
The State of Mobile App Security in 2022? Shaky at Best

Jul 15, 2022 | App Modernization, Cloud, Data, Mobile, Privacy, Security, Social Media

SOURCE: Approov

New Findings From Approov and Osterman Research Reveal Inadequate Investments in Runtime App Security and Data Protection.

“The State of Mobile App Security in 2022,” a succinct report from Approov and Osterman Research, uncovers an alarming array of security problems in mobile apps and mobile app APIs.

The report makes clear that mobile apps are now “essential” or “absolutely core” to the success of most businesses, and a substantial majority of organizations would suffer costly consequences should an attack succeed. Nonetheless, most mobile apps driving business and customer interactions are not sufficiently protected against runtime attacks on the apps and their APIs.

Michael Sampson, Senior Analyst, Osterman Research, said: “Mobile apps are key channels through which businesses serve their customers, and their importance to organizations has tripled in the last two years. Our research reveals that while enterprise app development and deployment are among an organization’s highest priorities, unfortunately, the runtime security of the app, its API secrets and the user data collected do not receive similarly high prioritization and budget. These findings raise serious questions, given that so many recent breaches have highlighted the risk of stolen keys and secrets being exploited by threat actors.”

The report raises serious concerns:

– 78% of company respondents have low confidence in mitigation against specific threats. They’re not fully confident that their organizations have the appropriate level of security defenses and protections in place to protect against specific threats posed by mobile apps.

– Third-party APIs are used in most mobile apps, aren’t well tested for security, and often provide an attractive onramp for attackers. On average, mobile apps depend on more than 30 third-party APIs, and half of the mobile developers surveyed are still storing API keys in the app code, presenting a massive attack surface for bad actors to exploit.

– Reducing threats resulting from hardcoded API keys is a priority. APIs are the “connective tissue” through which apps access data, execute transactions and perform a host of other functions. About half of mobile business apps store these API keys as hard-coded secrets, and the use of more than 30 third-party APIs per mobile app creates a significant runtime threat space. Fully half of study participants prioritized eliminating the storage of API keys and other hard-coded secrets in mobile apps.

– There’s poor visibility into security threats against mobile apps. More than half of respondents lack visibility into credit fraud attempts, the creation of fake accounts, stolen data, credential stuffing attacks, the use of stolen API keys to mimic legitimate interactions and requests, or the exposure of sensitive secrets.

– Runtime threats receive lower priority and funding. The report finds that although protecting mobile apps and APIs at runtime is an enduring requirement, spending is still skewed towards “shift-left” efforts.

“Although mobile apps are an increasingly critical conduit for both commerce and communications, investment in runtime protection of apps and APIs continues to take a back seat. Moreover, poor practices continue unabated, such as the storing of hard-coded keys in a mobile app or device, which exposes app secrets to increasingly clever threat actors,” said Approov CEO David Stewart. “Given that mobile apps and APIs are increasingly the lifeblood of organizations, the practices and resource allocation towards runtime threats must be reconsidered – and quickly – before yet another wave of major mobile app breaches exposes both organizations and their customers to the damage and continual loss that inevitably result.”

To download “The State of Mobile App Security in 2022” or register for the July 26 webinar with Sampson and Stewart, visit https://approov.io/for/state-of-mobile-app-security-2022/

 

 
