November 29, 2023

    Top 4 Mobile App Security Trends for 2024

    The year is coming to a close, and now is the perfect time to consider where mobile app security is headed and what Guardsquare recommends mobile app developers and security pros should focus on in 2024.

    At the end of last year, we released our 2023 mobile app security trend predictions, which included the discovery of new mobile application vulnerabilities and greater advocacy for leveraging mobile app security standards like OWASP.

    Mobile app usage continues to grow globally, with users spending an average of 5.5 hours per day on apps in 2022 and many estimates claiming the number will be even higher when 2023 comes to a close. Parallel to this growth is a spike in the discovery of new vulnerabilities, emphasizing the importance of implementing a comprehensive security strategy to protect your mobile app.

    To help organizations address the evolving risks in the threat landscape, we’ve compiled the four mobile app security trends we believe will impact the industry in 2024 — plus tips for getting ahead of them.

    Prediction #1: Developers will face challenges balancing malware protection and user experience

    Over the past several years, there have been many mobile malware attacks and instances of mobile app fraud, particularly in banking. In fact, between January 2022 and February 2023, global mobile finance app fraud amounted to an estimated $2.64 billion. This includes the Xenomorph Android malware targeting banking and crypto apps.

    The threat of mobile malware continues to loom. Many Android apps in particular rely on platform features (e.g., overlays and accessibility services) that introduce technical weaknesses malware can exploit.

    To combat malware and its effects on mobile apps, some security vendors promote simple protection features that claim to prevent malware — usually by blocking the weaknesses exploited by malware. One example of this approach could be preventing accessibility features from running in an app. While this would decrease accessibility feature abuse, it would also, of course, prevent many users with disabilities from using the app. Preventing accessibility features is rarely an option for mobile apps, both because it is unfair to users and because it can lead to legal repercussions. Instead, apps must implement security features that do not interfere with accessibility.

    Another example of blocking potential weaknesses is preventing an app from accessing screen-sharing or screenshot features. While this may block potential threats, it would impact user experience and potentially hinder the customer support process.

    As some developers implement overly broad protections like the ones described above, we anticipate many users will complain about poor app experiences or privacy implications. Ideally, this conflict will open a dialogue between developers and security specialists to find better ways to mitigate these risks.

    We recommend that mobile app developers take the following steps to mitigate the risk of malware affecting their apps:

    • Understand the attack techniques that malware relies on and focus on implementing countermeasures to address that risk.
    • Where possible, implement multiple layers of defense to protect your app.
    • Focus your security efforts on targeting and isolating the sensitive aspects of your application instead of applying unnecessary protections that could negatively impact the overall app’s user experience.
    • Consider server-side threat monitoring as a way to assess the impact of threats, so you can make informed decisions about which countermeasures to implement and evaluate the real risk of malware for your app(s).

    Prediction #2: More app developers will rely on threat data and its insights in guiding mobile app security strategy

    Mobile application protection strategies often rely on client-side reactions, such as crashing the app or degrading its functionality when a threat is detected. However, relying solely on client-side reactions does not provide sufficient information about the reverse engineering and tampering attempts made against your apps. And without that information, it can be challenging to improve your app’s security in each successive build.

    As the benefits of mobile threat monitoring become clearer, more companies will leverage threat data to determine the protection strategies for their application(s).

    Developers should consider shifting some of the reaction strategy server-side, which offers more flexibility to correlate data and dynamically control actions taken. A banking app could, for example, use the data collected to risk-score a user account for fraud purposes or to disable or limit a user account until they have been contacted by a fraud department. This provides a much better user experience.

    We recommend mobile app publishers implement runtime application self-protection (RASP) checks throughout their mobile apps and harness the threat information collected to do the following:

    • Improve your app’s security posture by feeding the information collected from RASP checks into a threat monitoring tool, which can help you identify attack patterns and improve the security protections in the next release of your mobile app.
    • Feed your threat data into a security information and event management system (SIEM) or anti-fraud system and use your organization’s unique risk model to prioritize which server-side countermeasures to implement.
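The server-side correlation described above, as an added example that is not part of the original post or any Guardsquare product: a small JVM Kotlin risk scorer that ingests RASP detections reported by clients, counts each distinct (device, check) signal once inside a time window, adds a bonus when one account reports from several devices, and maps the score to an action such as step-up authentication or limiting the account. The event shape, check names, weights and thresholds are constructed assumptions; a real deployment would take these from the organization’s own risk model.

```kotlin
// Server-side correlation of RASP events into a per-account risk score.
// Added illustration; event shape, weights and thresholds are assumptions.
import java.time.Duration
import java.time.Instant

// One RASP detection reported by a client build (constructed shape).
data class RaspEvent(
    val accountId: String,
    val deviceId: String,
    val check: String,      // e.g. "ROOT", "DEBUGGER", "HOOKING", "TAMPER", "EMULATOR"
    val timestamp: Instant,
)

enum class Action { ALLOW, STEP_UP_AUTH, LIMIT_ACCOUNT }

// Assumed weights per check type; tune against your own fraud data.
private val CHECK_WEIGHTS = mapOf(
    "EMULATOR" to 10,
    "ROOT" to 20,
    "DEBUGGER" to 30,
    "HOOKING" to 50,
    "TAMPER" to 60,
)

class RiskScorer(private val window: Duration = Duration.ofHours(24)) {
    private val events = mutableListOf<RaspEvent>()

    fun ingest(event: RaspEvent) {
        events += event
    }

    // Sum the weights of distinct (device, check) pairs seen within the window,
    // so a check that fires on every launch is counted once, then add a bonus
    // when the same account reports from several devices: a common fraud signal.
    fun score(accountId: String, now: Instant): Int {
        val recent = events.filter {
            it.accountId == accountId && Duration.between(it.timestamp, now) <= window
        }
        val distinctSignals = recent.map { it.deviceId to it.check }.toSet()
        val base = distinctSignals.sumOf { CHECK_WEIGHTS[it.second] ?: 5 }
        val devices = recent.map { it.deviceId }.toSet().size
        val multiDeviceBonus = if (devices > 1) 25 * (devices - 1) else 0
        return base + multiDeviceBonus
    }

    // Thresholds are assumptions; the point is that the decision is made
    // server-side, where it can be changed without shipping a new build.
    fun decide(accountId: String, now: Instant): Action = when (score(accountId, now)) {
        in 0 until 30 -> Action.ALLOW
        in 30 until 80 -> Action.STEP_UP_AUTH
        else -> Action.LIMIT_ACCOUNT
    }
}

fun main() {
    val now = Instant.parse("2023-11-29T12:00:00Z")
    val scorer = RiskScorer()
    // Constructed sample telemetry
    scorer.ingest(RaspEvent("acct-42", "dev-A", "ROOT", now.minus(Duration.ofMinutes(10))))
    scorer.ingest(RaspEvent("acct-42", "dev-A", "ROOT", now.minus(Duration.ofMinutes(5))))   // same signal, counted once
    scorer.ingest(RaspEvent("acct-42", "dev-B", "HOOKING", now.minus(Duration.ofMinutes(2)))) // second device
    scorer.ingest(RaspEvent("acct-7", "dev-C", "EMULATOR", now.minus(Duration.ofDays(3))))    // outside the window
    for (account in listOf("acct-42", "acct-7")) {
        println("$account -> score=${scorer.score(account, now)} action=${scorer.decide(account, now)}")
    }
}
```

The first account has a rooted device and a second device with hooking detected inside the window, so it is limited; the second account’s only event is older than the window and is ignored, so it is allowed. Feeding the same events into a SIEM instead of this in-memory scorer changes only the `ingest` side.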

    Prediction #3: Google will continue efforts to build more trust and security in the Android ecosystem

    We’ve seen Google progressively enhance Android’s OS and APIs in an effort to reduce the risk of abuse. This includes overlay-related protections introduced at API levels 9, 29, and 31. Each provides a different level of security around overlays, with the strongest provided by API level 31, which allows developers to hide and automatically remove non-system overlays.
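How an app can layer the protections those three API levels offer on a single sensitive screen, as an added example that is not code from the original post or from Guardsquare: `filterTouchesWhenObscured` (API level 9) discards touches delivered while another window fully covers the view, `MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED` (API level 29) lets the app drop touches on a sensitive control while the window is partially covered, and `Window.setHideOverlayWindows` (API level 31) hides non-system overlays entirely while the activity is on top. `TransferActivity`, the layout and view ids, and `reportOverlayEvent` are hypothetical names; the three framework calls are real Android APIs.

```kotlin
// Layered overlay protection for one sensitive screen (added illustration).
// TransferActivity, R.layout.activity_transfer, R.id.confirm_transfer and
// reportOverlayEvent are hypothetical; the framework calls are real.
import android.os.Build
import android.os.Bundle
import android.util.Log
import android.view.MotionEvent
import android.widget.Button
import androidx.appcompat.app.AppCompatActivity

class TransferActivity : AppCompatActivity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        setContentView(R.layout.activity_transfer)
        val confirm = findViewById<Button>(R.id.confirm_transfer)

        // API level 9+: the framework discards touches delivered while another
        // window completely covers this view (classic tapjacking).
        confirm.filterTouchesWhenObscured = true

        // API level 29+: the framework also flags touches that arrive while the
        // window is only partially covered; drop those on the sensitive control.
        confirm.setOnTouchListener { _, event ->
            val partiallyObscured = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q &&
                (event.flags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0
            if (partiallyObscured) {
                Log.w(TAG, "Touch on confirm button while partially obscured; ignored")
                reportOverlayEvent("PARTIALLY_OBSCURED")
                true   // consume the event so the click never reaches the button
            } else {
                false  // let normal click handling proceed
            }
        }

        // API level 31+: ask the system to hide non-system overlays while this
        // activity is on top. Requires
        // <uses-permission android:name="android.permission.HIDE_OVERLAY_WINDOWS"/>
        // in the manifest (a normal, install-time permission).
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            window.setHideOverlayWindows(true)
        }
    }

    // Hypothetical hook into the app's threat-reporting channel, so the
    // server-side monitoring in prediction #2 sees overlay attempts too.
    private fun reportOverlayEvent(kind: String) {
        // Send { screen = "transfer", kind, timestamp } to the monitoring backend.
    }

    companion object {
        private const val TAG = "TransferActivity"
    }
}
```

Only the confirm control is hardened, and accessibility services are left untouched, which is the targeted approach prediction #1 argues for; on devices below API level 31 the first two layers still apply, so the protection degrades gracefully rather than failing closed for the whole screen.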

    Even with the release of these APIs, mitigating security threats for mobile applications requires a shared security model. This means that, in addition to taking advantage of Google’s updates, app developers still need to take precautions to protect their applications.

    In the next year, we expect to see continued updates to Android’s OS and additional security measures implemented in the Google Play Store to build greater trust and safety in the ecosystem. In fact, Google already announced a crucial security update for Google Play Protect, which will now offer real-time security scanning to detect emerging threats in apps. Additionally, Google is up-leveling its Data Safety section to offer transparent labeling of apps that have undergone independent security verification against industry standards.

    In the meantime, we recommend that app developers take the following steps to protect their applications:

    • Protect: Implement multiple layers of code hardening and RASP.
    • Test: Utilize multiple analysis techniques to test your app’s code throughout the development process and during runtime.
    • Monitor: Collect and analyze threat data to improve your app’s security with each new build.

    Prediction #4: More vendors will collaborate on and support the OWASP MAS project

    The OWASP MAS project (and the revised MASVS and MASTG) has seen a series of announcements and focused support over the last two years. Up to this point, a small group of contributors has spearheaded the OWASP MAS efforts to revitalize the project.

    In the past year, the security community, commercial organizations, platform providers, governments, and other stakeholders have started to give more input on the work on the MASVS and the MASTG. For example, see the App Defense Alliance’s introduction of the Mobile App Security Assessment (MASA), which allows developers and app publishers to have their apps independently validated against OWASP’s standards.

    With more vendors and experts fueling the MAS project, their efforts will gain momentum, exposure, and ultimately more value — leading to greater adoption of the mobile app security standards.

    We recommend that app developers consider MASVS and MASTG valuable resources for developing a mobile app security strategy. This should include using security tools that align with OWASP MASVS security recommendations, such as:

    Executive Summary (TL;DR)
    • The end of 2023 is the perfect time to consider where mobile app security is headed in the next year and what developers and security professionals should take into account in 2024.
    • Guardsquare predicts the next year will bring increased focus on malware protection in mobile apps, more reliance on threat data, improvements to Android security, and increased support of the OWASP MAS project.
    • We recommend that mobile app developers and security specialists continue to focus on mobile app protection, testing, and monitoring in 2024, alongside OWASP’s mobile app security standards to stay ahead of changes in the threat landscape.

    Guardsquare
