Mobile Apps in the Corporate Threat Landscape
'What do you mean its not just a free business app or innocent game!?'

The Growing Threat Hidden in Your Apps

I often discuss mobile apps from a cybersecurity and risk perspective with my clients, friends, family and random people in the street. Mobile apps have become essential for business operations: they offer convenience, boost productivity and enable seamless communication. They also bring significant risk that can compromise a company's security. As mobile app usage continues to rise, understanding the threats these apps pose and how to mitigate them is crucial for protecting your business.

The Ubiquity of Mobile Apps

Mobile apps are ubiquitous. From communication tools and productivity suites to financial services and customer engagement platforms, these apps are vital in modern business. This widespread adoption has also expanded the attack surface, giving attackers numerous entry points into corporate networks: an app holds credentials, session tokens and cached business data on a device the organisation does not fully control, and it talks to backend APIs that are often scrutinised far less than the public website. We have seen on many occasions several layers of countermeasures bypassed through the compromise of a forgotten mobile application.

Why Are Mobile Apps an Afterthought?

While businesses often rigorously test publicly facing applications such as client portals, platforms and other SaaS solutions, mobile apps frequently remain an afterthought. The vulnerabilities inherent in mobile applications are distinct enough that OWASP (the Open Web Application Security Project, now the Open Worldwide Application Security Project) maintains a separate Top Ten list specifically for mobile app security.

OWASP Mobile Top Ten

The OWASP Mobile Top Ten (this is the 2016 edition of the list) highlights the most critical security risks in mobile applications:

  1. Improper Platform Usage: Misuse of platform features (permissions, intents, Keychain/Keystore, biometrics) or failure to use the platform's security controls.
  2. Insecure Data Storage: Storing sensitive data on the device without protection, for example in plaintext files, shared preferences, logs or backups.
  3. Insecure Communication: Poorly secured channels between the app and backend servers, such as cleartext HTTP or TLS with broken certificate validation.
  4. Insecure Authentication: Weak authentication methods that can be easily bypassed.
  5. Insufficient Cryptography: Use of weak algorithms or improper implementation of cryptographic primitives.
  6. Insecure Authorisation: Flaws that allow users to access data or perform actions they should not be able to.
  7. Client Code Quality: Poor coding practices leading to vulnerabilities in the app's own code.
  8. Code Tampering: Lack of protection against runtime or binary modification of the app.
  9. Reverse Engineering: Insufficient obfuscation of code, making it easier for attackers to understand the app and find weaknesses.
  10. Extraneous Functionality: Hidden backdoors, test hooks or debugging functions left in release builds that could be exploited.

The 2024 revision of the list keeps most of these themes, folds code tampering and reverse engineering into a single "insufficient binary protections" category, and adds inadequate supply chain security, inadequate privacy controls and insufficient input/output validation.

Why Conduct a Separate Application Security Test Against Mobile Apps?

Given the distinct risks in the OWASP Mobile Top Ten, separate, specialised testing of mobile applications is essential. Standard web application testing typically sees only the HTTP traffic between the app and its backend; it does not cover what the app stores on the device, how it protects its transport (certificate validation, pinning), how it exposes itself to other apps through platform IPC, how resistant the binary is to tampering and reverse engineering, or how behaviour differs across OS versions and vendor builds. Comprehensive assurance requires dedicated mobile application security testing, with the app exercised on real or emulated devices.

The Cost of Mobile App Breaches

The financial and reputational impact of a mobile app breach can be devastating. According to the Ponemon Institute's Cost of a Data Breach study, the average cost of a data breach in the UK is around £3 million. This includes not only direct financial losses but also costs related to lost business, regulatory fines and reputational damage. Companies like TalkTalk and British Airways have faced large ICO fines and a significant drop in customer trust following data breaches.

Impact on Business Continuity

The risks associated with mobile applications can severely disrupt business operations. Malware infections can cripple devices, leading to downtime and loss of productivity. Data breaches can result in financial losses, legal repercussions, and damage to the company's reputation. Ensuring business continuity requires robust mobile security strategies to prevent and respond to such incidents.

Regulatory and Compliance Considerations

Regulatory frameworks such as GDPR, CCPA and HIPAA impose stringent requirements on data protection and privacy. Additionally, the EU's Digital Operational Resilience Act (DORA) sets out specific requirements for financial entities to ensure operational resilience. Industry frameworks and standards also define specific controls and practices: the CIS Controls (Center for Internet Security) and NIST CSF 2.0* (National Institute of Standards and Technology Cybersecurity Framework 2.0) are voluntary frameworks, ISO 27001 is a certifiable management-system standard, and PCI DSS (Payment Card Industry Data Security Standard) is contractually mandatory for any organisation that stores, processes or transmits cardholder data, which includes mobile apps that take payments.

