A new report from Osterman Research documents the increasing dependency of enterprises on their mobile apps and reveals a glaring disconnect between the strategic importance of apps and the focus and resources devoted to protecting enterprise apps from runtime threats.
“Mobile apps are key channels through which businesses serve their customers, and their importance to organizations has tripled in the last two years. Our research shows that while enterprise app development and deployment is among a company’s top priorities, unfortunately the app’s runtime security, its API secrets, and the user data it collects don’t receive a similarly high priority and budget. These results raise serious questions considering so many recent security breaches have exposed the risk of stolen keys and secrets being exploited by threat actors,” said Michael Sampson, senior analyst, Osterman Research.
Osterman Research surveyed 302 security directors and mobile application developers in the US and UK. 48 percent of respondents work in companies with up to 500 employees, 42 percent in companies with 501 to 4,999 employees and 10 percent in companies with more than 5,000 employees.
Mobile apps are becoming increasingly important for business success
The importance of mobile apps to business success has tripled in the last two years. Three in four respondents say mobile apps are now “essential” or “absolutely central” to their success, up from one in four two years ago.
Three out of four companies would face significant consequences if their mobile app were successfully attacked
An attack on APIs that renders a mobile app inoperable would have a significant impact on 45 percent of organizations, and a further 30 percent also report that it would have a significant impact.
Low confidence in defending against specific threats
78 percent of respondents are not very confident that their organizations have the appropriate level of security measures and protections in place to protect against specific mobile app threats.
Poor visibility into mobile app security threats
60 percent of respondents lack visibility into loan fraud attempts, 59 percent lack visibility into fake account creation, and 54 percent cannot detect the use of stolen API keys to mimic genuine requests. Additionally, 53 percent have no visibility into credential stuffing attacks, 51 percent have no visibility into secrets exposed on mobile platforms, and 50 percent cannot detect access by cloned, fake, or crafted apps.
Third-party APIs create avenues for threat actors
On average, mobile apps depend on more than 30 third-party APIs, and half of the mobile developers surveyed still store API keys in app code, presenting a massive attack surface for attackers. Third-party API threats against mobile apps are not as well understood by businesses as they need to be. At 42 percent of companies, third-party developers are not required to confirm compliance with the required standards; 38 percent of companies do not perform penetration testing to assess the security of third-party code; and 35 percent of companies do not audit the security of the third-party APIs built into their mobile apps.
Although mobile apps in production are vulnerable to threats that are not mitigated during development, runtime threats are still given lower priority and funding
The report finds that despite the recognition that protecting mobile apps and APIs at runtime is an ongoing requirement, spend is still shifting left and respondents say their organizations place secure development practices at the forefront.
David Stewart, CEO of Approov, said: “This study reflects the overarching fact that while mobile apps are an increasingly critical channel for commerce and communication, investment in runtime protection of apps and APIs continues to take a backseat. In addition, bad practices continue unabated, such as storing hard-coded keys in a mobile app or device, exposing app secrets to increasingly sophisticated threat actors.
“With mobile apps and APIs increasingly becoming the lifeblood of businesses, practices and resource allocation against runtime threats need to be reconsidered – and fast – before another wave of major mobile app security breaches damages both businesses and their customers and subjects them to the continuous losses that inevitably follow.”