The Top 10 Biggest Security Risks to App Owners in 2017
There has been a dramatic increase in the use of mobile devices over the past few years. GSMA Intelligence research put the number of mobile devices worldwide at over 8.17 billion in July 2017. However, this number is expected to swell to 11.6 billion by 2020.
This means there’s a burgeoning market for app owners and the sky is the limit. But there’s one glaring issue: the inherent security risks.
Studies found a 262 percent increase in iOS vulnerabilities between 2011 and 2015, and Gartner reports that 75 percent of mobile apps would fail basic security tests. With cyber criminals becoming increasingly sophisticated, the stakes are becoming higher and higher.
This is a real concern for app owners and one that should be taken seriously. Here are 10 of the biggest security risks that app owners should be aware of in 2017 and how to combat them.
1. Leaking sensitive data
Sensitive data such as user IDs, passwords, financial information, etc. can be compromised when critical security controls fail to be implemented correctly. This creates a gap in security that enables unauthorised parties to obtain sensitive data, which can have a host of negative consequences.
Developers and app owners can mitigate this threat through proper user authentication and encrypting data. Although there are never any guarantees, this heightens app security significantly.
2. Unauthorised access
As just mentioned, user authentication is a critical part of defense. The app must be capable of ensuring that the user is who they claim to be and able to identify the true user. Otherwise, it creates a framework where attackers can potentially gain unauthourised access.
It’s vital that developers address the issue of authentication head on when the app is being designed and created. For instance, multiple failed login attempts should temporarily lock a user out for a designated period of time and this should be logged for future reference.
3. Code injections
Code injections occur when attackers are able to access the database of your app and insert malicious code into it. “Injecting” unwanted code like this can result in major issues like denial of access, data loss or corruption, and in some cases, a total takeover.
The scary thing is that this type of attack isn’t all that hard to execute and can be done by almost anyone with Internet access. It’s something that your average script kiddie is completely capable of pulling off.
According to the Security Checklist for Web Application Design from The Sans Institute, “SQL (Structured Query Language) injection is the most prevalent. SQL injection attaches specifically to a parameter that passes through to an SQL database allowing an attacker to modify, erase, copy, or corrupt an entire database.”
Avoiding this problem typically begins by identifying vulnerable code, which can be done through crowd testing. Once identified, the code should be rewritten. From there, secure APIs (Application Program Interfaces) should be implemented to prevent additional code from being inputted.
4. Inadequate API protection
Given that APIs often utilise complex data structures and may lack a user interface, it can be difficult to perform security testing on them. This of course can create issues for developers when underprotected APIs possess inherent vulnerabilities.
Attacks can occur when unauthorised parties use reverse engineering or communications interception to examine your app’s code. They can then send requests to your API, which can have devastating consequences. Some potential outcomes include denying access to legitimate developers, stealing sensitive data or destroying it. One of the best ways to increase API protection is to utilise strong authentication.
5. Remote administration vulnerabilities
We’re living in a globalised world where individuals working on the same project may work in different states or different countries. This has made it increasingly common for members of a development team to access an app’s database via remote connections. In many cases, it’s simply not viable nor practical for an entire team to work from a single, fixed location.
Although remote administration may be more efficient and practical, it can also create security concerns. If unintended individuals are able to make changes, this can quickly open a can of worms.
Therefore, it’s critical that team members are given specific roles and everyone understands who is allowed to make what changes. Implementing a secure policy is ideal for creating basic parameters and managing access.
6. Inadequate threat protection
A 2015 Trustwave Global Security Report found, “There were a median number of 20 vulnerabilities in applications. The median number of vulnerabilities discovered over the course of 574 data breach investigations was more than three times higher than the median number of six vulnerabilities per app tested in 2013.”
The sharp rise in vulnerabilities indicates inadequate threat protection across the board for most developers. While many teams use runtime application self-protection security (RASP), it can result in both performance and security issues. As a result, more and more teams are turning to security testing to spot vulnerabilities through simulated test attacks so they can take the necessary action to reduce the likelihood of threats.
A 2015 Trustwave Global Security Report found there were a median number of 20 vulnerabilities in apps, three times higher than in 2013.
7. Continuing to use vulnerable components
Here’s the scenario: Your app has a known vulnerability that was either formally publicised or widely discussed in an open source community. The specifics surrounding the vulnerability are now public knowledge and anyone with nefarious intent could potentially exploit the vulnerable components with relative ease.
This quickly compromises security and opens your app to a variety of attacks. Any time a vulnerability such as this is made public, it’s vital that it’s quickly fixed.
It’s also wise to use caution when disclosing sensitive information with outside sources. You may want to create a policy that puts limitations on what types of information your development team is allowed to share.
8. Session id attacks
This is when an unauthorised user “attacks” a session and steals the identity of a valid user. In turn, they have access to sensitive data and can wreak havoc on an application. The best way to protect a program is by encrypting sessions and randomly assigning session IDs so that they can’t be predicted.
9. Cross-site scripting
If your app allows user input without maintaining control over the output, it can definitely be at risk for cross-site scripting. One way you can minimise this threat is to require input validation.
10. Failing to properly test security functionality
You may be surprised at the number of development teams that fail to properly test the security functions of their app. This is often the result of one of two things — a limited budget or a rush to release.
According to a 2015 study from the Ponemon Institute, “65 per cent of respondents say the security of mobile apps is sometimes put at risk because of customer demand or need. 38 per cent of respondents say their organisations do not scan for vulnerabilities.”
It’s easy to understand why some developers skimp on security testing. Often times, smaller enterprises lack the resources and believe testing is not financially feasible.
Other times, developers are so rushed to come up with a finished product, they don’t leave time to properly address all of the potential security flaws. Nonetheless, this can lead to some adverse consequences and put developers, as well as end users, at unnecessary risk.
According to a 2015 study from the Ponemon Institute, 38% of respondents say their organisations do not scan for vulnerabilities.
Security is a major concern for any app developer. Taking the time to address security vulnerabilities is essential.
As threats continue to increase, app users are taking notice and want to have peace of mind that their personal information will remain safe. Consequently, it has become quite common for users to explore other options that can offer a safer experience.
Failing to take security seriously can have a negative impact on companies as app users are highly likely to switch to a competitor’s app if it has tighter security. This can be as high as 80 percent or more in some industries.
Just think of the impact if four out of five of your app users jumped ship because of low security standards. Not only can this type of mass exodus adversely impact your sales, it can bury your brand reputation as well.
That’s why more and more developers are turning to crowd testing as a means of identifying and resolving potential issues. Though it may slightly push back the release of an app, it will bring vulnerabilities to your attention and give you the chance to tighten security, as well as create a better overall user experience.
More importantly, remote administration security should be a top priority. Some possibilities include a virtual private network (VPN) and user authentication.