App developers need to focus on cybersecurity for app development.

App developers need to focus on cybersecurity for app development. (Image by Shutterstock)

How to improve cybersecurity in app development

Businesses today are investing more in developing mobile applications to cater to growing customer demands. While having an app to support the business can boost sales and revenue, building an app that is secure and stable is also a prerogative for businesses.

A secured app simply means a positive experience for the business. However, the problem today is many businesses have been developing apps just because the system allows them to. A quick check on Android’s Play Store will show numerous apps that have a variety of developers, each catering to a specific business.

A closer look at these apps will show you most don’t get a rating of more than 3 out of 5. While some may argue the ratings can be misinterpretation, consumer experience on social media sites towards the app of a particular brand paints a similar picture.

There are two main problems in app development today. The first is the features of the app itself. A lot of organizations develop apps that are not capable of supporting the demands of consumers, which in turn leads to a negative perception of the organization. The second, which is also the more concerning problem, is the security features of apps built today.

Cybersecurity vendors continue to detect and publish lists of hundreds of apps on the Play Store that have been compromised by malware or have other malicious programs hiding in them. The most common apps to have these problems include e-commerce, gaming and financial apps. But that does not mean others are not compromised. Cybercriminals are known to target apps that have vulnerabilities that can easily be compromised.

Malware can remain on apps for a long time

Malware can remain on apps for a long time. (Image by Shutterstock)

Cybersecurity in app development

So should there be rules or standards for app development? To understand more about this, Tech Wire Asia speaks to Jan Sysmans, Mobile App Security Evangelist, Appdome.

According to Sysmans, one of the most common assumptions most people in the industry have is that if an app is adequately protected, attackers will go somewhere else. However, in reality, it is not. In fact, based on Appdome’s research, the attacks never stop. Cybercriminals are always lurking out there.

Jan Sysmans, Mobile App Security Evangelist, Appdome

Jan Sysmans, Mobile App Security Evangelist, Appdome

For example, over the past few years, malware designed specifically to exploit the Android Accessibility Service event framework have emerged to be a major threat to mobile banking and other transaction based mobile apps. Common exploits include gaining unauthorized access to in app events, stealing PII, transaction and other sensitive information, performing or hijacking transactions, and evading detection. This unique class of mobile malware makes a dizzying array of information, techniques and exploits available to the attackers and fraudsters alike.

As such, to deal with this problem, Sysmans suggested that app developers would need to be ahead of the curve. This means they would need to understand the new threats and attacks leveled against their apps from the production environment. They can’t just rely on penetration testing because the production environment will show every area that needs to be fixed. From there, developers will have the ability to quickly version their security model and start adopting it.

“Cybersecurity teams have to start adopting developer best practices. For the longest time, the idea was that developers should adopt cybersecurity best practices. Put simply, there should be one or two people within the developer team who are becoming experts on the cybersecurity side. They can use the cybersecurity best practices in the development cycle.

However, the only way that cybersecurity is going to have a true seat at the table is when cybersecurity starts adopting DevOps best practices. Cybersecurity teams will then have an agile and rapid way to build their security model to protect against new threats and attacks that they were able to identify in production. We have seen these in the last couple of years,” explained Sysmans.

consumers want brands to prevent things from happening instead of compensating them

Consumers want brands to prevent things from happening instead of compensating them(Image by Shutterstock)

Different teams but the same goal

Sysmans further explained that cybersecurity teams have been often “sitting on the outside” when it comes to app development. For the simple reason that developers remain focused on improving customer experience to build greater apps. It’s all about growing the number of users, increasing session length, improving retention rates, maintaining high crash-free rates, reducing the overall cost, and increasing customer lifetime value.

“Nothing in these points to security. Now, if cybersecurity can actually be used as a differentiator to improve those metrics, it would be a different scenario. For example, how can security be used to improve session length? How can security be used to improve retention rates? How can security be used to increase customer lifetime value? That’s a completely different thinking process, versus the current scenario whereby cybersecurity is all about compliance,” said Sysmans.

Another interesting point highlighted by Sysmans is the need to secure apps during crucial periods when heavy traffic can be expected. This is most common during shopping festivals for e-commerce apps. The problem is though, security teams would be pushing security models to be implemented into the app, as the period is often targeted by cybercriminals.

However, given the need to run promotions and other campaigns, marketing teams may not be in favor of any downtime for app updates. And this is where Sysmans wants cybersecurity needs to be agile and rapid. Only then can they be able to connect directly to the DevOps workflow to ensure that security can be prioritized.

“This doesn’t disrupt and doesn’t break anything. The security team can easily version the security model, and control the security model, and all the developer sees is an API call. There’s no need for any additional work that they have to do. So, again, changing that mindset from how to do cybersecurity by going from compliance thinking to servicing our customers and creating better user experiences when bad things happen as well as when to protect our customers is key. That is what is I think the biggest shift there that cybersecurity has to make in app development,” added Sysmans.

App developers need to stop support for legacy operating systems.

App developers need to stop support for legacy operating systems. (Image by Shutterstock)

App development: Android vs iOS

Appdome’s annual survey on consumer expectations and mobile app security shows that consumers want brands to prevent things from happening instead of compensating them. Currently, most brands have big fraud and malware departments with budgets to reimburse customers. However, 85% of customers prefer brands to prevent such incidences from happening in the first place.

As the mind shift in customers has changed towards prevention, businesses that develop apps should also be able to detect and block malware and other malicious content from corrupting their apps. Most consumers also believe that it is the responsibility of the app maker to protect them against these threats.

“For brands, when it comes to mobile app security, they need to use the consumer. They need to remind consumers to be smart enough to not click a link and such. Malware has evolved in such a way that even people who are in the industry have a hard time figuring it out. The threat landscape is ever-changing.

As a brand, you cannot say that we have a security model that’s been implemented last year and be happy with that. You need to be constantly looking into and better understanding what the other threats are out there and try to understand how threats are evolving,” said Sysmans.

And this is where brands can also look at how they develop their apps for iOS and Android. As iOS has a more closed operating system, apps developed for iOS generally have stronger security features. While the latest versions of the Android OS also provide strong security features, the problem with Android is that its open operating system allows developers to run apps that no longer have significant security support.

Having the latest operating systems can enhance app security.

Having the latest operating systems can enhance app security. (Source – X)

For example, Android app developers can still build and run apps for mobile devices that are using older versions of Android. The problem here is these versions are also easily targeted by cybercriminals as they no longer have security updates.

“Google is putting a huge effort into closing down loopholes and protecting everything. And it’s up to the consumers to upgrade their operating system. It’s also up to the app makers to stop supporting old operating systems that are no longer supported by Google.

The idea of continuing to support Android five, six, or seven, because you still have a subset of customers there has to change.

It’s so much harder to build effective protections when you still need to be backward compatible. You’re also limiting what you can do because many of the new protections really don’t work very well with old operating systems. Hackers are aware of this and that’s why they like to attack people that way,” mentioned Sysmans.

At the end of the day, Sysmans believes the best way to ensure mobile security is to ensure users are operating on the least Android OS and iOS. These systems continue to be updated to protect users. And app developers also need to focus on ensuring their apps are capable of running on the updated operating systems.