IDC

Region Focus: Worldwide

The Need for Unified Mobile Application Defense in Production Apps

August 2024 | us52472024
Katie Norton

Research Manager, DevSecOps and Software Supply Chain Security

Jim Mercer

Program Vice President, Software Development, DevOps, and DevSecOps

Product Type:
IDC: Spotlight
Sponsored by: Appdome

Modern mobile application protection should be easy for developers to implement, based on real-time data, and enhance user experience. It should also adapt to continuously evolving cyberthreats.

At a Glance

  • Mobile applications are at the center of consumers’ and employees’ daily lives. But they have also become a primary vector for attack and a source of sensitive data leakage.
  • Protections for mobile application security, privacy, fraud, and compliance cannot be solely addressed through traditional web security measures, legacy RASP SDKs, a testing-only approach, or tools that require significant effort from developers to implement.
  • Modern mobile application protection uses data-driven, machine learning automation to facilitate comprehensive security, privacy, fraud, and compliance protections without requiring developers to be security experts.

Introduction

Organizations rely on mobile applications to serve customers, drive revenue, empower employees, and expand their businesses. For many of them, a significant portion of their revenue comes from mobile apps. These organizations cannot afford to deliver insecure mobile applications that expose sensitive data, violate privacy, enable fraud, and fail compliance. The financial implications of insecure mobile applications are significant, potentially resulting in financial loss for customers and decreased revenue and shareholder value for the company. In fact, inadequately protected mobile applications can lead to legal liabilities and regulatory compliance violations, which could severely impact the bottom line. A failed mobile security and protection strategy will damage brand reputation, customer trust, and company value.

Mobile apps have become prime targets for cyberattacks. Executives, product owners, developers, and security teams must understand the high risk of ignoring this reality. The value of mobile innovations is diminished when attacks and data leakage harm consumers, brands, and revenue. A unified mobile application defense offers a practical solution that can be implemented to mitigate these risks and protect the value of mobile innovations. It’s the key to ensuring that the potential of mobile apps is not overshadowed by security concerns.

Consumers and employees increasingly demand that mobile application suppliers diligently protect their personal information and privacy. Trust is paramount; individuals need assurance that their data is secure and that the companies they interact with are proactive in safeguarding against cyberthreats. As cyberattacks become more sophisticated, the onus is on the mobile application supplier to implement comprehensive security protocols, ensuring data integrity and privacy. By prioritizing these protections, organizations not only comply with regulatory requirements but also build and maintain crucial trust with their customers and employees.

Modern mobile applications run in the wild across a diverse set of mobile devices and are not protected in a datacenter environment like web applications. This increased exposure leaves them subject to different types of threats and attacks than web applications, including:

  • Common threats like jailbroken (iOS) or rooted devices (Android) that remove OS protections, exposing sensitive data and enabling attackers to compromise mobile apps more easily
  • Bad actors with hundreds of powerful, freely available, and easy-to-use tools like Frida, Shamiko, and Magisk at their disposal to attack and compromise mobile applications, using techniques and methods such as reverse engineering, dynamic binary instrumentation, static binary patching, code or memory injection, shell code, rootkits, custom bootloaders, kernel modification, malware frameworks, virtualization, emulators/simulators, application players, and malicious proxies
  • Man-in-the-middle (MitM) attacks, where a bad actor secretly intercepts a communication session between two parties and takes control of it
  • The rise of social engineering attacks, such as voice phishing (vishing) and SMS phishing (smishing), which drive account takeovers and fraud
  • New regulations or bans for mobile application usage in specific geographic locations to remain in compliance or to thwart fake accounts in banking, retail, betting/gaming, social/dating apps, and more
  • Bot attacks, account takeovers, and other means to compromise network connections and web application firewalls (WAFs), leading to fraud and mass data harvesting

As a result, mobile application owners, developers, architects, and security teams need to look at mobile application defense holistically, addressing the full mobile application life cycle of build, test, monitor, and respond. With this battery of attacks and the need for a full life-cycle approach, mobile application security measures cannot be limited to classic developer security training, point product protection, software development kits (SDKs), web application security testing (AST), and network infrastructure monitoring.

Modern mobile application protections for security, privacy, fraud, and compliance must span the full life cycle and must be easy for developers to use without the need to be security experts.

Mobile application security testing (MAST) can address some of the security gaps that web application security tools fail to cover. However, MAST doesn’t provide any boost to developer productivity, nor does it uncover real-time and evolving threats and attacks. It also doesn’t guard against new attacks like social engineering, bots, geolocation abuse, and fraud, which are only truly known when the mobile application runs in production. Even when organizations use MAST solutions, mobile applications will ship with known security issues because of short mobile release cycles and the pressure to satisfy the demand for new features, maintain high app store rankings, and support the latest devices and operating systems.

