Get Ahead of These Four Mobile App Security Trends in 2023
This blog explores:
- While mobile app security is being prioritized more than before, the industry is still in the early stages of shifting in the right direction.
- Due to the ongoing discovery of new vulnerabilities, we’ll continue to see greater advocacy for mobile app sec best practices and new security solutions on the market. Developers should thoroughly vet these solutions to ensure they offer robust protections and are developer-friendly.
- Regular mobile app security testing is the most effective way to achieve the level of visibility needed to shift your security strategy from reactive to proactive.
It’s time to look ahead at 2023 mobile app security trends so we can hit the ground running. What should developers and security professionals prepare for in the coming year?
Let’s start by taking a quick look back. While recognition of the importance of mobile app security grew in 2022, the industry is still in the early stages of shifting toward best practices. We continue to see too many cases in which security is deprioritized, pushed to the end of the software development lifecycle, or left entirely to the device’s operating system.
We can see the results of this approach in the steady stream of vulnerability disclosures being brought to light. For example, a recent study of 150 mobile finance apps found at least one critical security vulnerability in 84% of the Android and 70% of the iOS applications tested.
To mitigate risk, developers will need to take a more active role in mobile application security in 2023. We have compiled the four mobile app security trends we predict will have a significant impact on the mobile app industry and some tips for how you can get ahead of them.
Prediction #1 - New mobile application vulnerabilities will be uncovered
Widespread security vulnerabilities have been found in many mobile apps currently on the market, proving (once again) that the operating system’s standard security measures aren’t as comprehensive as one might hope. Platform controls protect the device and isolate apps from one another; they do not find flaws in an app’s own code, resources, or configuration.
There’s no better example of this than the 1800+ publicly available apps that were found to contain hard-coded AWS credentials. These access tokens granted entry to AWS cloud services and Amazon Simple Storage Service (S3) buckets, a flaw that neither iOS nor Android can detect or resolve: a credential compiled into an app’s code or packaged in its resources is just another string as far as the platform is concerned, and anyone who downloads the app can extract it. As a result, one company exposed more than 15,000 customers’ corporate and financial records, employees’ personal data, and intranet files.
These AWS access tokens weren’t the first of such discoveries, and unfortunately, they won’t be the last. As awareness around mobile app security spreads, researchers will uncover more (and likely more sophisticated) mobile security vulnerabilities in the coming year.
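The check implied by the finding above is one you can run yourself before a researcher does. The following script is an added example written for this post; it is not code from the original article and not Guardsquare’s or AppSweep’s scanner. It walks an unpacked app (for example the output of `unzip app.apk -d out/` or `apktool d app.apk`, or an extracted .ipa), flags every AWS access key ID, and pairs each with a nearby 40-character string that looks like a secret access key, using a Shannon-entropy cutoff to discard hex digests that would otherwise match. All function names, the 400-byte context window and the 4.0 bits/char threshold are choices made for this example, and the key ID and secret in the constructed sample are the placeholder values from AWS’s own documentation, not live credentials.

```python
"""Scan the unpacked contents of a mobile app for hard-coded AWS credentials.

Added example (not Guardsquare's or AppSweep's code). Usage:
    python aws_cred_scan.py out/      # out/ = unpacked APK or IPA
With no argument it runs over the constructed SAMPLE_FILES below.
Exits non-zero when anything is found so it can gate a CI build.
"""
import math
import re
import sys
from pathlib import Path

# Long-term (AKIA) and temporary (ASIA) access key IDs: 4-char prefix + 16 uppercase alnum.
ACCESS_KEY_RE = re.compile(rb"(?<![A-Z0-9])((?:AKIA|ASIA)[0-9A-Z]{16})(?![A-Z0-9])")
# Secret access keys are 40 characters from the base64 alphabet (no '=' padding).
# On its own this pattern also matches every SHA-1 hex digest, so candidates are filtered below.
SECRET_KEY_RE = re.compile(rb"(?<![A-Za-z0-9/+])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")
CONTEXT_BYTES = 400  # assumption: how far around a key ID to look for its secret


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the string. A 40-char hex digest can reach at most ~3.97."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_secret(candidate: bytes) -> bool:
    # Heuristic: hex strings max out below 4.0 bits/char; random 64-symbol secrets sit above it.
    return shannon_entropy(candidate) > 4.0


def find_aws_credentials(data: bytes) -> list:
    """Return [(access_key_id, secret_or_None), ...] found in one file's bytes."""
    findings = []
    for m in ACCESS_KEY_RE.finditer(data):
        key_id = m.group(1)
        lo = max(0, m.start() - CONTEXT_BYTES)
        hi = min(len(data), m.end() + CONTEXT_BYTES)
        secret = None
        for s in SECRET_KEY_RE.finditer(data[lo:hi]):
            if looks_like_secret(s.group(1)):
                secret = s.group(1)
                break
        findings.append((key_id.decode(), secret.decode() if secret else None))
    return findings


def scan_files(files: dict) -> dict:
    """files: {relative_path: bytes}. Returns {path: findings} for files with at least one hit."""
    report = {}
    for path, data in files.items():
        hits = find_aws_credentials(data)
        if hits:
            report[path] = hits
    return report


def scan_tree(root: Path) -> dict:
    """Read every regular file under root (an unpacked APK/IPA) and scan it."""
    files = {str(p.relative_to(root)): p.read_bytes() for p in root.rglob("*") if p.is_file()}
    return scan_files(files)


# Constructed sample input resembling an unpacked APK. The key ID and secret are the
# placeholder values from AWS documentation; the hex string is SHA-1 of the empty string.
SAMPLE_FILES = {
    "res/values/strings.xml": (
        b'<resources>\n<string name="s3_bucket">customer-exports</string>\n'
        b'<string name="aws_key">AKIAIOSFODNN7EXAMPLE</string>\n</resources>\n'
    ),
    "assets/config.properties": (
        b"build.sha1=da39a3ee5e6b4b0d3255bfef95601890afd80709\n"
        b"aws.accessKeyId=AKIAIOSFODNN7EXAMPLE\n"
        b"aws.secretKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "assets/checksums.txt": b"libcrypto.so da39a3ee5e6b4b0d3255bfef95601890afd80709\n",
}

if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    report = scan_tree(target) if target else scan_files(SAMPLE_FILES)
    for path, hits in report.items():
        for key_id, secret in hits:
            suffix = f" with secret {secret[:4]}..." if secret else " (no secret nearby)"
            print(f"{path}: access key {key_id}{suffix}")
    sys.exit(1 if report else 0)
```

Against the sample, `strings.xml` reports the key ID alone (no secret nearby) while `config.properties` reports the pair; the SHA-1 digest that precedes the secret is rejected by the entropy check even though it matches the 40-character pattern. Wire `scan_tree` into the build so the pipeline fails when the report is non-empty, and remember that a key ID without a secret is still a finding: the secret may simply live in a different file or be assembled at runtime.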
Prediction #2 - Developers will stop relying on rooted and jailbroken device detection
In the past, developers relied heavily on jailbreak and root detection to flag a potential threat and trigger an app’s defenses. While this is still common practice, there are three primary reasons we recommend focusing on more robust techniques:
- Some people use a rooted or jailbroken device for non-malicious reasons. Automatically triggering security responses, like crashing or locking them out of the app, can negatively impact their user experience.
- Reverse engineers continue to develop increasingly sophisticated evasion techniques, such as hooking or patching the detection code itself, making it easier for threat actors to bypass jailbreak/root detection.
- New exploits that sidestep platform restrictions will continue to emerge. For example, the iOS tool Trollstore lets users install modded apps without jailbreaking or rooting their device, so a device that passes a jailbreak check can still be running a tampered copy of your app.
In 2023, developers should seek mobile app security solutions that go beyond jailbreak/root detection. Instead, focus on those that have the ability to detect advanced threats and provide multiple layers of robust mobile app protection.
Prediction #3 - Advocacy for mobile app security best practices will continue to build
Because new mobile application vulnerabilities keep surfacing and inadequate security mechanisms, like the ones mentioned above, are becoming better understood, we’ll continue to see greater advocacy for mobile app security best practices next year.
Recently, Google and the App Defense Alliance began promoting the mobile security resources of OWASP, the organization that maintains free guidance on mobile application security best practices. OWASP also refactored its Mobile Application Security Verification Standard (MASVS), emphasizing the importance of integrating security testing throughout the entire development process.
With these big players joining forces, we predict a new wave of interest in the adoption of OWASP standards, as well as a greater push for certification or other attestation of testing for mobile applications.
Prediction #4 - Developers will need to assess new mobile app protection solutions carefully
Because of the building momentum around mobile app security, we can also expect to see more mobile application protection solutions on the market, many of which will claim to make security “instant” or “easy.” While these newer entrants may let you check security off your development checklist, few ultimately provide the level of protection required to prevent reverse engineering and tampering.
Developers and security professionals will need to assess solutions carefully, ensuring the protections are robust enough for the threat model they are defending against. For example, it’s important to understand the trade-off between wrapper-based mobile app protection, which is sometimes cheaper and easier to apply because it works on the finished binary, and compiler-based protection, which offers more dynamic, layered protection.
We recommend prioritizing solutions that offer comprehensive and layered mobile app protection, like Guardsquare’s protection solutions iXGuard (iOS) and DexGuard (Android).
What you should take from these mobile app security trends
All of these predictions add up to one thing: development and security teams who prioritize security throughout the development process will be ahead of the curve in 2023.
To shift from reacting to threats to proactively preventing them, developers need visibility into potential vulnerabilities. This is most effectively achieved by integrating security testing earlier in the software development lifecycle. By scanning a mobile app early and often, developers can detect and address vulnerabilities in real time, rather than facing a long, complex list generated by an annual pen test, or worse, an active breach exposing sensitive data or a modded version of the app making its way onto the market.
Tools like Guardsquare’s dev-friendly AppSweep integrate seamlessly into current workflows, empowering developers to automate mobile app security testing. In addition to quick and thorough scans, AppSweep also provides developer-focused and actionable feedback to inform next steps.
To get a head start on these 2023 mobile app security trends, check out Mobile App Security IS Cybersecurity for security best practices and other tips.