As mobile applications continue to grow in popularity, companies face increasing pressure to deliver new, exciting, powerful apps at a rapid rate. Naturally, this raises the issue of application security, especially as consumers now entrust a huge range of sensitive information to these programs.
For organizations pursuing mobile app development, it is imperative to keep up with how the threats in this area evolve. However thorough a team's current knowledge may be, the threat landscape will change and demand new approaches to achieve security.
Several of the most pressing mobile application security issues were recently highlighted by WhaTech contributor Jay Patel.
Arguably the biggest issue, according to Patel, is the amount of sensitive user data these apps hold combined with how rarely they require the user to authenticate again. Many users now expect to enter their login information only once and assume the app will remember it. The convenience comes at a price: a password cached on the device so that the user is never prompted again is a password that can be recovered by anyone who gains access to that storage, and developers must balance that exposure against the accelerating demand for convenience. Patel further noted that if the mobile device is synced with or connected to the user's PC, a breach of either can quite possibly compromise the other.
That is why Patel emphasized the need to develop mobile apps that store sensitive data in encrypted form. Encryption has always been a hallmark of application security, but the trend toward remembered login information increases its importance. The practical caveat is that encryption at rest only helps if the key is not sitting next to the data: on current mobile platforms that means keeping the key in the operating system's keystore rather than in the app's own files, and, wherever the backend allows it, caching a revocable session token instead of the password itself.
Furthermore, Patel noted that weak cryptography is another key issue for developers to be wary of. Too often, he explained, developers reach for old, outdated algorithms to protect their applications from cyberthreats. Typical examples are unsalted MD5 or SHA-1 for stored passwords, ciphers such as DES or RC4, and AES used in ECB mode, all of which are broken or badly misused by today's standards. This puts users at risk. Tight deadlines and budgets may make migration difficult, but the goal is not the most advanced technology available; it is current, well-reviewed primitives with their parameters (salt, iteration count, authenticated cipher mode) set the way the relevant standards recommend, plus a migration path so those parameters can be raised later.
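As an added example (not from the article or from Patel's piece), the following Python shows the outdated pattern side by side with a current one: an unsalted MD5 hash of a stored password, which a small dictionary recovers immediately, and a salted PBKDF2-HMAC-SHA256 verifier whose parameters are stored with the hash so the cost can be raised later. Only the standard library is used. The 600,000 iteration count follows OWASP's published guidance for PBKDF2-HMAC-SHA256 and is an assumption to check against current recommendations; the word list is constructed for the example.

```python
"""Outdated vs. current password protection in an app's credential store.

Added example, not taken from the article or Patel's piece. Uses only the
Python standard library. The iteration count follows OWASP's published
guidance for PBKDF2-HMAC-SHA256 (600,000 as of 2023); it is a tunable
assumption, not a constant of the algorithm.
"""
import hashlib
import hmac
import secrets

# --- The outdated pattern: a single unsalted MD5 over the password. ---
# MD5 is fast by design and, without a salt, the same password always
# yields the same digest, so a precomputed dictionary breaks it instantly.

def weak_hash(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def crack_weak_hash(digest: str, wordlist):
    """Recover the password behind an unsalted MD5 digest from a word list."""
    for candidate in wordlist:
        if weak_hash(candidate) == digest:
            return candidate
    return None


# --- The current pattern: salted, iterated PBKDF2-HMAC-SHA256. ---
PBKDF2_ITERATIONS = 600_000


def make_verifier(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm, cost, salt and derived key.

    Storing the parameters next to the hash lets the app raise the cost
    later without invalidating existing records.
    """
    salt = secrets.token_bytes(16)           # fresh random salt per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Check a password against a record produced by make_verifier()."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False          # unknown or legacy format: refuse, do not guess
    _, iterations, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison: a plain == leaks timing information.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    common = ["123456", "letmein", "password123", "qwerty"]  # constructed list
    print("weak hash cracked:", crack_weak_hash(weak_hash("password123"), common))
    record = make_verifier("password123")
    print("record:", record[:40] + "...")
    print("verify correct:", verify("password123", record))
    print("verify wrong:", verify("Password123", record))
```

Hashing applies to a credential the app only needs to verify. A credential the app has to send back to a server cannot be hashed; that is the case for the encrypted storage Patel describes, with the key held in the platform keystore, or better still a revocable token in place of the password.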
Another industry expert, Jeff Williams, recently pointed to the problem of unintended consequences in application security. Writing for Dark Reading, Williams emphasized that developers must be aware of the ways in which their security measures can backfire.
In general, Williams explained, protective technology leads people to take greater risks, an effect known as risk compensation. This is true in virtually every area of life – for example, cyclists wearing helmets tend to ride faster and more aggressively than those without, and the same is true for drivers wearing seat belts. The knowledge that something is there to protect them causes individuals to behave less cautiously, because they perceive less overall risk.
This same mindset can affect developers, according to Williams. If a developer knows that a new Web application firewall is in place, he or she may grow lax about input validation in the application itself, even though a WAF only blocks the attack patterns it recognizes. Another possibility is that an automated security testing tool yields so many false positives that developers effectively ignore all of its warnings, the real ones included.
Ultimately, the problem is that developers' perception of security outruns the actual level of protection. When this occurs, they take unwise risks that put the organization and the app's users in danger of lost or exposed data.
An effective way to prevent this state of affairs is to find and fix problems at the source rather than rely on something downstream for protection. Developers who run static code analysis at their desktops, finding potential security issues as code is being written, can eliminate issues at the earliest possible point in the life cycle, saving time, energy and cost. Williams' caveat applies here too: an analyzer is one more layer whose findings must be read and acted on, not a reason to stop thinking about the code.
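To make that concrete, here is an added example (not the article's, and not any vendor's product) of the kind of check a desk-side static analyzer performs: a short Python AST walk that flags calls to hashlib.md5 and hashlib.sha1, the outdated algorithms noted earlier, and string literals assigned to credential-looking names. The sample module it scans is constructed for this example, and the names WEAK_HASHES, SECRET_NAMES, WeakCodeVisitor and scan_source are the example's own.

```python
"""A desk-side static check for two issues discussed above: outdated hash
algorithms and credentials written into the source.

Added example, not the article's or any vendor's tool. It walks the Python
AST of one module, so it runs in well under a second on a developer's
machine before any code is committed. The sample source below is
constructed for the example.
"""
import ast

WEAK_HASHES = {"md5", "sha1"}
SECRET_NAMES = {"password", "passwd", "secret", "api_key", "token"}


class WeakCodeVisitor(ast.NodeVisitor):
    """Collect (line number, message) findings while walking the tree."""

    def __init__(self):
        self.findings = []
        # local name -> hashlib function name, from `from hashlib import ...`
        self.hashlib_names = {}

    def visit_ImportFrom(self, node):
        if node.module == "hashlib":
            for alias in node.names:
                self.hashlib_names[alias.asname or alias.name] = alias.name
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        name = None
        # hashlib.md5(...)
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id == "hashlib"):
            name = func.attr
        # md5(...) or m(...) after `from hashlib import md5 [as m]`
        elif isinstance(func, ast.Name) and func.id in self.hashlib_names:
            name = self.hashlib_names[func.id]
        if name in WEAK_HASHES:
            self.findings.append((node.lineno, f"weak hash algorithm {name}()"))
        self.generic_visit(node)

    def visit_Assign(self, node):
        # password = "hunter2": a string literal assigned to a secret-looking name
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and target.id.lower() in SECRET_NAMES:
                    self.findings.append(
                        (node.lineno, f"hard-coded credential in {target.id}"))
        self.generic_visit(node)


def scan_source(source: str):
    """Return sorted (lineno, message) findings for one module's source text."""
    visitor = WeakCodeVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings)


# Constructed sample module: three problems and one acceptable call.
SAMPLE_SOURCE = '''\
import hashlib
from hashlib import sha1

password = "hunter2"
def login(pw):
    digest = hashlib.md5(pw.encode()).hexdigest()
    sig = sha1(b"x").hexdigest()
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), b"salt", 600_000)
'''

if __name__ == "__main__":
    for lineno, message in scan_source(SAMPLE_SOURCE):
        print(f"sample.py:{lineno}: {message}")
```

The check is deliberately narrow: it does not follow `import hashlib as h` aliases or `hashlib.new("md5")`, and a secret split across two string literals slips past it. That narrowness is the point of running it at the desk rather than trusting a downstream gate: a small, precise rule that fires rarely and correctly is one developers will act on, whereas a noisy one is ignored exactly as Williams describes.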