For those that recognize this gap and seek to implement proactive mobile application protections, monitoring, and response, many current data and mobile application protection tools, such as SDKs or specialized compilers, require significant work from developers to implement protections. This time-consuming process slows the release of mobile applications, leaving them without adequate runtime protection or with superficially implemented protections that allow easy bypassing or disablement. The effectiveness of SDKs or specialized compilers cannot be guaranteed since the company providing the SDK has no control over it or its proper implementation in a mobile app. While SDKs or specialized compilers may provide some level of protection, they can often conflict with each other. In addition, they typically do not include any runtime instrumentation to collect real-time telemetry data in production applications on actual attack and protection patterns that can be used to drive effective response.

Gaps in Modern Mobile Application Protection

IDC research finds that while over 75% of organizations use MAST to test their mobile applications, monitoring mobile application security in production is identified as the most significant challenge in securing them (see Figure 1).

FIGURE 1: Organizations Are Challenged by a Lack of Production Visibility

Q. What are your two biggest challenges with mobile application security?

n = 239
Source: IDC’s DevSecOps Adoption, Tools, and Techniques Survey, January 2023

Inadequate mobile application protection at runtime can create dangerous security risks for the organization building the mobile application and its users. Even if a developer delivers a securely coded application, it can still be vulnerable because secure coding does not protect against reverse engineering, tampering, bot attacks, social engineering, fraudulent activities, and more.

Organizations need automated mobile application protection in the development life cycle, together with monitoring and response in production, which together provide a layer of protection that does not rely solely on the code itself. Effective mobile security requires a layered defense covering the multiple areas that may be vulnerable to attack.

Modern mobile application security, privacy, fraud, and compliance protections must allow developers to easily enable full life-cycle protection without needing to be mobile application security experts and without requiring extensive code alterations or tedious configuration changes. Coding mobile application protections takes time, skill, and resources, and the effort needs to be repeated for every new build, making a guaranteed and repeatable security outcome even harder. Ideally, modern mobile application security should use a “policy as code” approach, with security defining the policies. Then security, privacy, fraud, and compliance are automatically built into mobile apps using those policies in the DevOps pipeline, with zero coding by developers. Organizations must be able to confidently and repeatably deploy mobile security protections at the speed of DevOps.

Deploying mobile application protections must also be a data-informed process. With the litany of attacks against mobile applications, real-time cyberattack and cyberthreat data from mobile applications in production can help ensure adequate protection. Cyberattacks and cyberthreats are continuously evolving, so a mobile application with runtime protection and enforcement that was secure in the last release may not be so in the next one. In addition, organizations can leverage the same threat data to collect comparative data over time and prove that the protections are working properly and delivering value to the business.

Further, leveraging real-time attack data allows mobile developers and security teams to react quickly to threats, reducing the time between discovery and remediation without needing to rely on application crashes for handling security events that result in poor user experiences. Modern mobile application protection requires flexibility, granularity, and control over the user experience when a cyberattack occurs.

Benefits

A key benefit of modern mobile application protection is that it can enable organizations to ensure the security, privacy, fraud, and compliance of their mobile applications comprehensively across the full life cycle without requiring developers to possess deep knowledge in these areas. A lack of security expertise is a significant impediment; the top challenge organizations face in adopting DevSecOps is developer security knowledge (see Figure 2). Modern mobile application protection enables developers and security teams to make data-informed decisions to ensure the protections they deploy are the right ones. Rather than needing to be security experts, developers and security teams know what to implement from real-life data; they can use a “policy as code” approach to quickly adjust and automatically apply protections in the build cycle.

FIGURE 2: Developers Do Not Have Time to Become Security Experts Too

Q. What is your top organizational challenge concerning DevSecOps adoption?

n = 311
Source: IDC’s DevSecOps Adoption, Tools, and Techniques Survey, January 2023

Modern mobile application protection can also provide security and development teams with a shared, validated understanding of mobile application protection across security, privacy, fraud, and compliance. IDC research found that the top change organizations are making to address future security breaches is improving coordination between security teams and developers. Modern mobile application protection enables security teams to enforce the security model with policy as code without requiring significant work from developers. Using this approach, both development and security teams can effectively secure consumer trust by automatically ensuring compliance throughout the mobile application life cycle.

Trends

The race to build capabilities that enable daily code releases in production will accelerate over the next several years. IDC predicts that the percentage of large organizations deploying code to production every day will increase from 5% in 2021 to 70% in 2025 due to the widespread implementation of mature DevOps practices. As the pace of application development continues to accelerate, so will the number of applications. IDC predicts that by 2028, there will be 1.02 billion new logical applications worldwide.

