Page 109 - Cyber Defense eMagazine October 2023
another instance, American retailer Hot Topic recently faced a credential-stuffing attack on both its website and mobile applications that exposed sensitive customer information, including names, email addresses, order histories, phone numbers, mailing addresses, and birthdays. And it's not just retail consumers who are at risk. Healthcare giant UnitedHealthcare recently issued warnings following a mobile app breach that exposed member information. Between February 19, 2023, and February 25, 2023, suspicious activity on the app potentially led to the release of sensitive data, including names, ID numbers, dates of birth, addresses, dates of service, provider information, and insurance details. These breaches should serve as a stark reminder that cybercriminals are actively exploiting vulnerabilities in mobile applications, capitalizing on lax security measures.
The prevalence of such breaches highlights the pressing need for comprehensive mobile security strategies. Traditional security measures often fall short when it comes to safeguarding mobile apps. Mobile Application Security Testing (MAST) programs frequently fail due to poorly defined security requirements and a reliance on outdated web application security testing (AST) tools. The successful MAST programs of today involve comprehensive policies founded on industry standards, developer education, and purpose-built automated testing tools.
As organizations rush to adapt to digital transformation and agile app development practices, security often takes a backseat to speed. Traditional web AST tools are notorious for generating false positives, and manual testing approaches can impede the pace of agile methodologies. To deliver secure mobile apps faster, organizations must leverage automated tools developed by mobile experts, integrate them seamlessly into their development workflows, and configure risk-based policies based on industry best practices, such as those defined by OWASP. OWASP has long been celebrated as a highly respected industry standard for web application security. However, as the popularity of mobile apps surged, it became evident that the risks and attack surfaces in the mobile domain fundamentally differed from those in web applications. This realization demanded a fresh approach to mobile app security testing, one tailored specifically to the unique challenges posed by mobile platforms. For a comprehensive guide on building and executing a risk-based security policy using industry standards like the OWASP Mobile App Security (MAS) Project, be sure to explore the NowSecure resource, "An Essential Guide to the OWASP MAS Project."
Skyrocketing mobile app usage for everyday organizational processes necessitates Mobile AST to mitigate the costly consequences of data breaches, which can include financial losses, system downtime, and severe brand damage. Failure to apply security testing best practices often results in published mobile apps that collect and inadvertently leak vast amounts of personally identifiable information (PII), potentially violating critical data protection regulations. In fact, recent findings from Pixalate, a leading fraud protection, privacy, and compliance analytics platform, paint a concerning picture of children's privacy within the mobile app landscape.
According to Pixalate's Q1 2023 Children's Privacy Risk Report, a comprehensive analysis of nearly 1,000 popular U.S.-registered mobile apps in the Apple App Store and Google Play Store revealed alarming statistics regarding compliance with the Children's Online Privacy Protection Act (COPPA). Out of the 859 U.S.-registered apps likely subject to COPPA in the Google Play Store and Apple App Store, a staggering 23% (193 apps) were found likely non-compliant with COPPA's disclosure obligations. Approximately 4% (33 apps) failed to comply with COPPA's online notice provision by not posting a
Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.