We Know Why 85% of Mobile Apps Suck in Security. Do You?
If you are using a mobile app, you are screwed!
Let’s consider the following facts. 68% of enterprises  have reported mobile breaches which cost them $50 billion every year.
In other findings from Arxan ,
- 5% of popular apps that contain professional anti-hacking tools.
- More than 90% of top paid mobile apps have been hacked including 92% and 100% of Top 100 paid apps for Apple iOS and Android
- 40% and 80% of popular free Apple iOS and Android apps were found to have been hacked.
The above statistics means that 9 out of 10 apps on your smartphones and tablets can be hacked, and almost every popular app has already been hacked.
Don’t you think it is a bit absurd when you ask yourself this question: “Do I live in a house without a lock on its front door?”  Mobile app security is like the lock for your mobile app. You don't leave security decision about your house to your builders, so why are you doing that with your mobile apps?
Something is fundamentally wrong.
We’ve seen things you wouldn't believe.
In just the past 12 months, we’ve come across 100 mobile app projects at different phases: initial analysis, development, testing, deployment and after go-live. We’ve had conversations with more than 300 professionals active in the enterprise mobility space. From the enterprise side, we’ve talked to C-level executives, security officers, mobile directors/managers. We’ve also met founders, app developers, project and account managers from third-party development agencies.
We observed, asked questions, and uncovered the underlying problem that caused the current miserable state of mobile application security. Despite the fact that mobile breaches have cost enterprises a fortune, mobile, or to be precise mobile application, security still sucks.
The answer doesn’t lie in technology but in us.
Who shows up at your mobile app project?
A typical mobile app project consists of 3 different kinds of people: 1) mobile app owner; 2) software developers, UX designers, IT architects; and 3) security officers.
A mobile app owner is a non-technical person in charge of the direction of the project and the delivery of the app. S/He’s responsible for the business case, the budget, stakeholder management and not the low-level technical details.
Software developers, UX designers, IT architects are usually employed by the third-party mobile app development agency. Mobile app development agencies either have no security experts or have just lost their only one. Security experts are quite expensive.
App development agencies spend their resources and time on perfecting the look and feel of the mobile app; after all, that’s what they’re paid for.
And do you know why? Our digital generation is asking for, no, demanding it.
User experience determines the acceptance, thus the success of a mobile app.
The last group of people are security officers who are responsible for the overall information security within the enterprise. They are busy because there are few of them compared to other roles in the company. If they are not busy, something is wrong. Security officers are not invited to every business or technical meetings for reasons we’ll get into later.
In every Hollywood blockbuster, there is a hero who does superheroic things to save the day. The person who spearheads a mobile project, delivers a cool app or guides his enterprise through a digital transformation is seen as the hero. On the contrary, security officers are villains who cause trouble and make life difficult for the hero.
There are holes in your assumption
The mobile business owner thinks that the responsibility for application security rests with the developers and implicitly assumes that it will be completed during the course of the project.
Application developers, confident with their knowledge and skills, believe that they have "security solved," which often translates to a "good enough" approach based on their judgment. 
It is important to understand that application developers are not security experts. Their primary skill set is frontend coding and maximizing the User Experience (UX). They are trained to ensure the application contains required features and business functionalities. They are focused on the User Interface (UI) to make their application easy to interact with and beautiful to look at, and not so much concerned with security side meaning their judgments about what is appropriate in terms of security is far off course.
The average talk time at developers' conferences about security topics is only 3%. The status quo of this digital generation is that a mobile app has to be beautiful. Secure? Not so much.
This belief puts enterprises and their app users at risk.
Security officers have a completely different view on this topic, but unfortunately, they have very little power over the project, and often arrive at the scene too late.
They are firefighters, but from the project perspective, they are the saboteurs who derail the project with their “hypothetical” questions and construct barriers to prevent a mobile app from being released to production.
Application security obviously takes a backseat; if it even makes it to the backseat to join the ride.
This is a recipe for catastrophe
When the mobile app is finally completed and launched, the time bomb starts ticking.
Counting down to the day it will get hacked.
We live in a time of not IF but WHEN you will be hacked.
The invoices are paid and the developers are gone. The responsibility to operate the app now solely lies on the shoulders of the mobile app owner.
When a cyber breach happens, attackers encounter only “good enough” security implementation – assuming that average security survived throughout the project phase – from the people who don’t understand application security and didn’t get paid to do it.
The barrier is only green grass
There is no barrier for hackers who spend years or even their whole life living in the virtual world, looking for loopholes and weak points to exploit. We’re talking about an uneven chess game between a grand master and a weekend hobbyist. And the hobbyist is not PRESENT at the chessboard when the final check-mate is declared.
An industry average response time to a cyber breach can take up to more than 250 days. 
That goes to show how well we play chess. We only realize that we lost the game more than half a year later.
In 2015, we lost more than $50 billion  globally playing this game and this number will only increase.
A billion dollar question
There is a big opportunity and a huge prize for those who crack this problem and challenge responsible people to do the right thing and lead us on this digital journey not only through the grand user experience but also with a sense of safety and security in mind.
It won’t be easy, but it’s a step we have to take.
The digital world can be safe. We’ve built a safe physical world, so we can build a safe digital world too.
If you’d like to get a true assessment of the security of your mobile application and its backend, please check out our Mobile App Security Audit service. Alternatively, request a FREE Demo to know how we can assist you with the security of your mobile solutions.
Data anonymization tool for GDPRMore information
You Might Be Interested in Reading These Articles
As technology continues to advance, cars are increasingly becoming integrated into our mobile devices. Automotive brands are now releasing mobile apps, allowing users to connect their music streaming services, social networks, and search engines into the car’s system. One app that I’d like to highlight is NissanConnect, a mobile application from Nissan.
Published on May 28, 2015
The security of connected applications, IoT, or mobile platforms, is based not only on secure development, but also on widespread knowledge about info security. Every user should have minimum knowledge about security. Every public tender should demand security of the final product or service.
Published on September 15, 2015
TalkTalk, one of the largest providers of broadband and phone service in the UK, has recently admitted to being the victim of a large cyberattack. For those in the United States or in another country where TalkTalk’s influence isn’t as widespread, it could be considered on the same level as a Verizon or an AT&T data breach.
Published on November 10, 2015