Understanding the Risks and Best Practices for Mobile Security
By Kylie M. Amison, Technical Reporter, Cyber Defense Magazine
Mobile devices have become indispensable companions in our daily lives, offering us instant access to a world of information and services. On average, mobile users interact with more than 20 applications each day, making these handheld marvels central to our digital existence. However, as with every other technology trend, as our reliance on mobile devices grows, so does the threat landscape surrounding them.
Recent headlines have highlighted the dark side of our mobile dependence. An Iranian-focused hacking group known as Black Reward has once again targeted the Iranian government, this time through a financial services app used by millions of Iranians for digital transactions. The group pushed messages of protest and resistance, highlighting the ongoing struggle for freedom. This breach underscores not only the vulnerability of mobile apps but also the far-reaching impact of mobile-related security breaches. In another instance, American retailer Hot Topic recently faced a credential-stuffing attack on both its website and mobile applications that exposed sensitive customer information, including names, email addresses, order histories, phone numbers, mailing addresses, and birthdays. And it’s not just retail consumers who are at risk. Healthcare giant UnitedHealthcare recently issued warnings following a mobile app breach that exposed member information. Between February 19, 2023, and February 25, 2023, suspicious activity on the app potentially led to the release of sensitive data, including names, ID numbers, dates of birth, addresses, dates of service, provider information, and insurance details. These breaches should serve as a stark reminder that cybercriminals are actively exploiting vulnerabilities in mobile applications, capitalizing on lax security measures.
The prevalence of such breaches highlights the pressing need for comprehensive mobile security strategies. Traditional security measures often fall short when it comes to safeguarding mobile apps. Mobile Application Security Testing (MAST) programs frequently fail due to poorly defined security requirements and a reliance on outdated web application security testing (AST) tools. The successful MAST programs of today involve comprehensive policies founded on industry standards, developer education, and purpose-built automated testing tools.
As organizations rush to adapt to digital transformation and agile app development practices, security often takes a backseat to speed. Traditional web AST tools are notorious for generating false positives, and manual testing approaches can impede the pace of agile methodologies. To deliver secure mobile apps faster, organizations must leverage automated tools developed by mobile experts, integrate them seamlessly into their development workflows, and configure risk-based policies based on industry best practices, such as those defined by OWASP. OWASP’s guidance has long been celebrated as a highly respected industry standard for web application security. However, as the popularity of mobile apps surged, it became evident that the risks and attack surfaces in the mobile domain fundamentally differed from those in web applications. This realization demanded a fresh approach to mobile app security testing, one tailored specifically to the unique challenges posed by mobile platforms. For a comprehensive guide on building and executing a risk-based security policy using industry standards like the OWASP Mobile App Security (MAS) Project, be sure to explore the NowSecure resource, “An Essential Guide to the OWASP MAS Project.”
Skyrocketing mobile app usage for everyday organizational processes necessitates Mobile AST to mitigate the costly consequences of data breaches, which can include financial losses, system downtime, and severe brand damage. Failure to apply security testing best practices often results in published mobile apps that collect and inadvertently leak vast amounts of personally identifiable information (PII), potentially violating critical data protection regulations. In fact, recent findings from Pixalate, a leading fraud protection, privacy, and compliance analytics platform, paint a concerning picture of children’s privacy within the mobile app landscape.
According to Pixalate’s Q1 2023 Children’s Privacy Risk Report, a comprehensive analysis of nearly 1,000 popular U.S.-registered mobile apps in the Apple App Store and Google Play Store revealed alarming statistics regarding compliance with the Children’s Online Privacy Protection Act (COPPA). Out of the 859 U.S.-registered apps likely subject to COPPA in the Google Play Store and Apple App Store, a staggering 23% (193 apps) were found likely non-compliant with COPPA’s disclosure obligations. Approximately 4% (33 apps) failed to comply with COPPA’s online notice provision by not posting a privacy policy. Of the apps with a privacy policy, 22% of those on Google Play and 13% on the Apple App Store did not meet the disclosure obligations of COPPA. These findings underscore the urgency of addressing privacy and security concerns within the mobile app landscape, especially when it comes to applications used by children. While mobile apps offer incredible convenience and utility, they also expose users, particularly the most vulnerable, to significant risks.
In a world where mobile devices are our constant companions, acknowledging vulnerabilities and taking proactive steps to secure our mobile ecosystems are essential for ensuring a digital future where convenience and security coexist.
About the Author
Born and raised in Hamilton, N.J., I am now residing in the DC metropolitan area after recently becoming a George Mason University alum. While at GMU, I obtained my Bachelor of Science degree in Cybersecurity Engineering with a minor in Intelligence Analysis. Along with writing technical pieces for CDM, I am working full time at leading mobile security company NowSecure as an Application Security Analyst, where I do all types of fun things like exploit vulnerable apps, secure mobile application development, and contribute to exciting projects and important initiatives that are consistently highlighted throughout the security industry. In addition, I also work part time with the startup company Auspex Labs as a Cybersecurity Software Developer, where I am the main developer on DiplomacyTM, a geopolitical threat intelligence engine that combines a broad assortment of metrics and NLP sentiment analysis to calculate nuanced and real-time threat scores per nation state. Working at Auspex has been pivotal to my knowledge of creating secure software and has given me the opportunity not only to develop my first product, but also to start my own startup company, productizing the software and capabilities created in DiplomacyTM. Which brings me to my final endeavor: I am presently co-founder and CTO of Xenophon Analytics, a company that grew from shared interests in international political affairs and my project of building the geopolitical risk engine. When I’m not researching or coding, you can find me watching anime, reading sci-fi, painting, or playing with my dogs! My ultimate goal in life is to learn every single day, and I’m proud to be doing just that. I love to chat about all things tech and security, so feel free to shoot me a message anytime.
Kylie can be reached online at [1] or on LinkedIn https://www.linkedin.com/in/kylie-m-amison-8665a7194/