App security refers to the practices and policies that shield high-value mobile applications from reverse engineering, tampering and other app-centric attacks. App security includes application hardening to obscure code, runtime application self-protection (RASP) and self-healing measures, white-box cryptography to encrypt critical data and keys, and real-time app threat telemetry for closed-loop threat intelligence.
Mobile App Security Threats
Mobile App Security Issues
Protecting customer, business and IP data should be at the center of every business's consumer app development and IT acquisition strategy. Securing applications and data against exploitation is key to preventing brand damage, financial loss, intellectual property theft and government penalties. Unfortunately, traditional cybersecurity approaches don't provide the protection that mobile applications need. They are built around securing the network perimeter and focus on attacks and intrusions with technologies like anti-virus and web application firewalls (WAF). In many cases applications are simply not designed from the inside out to include protection or to support compliance requirements; security simply isn't in the purview of developers looking to build great apps.
Mobile App Security Best Practices
Consumer App Security
For customer-facing applications, businesses have trusted their security to coding practices, any number of internal security tests and app penetration testing. These are certainly must-have capabilities since the most effective security is about building defense in layers. But what these traditional security layers miss completely is protecting the actual app code before it is deployed into a zero-trust world.
Even where businesses have used app protection solutions to protect mobile apps, those solutions can only protect against what is known at the time they are deployed. Most current app security solutions cannot report how protections are holding up "in the wild" or provide real-time insight into new threats, so those threats cannot be countered before they go viral.
Customer-facing apps are valuable assets since they are the endpoint for customer interaction. But this same endpoint can also be exploited by bad actors through reverse engineering. Reverse engineering an unprotected app reveals the app's code logic and opens the door to theft of personally identifiable information (PII) and intellectual property (IP), and to back-office attacks via compromised APIs and exposed communication keys. Additionally, redistributed apps laced with malware can capture user IDs and login credentials to commit follow-on fraud.
Protecting consumer-facing mobile apps requires the ability to make app code extremely difficult to reverse engineer, ensure critical data and key security, and report real-time app threat status. Enabling these capabilities requires three defensive layers to adequately address the emerging threat landscape:
- Application protection using a configurable guard network methodology to obscure code and harden the application, and to enable Runtime Application Self-Protection (RASP), tamper resistance and self-healing measures
- White-Box Cryptography to encrypt and protect critical communication keys and data
- Real-time threat analytics to provide an understanding of the threat posture of apps running in the wild
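The "guard network" in the first layer above is a network of small checks that checksum regions of the app and each other, so that patching one check trips another. The following is an added illustration of that idea, not the vendor's product code: the protected "code region" is a constructed byte array (a real hardening tool guards actual code bytes and bakes the expected values in at build time), and the guard names and return codes are this example's own.

```c
/* Added example: a minimal two-level guard network.
 * Guard 1 checksums a sensitive region; guard 2 checksums guard 1's own
 * record, so altering either the region or guard 1's expected value is caught. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a sensitive code region (e.g. a licence check). */
static uint8_t protected_region[32] = {
    0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x10, 0xc7, 0x45, 0xfc, 0x00,
    0x00, 0x00, 0x00, 0x8b, 0x45, 0xfc, 0x83, 0xc0, 0x01, 0x89, 0x45, 0xfc,
    0x8b, 0x45, 0xfc, 0xc9, 0xc3, 0x90, 0x90, 0x90 };

/* FNV-1a 32-bit checksum over an arbitrary byte range. */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}

/* A guard: the range it watches and the checksum that range should have. */
typedef struct { const uint8_t *start; size_t len; uint32_t expected; } guard_t;

static guard_t g1, g2;   /* static storage: zero-initialised, so padding is stable */

/* In a real build the expected values are computed by the hardening tool;
 * here they are computed once at start-up from the intact region. */
void guards_install(void) {
    g1.start = protected_region; g1.len = sizeof protected_region;
    g1.expected = fnv1a(g1.start, g1.len);
    g2.start = (const uint8_t *)&g1; g2.len = sizeof g1;
    g2.expected = fnv1a(g2.start, g2.len);
}

/* 0 = intact, 1 = protected region altered, 2 = guard 1 itself altered. */
int guards_check(void) {
    if (fnv1a(g2.start, g2.len) != g2.expected) return 2;  /* guard-of-guard first */
    if (fnv1a(g1.start, g1.len) != g1.expected) return 1;
    return 0;
}

int main(void) {
    guards_install();
    printf("intact: %d\n", guards_check());
    protected_region[5] ^= 0xff;            /* simulate a one-byte binary patch */
    printf("after patch: %d\n", guards_check());
    return 0;
}
```

A product-grade guard network would also repair the altered bytes (the "self-healing" the page mentions) and report the event to the threat-analytics layer rather than just returning a code.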
Business Productivity App Security
IT teams face different issues when trying to protect corporate IP and customer data and to enforce governance policies. Use of custom mobile productivity apps has been a game changer, greatly improving productivity for employees, contractors and partners by allowing access to corporate IT assets. But the proliferation of these apps, used by employees, contractors and partners on unmanaged devices, is cause for real concern for corporate IT security and governance teams. Managing the deployment, ongoing maintenance and updating, and data security of these apps can be a daunting task.
Unsecured productivity apps deployed by an organization pose as significant a threat to the business as any customer-facing app running in the wild. This threat creates a number of IT management issues in trying to find effective ways to deploy these apps that maximize adoption while maintaining security and governance. Mobile device management (MDM) has been the traditional means of overcoming these threats, but over time it has become unworkable given the number of non-employees who require app access and the number of personal devices whose owners will not accept the intrusive nature of MDM.
Protecting business productivity apps requires them to be:
- Onboarded to a mobile application management platform and inspected to ensure they are free of malware and privacy risks
- Wrapped with analytic, management and security policies that allow IT teams to manage governance at the app level: enterprise single sign-on, app usage analytics, data wiping, app-level VPN, app expiration, copy/paste disabling, jailbreak detection, and more
- Distributed to users via corporate-branded enterprise app stores to maximize distribution control and user adoption