The exponential growth of applications has also created unprecedented security breaches. In IDC’s 2023 DevSecOps Adoption, Tools, and Techniques Survey, the number of organizations indicating they experienced a security breach increased 21 percentage points over the prior year’s survey. With the development of more applications deployed faster than ever before, the available attack surface for cybercriminals increases, making it easier for them to exploit vulnerabilities and launch attacks.

New and emerging compliance regulations, such as the California Consumer Privacy Act (CCPA) and the EU General Data Protection Regulation (GDPR), have data sovereignty, privacy requirements, and protections for personally identifiable information (PII) with which mobile applications must comply. IDC found that 24% of organizations experienced a sensitive data exposure breach in 2023. In the past few years, Google and Apple have made significant updates to privacy requirements for mobile applications in their app stores. Google added data safety requirements to the Play Store, including the App Defense Alliance (ADA) with the Mobile Application Security Assessments (MASA) specification with third-party independent security reviews (ISRs). Apple rolled out Application Tracking Transparency, Privacy Nutrition Labels, and Privacy Manifests. The increased scrutiny of mobile application user data requires proper runtime protection against bad actors to be built into the application and run throughout the mobile application life cycle.

The expanding mobile attack surface, growing cyberattacks, rapidly expanding fraud, and evolving regulations are all accelerating the need for modern mobile application protection and enforcement solutions.

Considering Appdome

Appdome, which launched in 2012, provides a unified mobile application defense platform for building, deploying, monitoring, and responding to mobile threats and attacks. The platform delivers mobile application protections without coding, SDKs, or agents. To acquire these protections, users upload an Android binary (.apk), Android Application Bundle (.aab), or iOS binary (.ipa) without requiring source code.

The Appdome Platform works with all applications, frameworks, and programming languages; it does not require source code changes to the application; and through policy as code, it automatically and quickly generates the code, libraries, and frameworks necessary for the protections through a patented machine learning engine. Customers can choose the protections they want on their mobile application and may combine protections in any way. Appdome also provides built-in logic that prevents mutually exclusive features and recommends framework or language-specific protections based on the uploaded application. Users can choose template protections for reuse or sharing across multiple mobile applications or mobile development teams.

The Appdome Platform offers over 340 mobile protections, including:

  • App security that includes data encryption, jailbreak and root detection, MitM attack prevention, code obfuscation, antireverse engineering, and runtime application self-protection
  • Antimalware that includes logging attacks, malware and binary instrumentation detection, Frida instrumentation (i.e., code injection), and Secure Sockets Layer (SSL) pinning bypass
  • Anticheat capabilities such as cheat engine and platform detection, application modding detection, injection attack prevention, and fake application and trojan defense
  • Bot defense, which is a comprehensive antibot defense that works with any WAF in a mobile brand’s network
  • Geocompliance, including fake GPS detection, anti-VPN protection, subscriber identity module (SIM) swap detection, and geofencing
  • Social engineering protection to disrupt vishing and other social attacks before they harm the consumer or business
  • Antifraud capabilities to block spyware, accessibility service abuse and automated transfer system (ATS) malware, autotapping, keystroke injection, and other nonhuman events to generate fake events, fake accounts, and fake transactions
  • Endpoint protection in mobile apps built for internal employee use, where the enterprise needs agentless protection of mobile endpoint devices, users, and apps, especially in “bring your own device” (BYOD) scenarios

The Appdome Platform can be used standalone or as a plug-in to build application protections using CI/CD tools, including Azure DevOps, Bitrise, CircleCI, GitHub, GitLab, Jenkins, and Travis CI. Security release management (SRM) provides visibility, management, and control over all CI/CD pipeline mobile application protections.

Appdome Build2Test allows protected mobile apps to be used inside automated mobile application testing suites, such as Sauce Labs, BrowserStack, BitBar, Firebase, and LambdaTest. It logs all security events for the developer to track and monitor. This in-app defense model recognizes the unique signature of these mobile testing services and enables easy testing without issuing a security alert or forcing the application to exit, giving development teams the ability to fully test their mobile applications automatically before release.

The platform produces an Appdome Certified Secure certificate identifying the protections successfully applied in each build of the app. It provides a complete system of record for mobile application security, privacy, fraud, and compliance, including full build history, the specific plug-ins and features implemented, time stamps, build and app IDs, version history, hashes, and signing information. Certified Secure also serves as a checklist for developers before release and as verification for security teams, so they can ensure that all the required mobile application protections have been implemented before clearing the application for production release.

With Appdome ThreatScope Mobile XDR (extended detection and response), developers and security teams can access real-time attack and threat intelligence covering thousands of Android and iOS attack vectors. Telemetry deployment occurs in minutes and is both agentless and serverless. It can be deployed first to make informed decisions on what protections to use based on real-time threat and attack data, allowing the implementation of those new protections in minutes using the same system. Appdome Threat-Events enables developers to use detection and defense data to create and control users’ experiences with default and highly customized options.

