Approov and Osterman Research today issued “The State of Mobile App Security in 2022”. Key findings include:
- 75% of companies say mobile apps are now “essential” or “absolutely core” to their success, up from 25% two years ago.
- 75% Would Face Substantial Consequences from a Successful Attack on Their Mobile App: an attack against APIs that rendered a mobile app non-functional would have a significant effect on 45% of businesses and a major impact on a further 30%.
- 78% Have Low Confidence in Mitigation Against Specific Threats: 78% of respondents are not highly confident that their organizations have the appropriate level of security defenses and protections in place to protect against the specific threats posed by mobile apps.
- Poor Visibility into Security Threats Against Mobile Apps:
  - 60% lack visibility into credit fraud attempts
  - 59% lack visibility into the creation of fake accounts
  - 56% lack visibility into data stolen from APIs by scripts
  - 54% cannot detect the use of stolen API keys to mimic genuine requests
  - 53% lack visibility into credential stuffing attacks
  - 51% lack visibility into secrets exposed on mobile platforms
  - 50% cannot detect access by cloned, fake or tampered apps
- Third-Party APIs Create Pathways for Threat Actors:
  - On average, mobile apps depend on more than 30 third-party APIs, and half of the mobile developers surveyed are still storing API keys in the app code – a massive attack surface for bad actors to exploit.
  - 42% of organizations don’t require third-party developers to attest to following required standards, and 38% do not pen test the security of third-party code.
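The "API keys stored in the app code" finding is the one a practitioner can check for directly: anything compiled into an APK or IPA is readable by whoever downloads it. As an added illustration that is not part of the report or of this article, the Python below runs the kind of check a reviewer (or an attacker) would run over a decompiled app or a `strings` dump: known vendor key prefixes, credential-looking assignments in decompiled source, and a Shannon-entropy fallback for random-looking tokens with no recognisable prefix. The input is a constructed dump (the `AKIA...EXAMPLE` value is AWS's documented placeholder key; every other value is invented), and the rule names and the 4.0 bits/char threshold are this example's own choices, not anything the report specifies.

```python
import math
import re

# Constructed sample of what `strings` plus a quick decompile of a mobile app
# might yield. Every value is made up for this example (the AKIA one is the
# placeholder AWS uses in its own docs); none comes from the report.
SAMPLE_APP_DUMP = """\
com/example/shop/net/ApiClient
https://api.example.com/v1/orders
String apiKey = "AKIAIOSFODNN7EXAMPLE";
private static final String STRIPE = "sk_live_Fake0000000000000000Demo";
AIzaSyDemoKeyNotRealFakeFakeFakeFakeF12
Content-Type
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
q7Zp3mX9vLk2RtYw8HgN5cBd0JfS4eUa
password = "hunter2"
onCreate
"""

# Known vendor prefixes: cheap to check and rarely false positives.
VENDOR_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_secret_key": re.compile(r"\bsk_live_[0-9a-zA-Z]{24}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
}

# Generic: an identifier that smells like a credential, assigned a quoted
# literal, as it appears in decompiled source. Catches keys with no known prefix.
ASSIGNMENT_PATTERN = re.compile(
    r"(?i)\b(api[_-]?key|secret|token|password)\w*\s*=\s*[\"']([^\"']{6,})[\"']"
)

# Fallback: long bare tokens in a key-like alphabet, judged by entropy so that
# class names, paths and padding strings are not reported.
TOKEN_PATTERN = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumption for this example


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or one-symbol string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_for_secrets(text: str):
    """Return [(rule, value), ...] for every suspected embedded credential in text.

    Rules fire in order of confidence: vendor prefix, then assignment context,
    then entropy. Each value is reported once, under the first rule that caught it.
    """
    findings = []
    seen = set()

    def report(rule, value):
        if value not in seen:
            seen.add(value)
            findings.append((rule, value))

    for line in text.splitlines():
        for rule, pat in VENDOR_PATTERNS.items():
            for m in pat.finditer(line):
                report(rule, m.group(0))
        for m in ASSIGNMENT_PATTERN.finditer(line):
            report("credential_assignment", m.group(2))
        for m in TOKEN_PATTERN.finditer(line):
            token = m.group(0)
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                report("high_entropy_token", token)
    return findings


if __name__ == "__main__":
    for rule, value in scan_for_secrets(SAMPLE_APP_DUMP):
        print(f"{rule:22s} {value}")
```

Run against the constructed dump, the scanner reports the three vendor keys, the random-looking 32-character token, and the `password` assignment, while leaving the class path, the URL and the 30-character run of `a` alone: the entropy fallback is what keeps ordinary app strings out of the report. Finding keys this way is the cheap half of the problem; the same scan is what an attacker runs against a downloaded app. The fix the finding implies is architectural: keys that authorize anything valuable stay on a backend the app talks to, and the client holds only short-lived tokens, so a harvested string buys little.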
Aimei Wei, CTO and Cofounder of Stellar Cyber, had this comment:
“Mobile apps are certainly a rapidly growing attack surface. Mobile app developers need to follow practices such as not hard-coding secrets and storing API keys in a secure place. It will help to reduce the attack surface. On the other hand, having visibility of runtime threats against mobile apps and APIs is critical; having a detection and response system that can provide visibility and detect attacks in real time will help to provide the overall coverage and fill the gap.”
Edward Roberts, VP of Marketing at Neosec, added this:
“APIs are a very important part of mobile apps and their adoption is widespread. But APIs in mobile apps are focused on business-to-consumer API behavior and usage. There is another large attack surface of business-to-business APIs that connect commerce globally, which are unfortunately largely unprotected. The vulnerabilities and potential abuse of these B2B APIs are increasingly concerning to security professionals worried about the risk exposure of their organization.”
Hopefully mobile app developers get the message and improve their code so that their apps are not the weak point. That helps them, and it helps the rest of us.