Mobile app security is a huge blind spot for developer teams – 93% are confident their applications are secure, but 62% reported breaches last year
Despite high levels of security confidence, most organizations face repeated breaches
Organizations are overconfident about their mobile app security practices, according to new research, and it’s putting enterprises and consumers alike at risk.
While 93% of organizations told researchers they were confident in their capabilities, and 97% that they had up-to-date policies outlining mobile app security policies, 62% were breached in the past year, with an average of nine incidents each.
Just over half (52%) fell victim to a malware attack, 45% suffered data breaches or leaks, and 37% experienced unauthorized access to data. The same number suffered credential theft.
Much of the problem derives from pressure to accelerate release cycles, with 74% saying mobile app teams are increasingly pushed on time-to-market. Similarly, 71% of organizations admit this has compromised mobile app security.
“The data is clear, and the perceived trade-off between speed and security is a false choice that is costing organizations,” said Roel Caers, CEO of Guardsquare.
“When developers are under immense pressure to release new features, and security is seen as a roadblock, they are forced to sacrifice protection for time-to-market. This reactive, fire-fighting approach is unsustainable. What’s needed is a proactive, integrated strategy where security is an enabler, not a hindrance.”
Other security challenges included balancing security with app performance, cited by 47%, ensuring compliance (44%) and providing a seamless user experience (42%).
Mobile app security is improving
On the positive side, most respondents reported that they were currently using some core mobile app security capabilities such as data encryption (69%), mobile application security testing (63%) and threat monitoring (59%).
However, the report found low adoption of proactive defenses, with almost 70% of organizations failing to use obfuscation to protect their mobile apps, and 60% lacking Runtime Application Self-Protection (RASP).
This, the study warned, is leaving their apps vulnerable to both static and dynamic analysis. Nearly four-in-ten said they relied entirely on DIY security solutions or OS-level protections.
Meanwhile, the impacts of security incidents extend beyond the average reported cost. More than half of respondents (54%) reported application downtime, with 48% experiencing data leakage and 41% suffering a loss of consumer trust.
Worryingly, 85% of survey respondents agreed that a security incident is often the catalyst for a security purchase, with 58% of respondents citing security incidents, 47% partner or client requirements and 30% a failed penetration test or audit.
Researchers said means far too many organizations are taking action too late.
“As organizations face pressure to develop feature-rich applications that can be easily used from any device, attackers often target vulnerabilities in mobile applications,” said Melinda Marks, practice director, cybersecurity, for Enterprise Strategy Group.
“To stay ahead of threats and attacks, security teams need to take a proactive approach to mobile application security with the right tools."
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- Salesloft Drift hackers had access to company GitHub account for months before attacks
- Jaguar Land Rover u-turns on cyber attack containment claims
- FBI warns 'indiscriminate' Salt Typhoon hacking campaign has hit organizations in more than 80 countries
-
New UK schemes aim to boost number of women in tech – and keep them in the sectorNews The initiative includes work placements and plans to help women return to the workforce after time away
-
Global demand for this one AI role has skyrocketed 283% in the last year aloneNews AI trainers are now among the most sought-after specialists around the world
-
Using AI to generate passwords is a terrible idea, experts warnNews Researchers have warned the use of AI-generated passwords puts users and businesses at risk
-
Researchers called on LastPass, Dashlane, and Bitwarden to up defenses after severe flaws put 60 million users at risk – here’s how each company respondedNews Analysts at ETH Zurich called for cryptographic standard improvements after a host of password managers were found lacking
-
‘They are able to move fast now’: AI is expanding attack surfaces – and hackers are looking to reap the same rewards as enterprises with the technologyNews Potent new malware strains, faster attack times, and the rise of shadow AI are causing havoc
-
Ransomware gangs are using employee monitoring software as a springboard for cyber attacksNews Two attempted attacks aimed to exploit Net Monitor for Employees Professional and SimpleHelp
-
Notepad++ hackers remained undetected and pushed malicious updates for six months – here’s who’s responsible, how they did it, and how to check if you’ve been affectedNews Hackers remained undetected for months and distributed malicious updates to Notepad++ users after breaching the text editor software – here's how to check if you've been affected.
-
CISA’s interim chief uploaded sensitive documents to a public version of ChatGPT – security experts explain why you should never do thatNews The incident at CISA raises yet more concerns about the rise of ‘shadow AI’ and data protection risks
-
Former Google engineer convicted of economic espionage after stealing thousands of secret AI, supercomputing documentsNews Linwei Ding told Chinese investors he could build a world-class supercomputer
-
90% of companies are woefully unprepared for quantum security threats – analysts say they need to get a move onNews Quantum security threats are coming, but a Bain & Company survey shows systems aren't yet in place to prevent widespread chaos
