthought. A growing population of app users understands the severity of security risks, making security an integral factor in deciding which apps they will use. Research has even found that a significant portion of users will jump ship to a more secure app.
Failing to eliminate flaws and vulnerabilities is simply bad for business. Not only that, it can quickly diminish your brand reputation and negate any progress you’ve made within your industry. Just imagine the implications of a mass exodus due to a security issue. With negative publicity spreading at an alarming rate, this can drag your brand’s name through the mud.
The efficiency of crowdsourced testing
It’s also important to point out that crowdsourced testing tends to be a far more efficient strategy than traditional testing. The beauty lies in the volume of testers and the number of “person hours” that are logged.
To provide a quick comparison, traditional testing usually means two or three full-time testers and only 300 person hours. Crowdsourced testing, by contrast, equates to 50+ part-time testers and over 1,250 person hours. You can also choose specialists depending on your unique needs.
A tester pool of this size is ideal because you’re more likely to identify critical weaknesses in your app’s security. Given the diversity of backgrounds that comes with this volume of testers, you gain a more comprehensive overview of the state of your security.
Crowdsourced testing typically takes just two to five days, while traditional testing takes 10 to 20 days, and often more.
Not only does this get you tangible results quicker, it makes sense from a financial standpoint as well.
The key is to set your security bar higher than regulatory and governing bodies because these entities often lag behind the more sophisticated cyber criminals. As attacks continue to become more advanced, this will be essential for maintaining the tightest security standards.
If you’re simply following security guidelines set in place by regulatory bodies, you’re almost always sure to be behind. In the never-ending cat-and-mouse game of cyber security, attackers are a constant threat, and development teams must remain diligent in keeping their apps secure.
While traditional testing or even using a security testing tool can help, they’re simply no replacement for the comprehensive analysis that takes place with crowdsourced testing. This is a proven technique for spotting and eliminating vulnerabilities pre-deployment.
Not only does crowdsourced security testing optimise the UX and keep end users safe, it can help maintain and grow your brand’s long-term reputation, which is vital in today’s increasingly saturated market.