90% of Organizations Had a Mobile App Security Incident in the Last Year

GUARDSQUARE
Apr 26, 2024

Assessing Mobile Application Security, a new report based on a survey of 500 global software engineers and developers conducted by Vanson Bourne, found that 88% of respondents have experienced a mobile app security incident in the last 12 months. These app developers release an average of 10 unique mobile applications per year and have identified an increase in attempts to modify, clone, or reverse-engineer them. Nearly all respondents (95%) recognize that mobile app attacks are becoming increasingly sophisticated.

While awareness of the need for mobile app security is certainly a good thing, few organizations are fully protecting their mobile applications from today’s depth and breadth of attacks. Many believe operating system (OS)-level protections are sufficient, but these defaults alone are not enough to defend against sophisticated attacks from bad actors. Let’s explore some of the key findings from this year’s study, and how organizations can proactively enhance their mobile app security posture.

Mobile app developers overestimate their app’s security

Even though 91% of responding organizations feel they do not release unprotected mobile apps, the percentage of organizations reporting security incidents remains high. While 93% of organizations claim they understand the risks of releasing unprotected mobile apps, 67% believe that relying on the OS alone (e.g., Android or iOS) is enough to keep mobile apps secure. Based on the report’s findings, relying on OS-level protections alone is not enough; organizations need to take a proactive, multi-layered approach to security.

The impacts of a mobile app security incident are significant, with organizations reporting the average cost of a single incident at just under $5 million. On top of financial loss, survey respondents experienced issues including mobile app downtime, data loss, data theft, and other impacts on users as the result of a mobile app security incident. Organizations can’t afford to be caught off guard by an unprotected or partially protected mobile app; an incident could result in major brand damage in addition to financial repercussions and loss of intellectual property (IP).

Developers often sacrifice security for speed-to-market

The pressure to continuously deliver and update mobile applications causes many developers to cut corners on security. Surveyed organizations are producing an average of 10 unique mobile apps per year, with 70% of organizations reporting they update their mobile apps at least once a month.

While 98% of organizations reported room for improvement in the level of security incorporated in their mobile application development process, many feel the modern pace of innovation is too fast to keep up. Organizations reported the biggest challenge with implementing and maintaining security controls was the pressure to continuously release new features (41% of organizations ranked this concern highest). Nearly 30% believe that investing in mobile app security will delay their time to market.

With this volume and pace of mobile app releases, it is important for organizations to balance security with speed. Leveraging third-party tools and best practices can address the risks associated with unprotected mobile apps such as loss of IP, revenue, brand trust, and more.

Taking action to protect mobile apps is a competitive differentiator

Even though organizations admit to challenges with the time and security talent it takes to protect their mobile apps, nearly all (98%) report purchasing or considering purchasing additional protection solutions to augment these limitations. Their motivations for adding protections include staying ahead of potential attacks (36%), demonstrating a security-first mindset (34%), keeping up with regulatory compliance requirements (29%), and addressing the increase in attempts to reverse-engineer and modify/clone mobile apps (28%).

In addition, many teams find that adopting a security-first mindset increases positive brand association. When security is fully integrated into the mobile application development lifecycle, it leads to a positive brand reputation. If users are confident their mobile app is secure, they are likely to be more willing to use the app for sensitive transactions. Nearly all (95%) respondents believe that prioritizing mobile app security acts as a unique selling point for their mobile applications.

Key takeaway: Implement multiple layers of security for mobile apps

Protecting mobile applications from constantly evolving threats is no longer a nice-to-have — it’s a must-have. Rather than risk the high costs of a security incident, teams should implement a multi-layered approach to mobile app security which starts at the code level before an app is released, and continues throughout the development lifecycle with ongoing testing and real-time security threat monitoring.

Contrary to popular belief, security doesn’t have to come at the expense of development time-to-market and user experience. It’s encouraging to see organizations prioritizing mobile application security, as well as embracing third-party tooling to extend the capabilities of their teams where staff are stretched too thin. As mobile app attacks increase in volume and sophistication, incorporating secure coding best practices, in addition to the right tooling, can help organizations improve their overall security posture.

Originally published at https://www.guardsquare.com on April 26, 2024.


Guardsquare offers the most comprehensive mobile application security solutions, spanning testing, protection, and monitoring. Visit www.guardsquare.com for more info.