Non-compliance due to mobile application vulnerabilities can lead to hefty fines and legal challenges. Businesses must ensure that their mobile security practices align with these regulations and standards to avoid penalties and safeguard sensitive information.

* NIST CSF 2.0, like DORA and the CIS Controls, places a strong emphasis on third-party risk management. As regulations, compliance standards and frameworks continue to overlap and converge, all of them are addressing the management of third-party risk, which has become increasingly critical.

The Impact and Importance of DORA for UK Businesses

The Digital Operational Resilience Act (DORA) is an EU regulation, applying from 17 January 2025, that is particularly significant for UK businesses operating within, or supplying, the EU financial markets: it binds EU financial entities and the ICT third-party providers that serve them, wherever those providers are based. DORA aims to ensure that financial entities can withstand and recover from all types of ICT-related disruptions and threats. This includes a focus on stringent cybersecurity practices, risk management protocols and regulatory compliance. For UK businesses, aligning with DORA means implementing robust security measures, ensuring operational continuity, and maintaining trust with stakeholders by demonstrating a commitment to resilience and compliance.

Third-Party Risk Management

Managing third-party risks is crucial as mobile applications often integrate with external services and platforms. Vulnerabilities in third-party software can lead to significant security breaches. Effective third-party risk management involves thorough vetting, continuous monitoring, and regular security assessments of all third-party providers to ensure they adhere to the same stringent security standards as your organisation.

Continuous Monitoring

Continuous monitoring is essential for identifying and responding to security threats in real-time. Implementing robust monitoring systems can help detect unusual activities, potential breaches, and vulnerabilities as they emerge, enabling swift action to mitigate risks. Continuous monitoring also ensures compliance with regulatory requirements and supports the overall security posture of the organisation.

Full Audit Reporting and Evidence-Based Actions

Comprehensive audit reporting and evidence-based actions are critical for maintaining transparency and accountability. Detailed reports on security assessments, incident responses, and compliance audits provide valuable insights into the organisation's security status. These reports enable informed decision-making and help in developing effective Mobile Device Management (MDM) policies that address identified risks and vulnerabilities.

Making Informed Decisions Before Developing MDM Policy

Before developing a Mobile Device Management (MDM) policy, it is essential to gather and analyse data from security assessments, continuous monitoring, and audit reports. This information helps in understanding the specific risks and challenges associated with mobile devices within the organisation. Informed decisions ensure that the MDM policy is comprehensive, addressing all potential security threats and aligning with regulatory requirements.

How Mobstr.io Helps with Regulation and Compliance

Mobstr.io is uniquely positioned to address the specific security needs of mobile applications. By combining automated tools and manual risk-based assessments, Mobstr.io can identify and mitigate vulnerabilities effectively. Our approach ensures thorough testing and robust security measures, tailored to the distinct challenges of mobile apps.

Mobstr.io's Mitigation Strategies:

  • Comprehensive Vulnerability Scanning: Automated tools to detect common vulnerabilities and misconfigurations.
  • Manual Penetration Testing: Expert testers perform in-depth analysis to uncover complex security issues that automated tools might miss.
  • Security Best Practices Implementation: Recommendations and assistance in applying the best security practices specific to mobile applications.
  • Regular Security Audits: Continuous monitoring and periodic audits to ensure ongoing security and compliance.
  • Integration with MDM, Power BI and SIEM: Mobstr.io can integrate with Mobile Device Management (MDM) systems, Power BI for data visualisation, and Security Information and Event Management (SIEM) solutions to provide a comprehensive security framework.

Conclusion

As mobile applications continue to play a critical role in business operations, understanding and mitigating the associated risks is essential. By adopting a proactive approach to mobile security, companies can protect their sensitive data and maintain the integrity of their digital ecosystems. The convenience of mobile applications should not come at the cost of security; with the right measures in place, businesses can enjoy the benefits while safeguarding against potential threats.

Let Us Help You Today

Protecting your organisation in the age of mobile technology requires vigilance, awareness, and a commitment to security best practices. Mobstr.io offers a complimentary assessment of one of your mobile applications to demonstrate its effectiveness. Let us help you safeguard your digital assets and ensure the continuity of your business operations. Contact us today to schedule your complimentary Mobstr assessment.

We would love to help you.

Vin Maguire has been in the cybersecurity and risk sector since the late 90's and is currently the Cybersecurity Lead at Vambrace Cyber Security in Leeds.