Appdome MobileEDR (endpoint detection and response) enables organizations to protect mobile applications from build to download by dynamically applying EDR capabilities as part of the protections. Teams can automatically integrate agentless controls for unified endpoint management (UEM)/enterprise mobility management (EMM) platforms like Microsoft Intune and VMware Workspace ONE, extending protections and controls for BYOD scenarios when end users want their privacy respected and don’t want agents.

When mobile apps are in production, the Appdome Threat Resolution Center empowers mobile support teams to rapidly identify and resolve mobile cyberattacks and threats and get mobile users back into production quickly. When an attack or threat is detected, the Appdome-protected mobile app generates a context-specific ThreatCode with details of the specific attack, app version, mobile OS, and device, which the support team can use to rapidly resolve the issue. An Appdome Threat Resolution Agent uses the ThreatCode data with GenAI to generate smart prompts and optimized responses, giving the mobile support team an explanation of the threat and step-by-step instructions for that specific attack, app version, mobile OS, and device so they can help mobile users resolve it fast.

Challenges

IDC recognizes that Appdome may face several challenges in the security marketplace:

  • Rationalizing that standard DevSecOps and XDR tools provide enough protection: Most DevOps and security teams that don’t fully understand the nuances of mobile application security hardening may think they have done their security due diligence using standard DevSecOps AST tools with third-party XDR SDKs. Convincing these prospects that they need additional protections for mobile applications can be tough.

    Unlike web applications, mobile applications do not run in a protected datacenter environment. Mobile devices run outside datacenters and firewalls, subjecting them to various types of threats and attacks. While this mindset puts the burden of proof on Appdome and requires prospect education, it also highlights a greenfield opportunity to offer new mobile protections to these inadequately protected applications.
  • Long-standing concerns about the latency of runtime protections: The performance of mobile applications is paramount, and mobile application users have zero tolerance for poor-performing applications — too many alternative competitive applications are available. With additional security protections taking place at runtime, customers and developers could be concerned about increased latency.

    Appdome does not require developers to add additional code to their applications. Its platform is designed for mobile application production runtime performance, including code optimization in the build cycle. The Appdome Platform uses a patented file system that optimizes application storage write performance and is built specifically for fast runtime responses. The company claims that the platform has processing times of less than 1ms.
  • Achieving name recognition and awareness among many different DevSecOps vendors: The DevSecOps and application security space is crowded, with some familiar, entrenched AST players; a handful of RASP SDK vendors; and a cacophony of different messages from a large collection of smaller vendors. This noise can make it difficult for Appdome to stand out and for prospects to understand its value proposition.

IDC forecasts that by 2028, the growth of mobile applications will drive the creation of over 1 billion new logical applications. This explosion of new applications offers Appdome an opportunity to distinguish itself in the narrower mobile application security market by focusing on its capabilities and value propositions. The market and industry need more than legacy RASP provides. The Appdome Platform includes a full suite of mobile application protections, including antifraud, antibot, antisocial engineering, geofencing, and geocompliance. The company states that it has over 340 distinct protections available out of the box.

Conclusion

Protecting modern mobile applications throughout their life cycle is essential to safeguarding user data, maintaining trust, complying with regulations, preventing financial losses, and ensuring the overall security and integrity of the application and the organization that develops it. It is not enough to rely on classic application security testing tools to properly secure today’s modern mobile applications.

Organizations need security enforcement and protection — not just testing.

Modern mobile application security must be easy for developers to use without the need to be mobile application security experts while providing deep protections that will defend against bad actors.

It behooves organizations that are looking to automate mobile application defense building inside the DevOps CI/CD pipeline, delivering mobile application security, antifraud, antimalware, anticheat, antibot, and other cyberdefenses in Android and iOS apps, to consider how the Appdome Platform can provide enhanced security for their mobile applications.

Message from Sponsor

Mobile developers and businesses grow successfully by building innovative five-star mobile apps with great user experiences. But attackers have recognized the global shift to mobile apps and are exploiting weaknesses of mobile app code running in the wild, putting everyone at risk. To counter this, mobile developers and security teams have recognized they can continue to deliver great mobile experiences with highly effective modern mobile defenses built in. Modern mobile app defense requires an AI/ML platform-based approach that plugs into the CI/CD pipeline and spans the full mobile app lifecycle of build, monitor, and respond. Through policy as code, security teams get the protection they need, developers get no-code automation, the business gets fast, dependable release cycles, ops gets real-time production visibility, support teams get real-time resolution, and mobile users get a great mobile cyber experience. Schedule your demo to see the power of the Appdome Platform in action.

For more information, please visit www.appdome.com.