Visibility into runtime threats against mobile apps and APIs is still lacking

A new report from Osterman Research codifies the growing reliance of enterprises on their mobile apps and reveals a jarring disconnect between the strategic importance of those apps and the level of focus and resources applied to protecting them from runtime threats.

“Mobile apps are key channels through which businesses serve their customers, and their importance to organizations has tripled in the past two years. Our research reveals that while developing and deploying enterprise applications are among an organization’s top priorities, unfortunately, the application’s runtime security, its API secrets, and collected user data are not given such a high priority and budget. These findings raise serious questions, given that so many recent breaches have highlighted the risk of stolen keys and secrets being exploited by malicious actors,” said Michael Sampson, principal analyst at Osterman Research.

Osterman Research surveyed 302 security managers and mobile app development professionals in the US and UK. Forty-eight percent of respondents work in companies with up to 500 employees, 42% in companies with 501 to 4,999 employees and 10% in companies with more than 5,000 employees.

Mobile apps are increasingly important to business success

The importance of mobile apps for business success has tripled in the past two years. Three in four respondents say mobile apps are now “essential” or “absolutely essential” to their success, up from one in four two years ago.

Three out of four organizations would face significant consequences in the event of a successful attack on their mobile application

An API attack that renders a mobile application non-functional would have a significant effect on 45% of businesses and a major impact on another 30%.

Low confidence in mitigating specific threats

Seventy-eight percent of respondents are not very confident that their organizations have the appropriate level of security defenses and protections in place to protect against the specific threats posed by mobile apps.

Poor visibility into mobile app security threats

Sixty percent of respondents lack visibility into attempted credit fraud, 59% lack visibility into the creation of fake accounts, and 54% cannot detect the use of stolen API keys used to impersonate genuine requests. Additionally, 53% lack visibility into credential stuffing attacks, 51% lack visibility into exposed secrets on mobile platforms, and 50% cannot detect access by cloned, fake, or tampered applications.

Third-party APIs create pathways for threat actors

On average, mobile apps depend on more than 30 third-party APIs, and half of the mobile developers surveyed still store API keys in app code, providing a massive attack surface for malicious actors to exploit. Third-party API threats against mobile apps are not as well understood by enterprises as they should be: 42% of organizations do not require third-party developers to certify compliance with required standards, 38% do not perform penetration testing to assess the security of third-party code, and 35% do not verify the security of the third-party APIs integrated into their mobile applications.

Although mobile apps in production face threats that are not mitigated during development, runtime threats still receive lower priority and funding

The report finds that despite recognition that protecting mobile apps and APIs at runtime is an enduring requirement, spending is still skewed to the left (toward the development phase), and respondents indicate that their organizations place the highest priority on secure development practices.

David Stewart, CEO of Approov, said: “This research reflects the overriding fact that while mobile applications are an increasingly critical channel for commerce and communications, investment in apps and APIs continues to take a back seat. Additionally, bad practices continue unabated, such as storing hard-coded keys in an app or mobile device, which exposes app secrets to increasingly clever threat actors.

“As mobile apps and APIs are increasingly the lifeblood of organizations, practices and resource allocation to runtime threats need to be reconsidered – and quickly – before another wave of major mobile application breaches exposes both organizations and their customers to the continual damage and loss that inevitably results.”

Casey J. Nelson