Updated: Feb 12, 2020
By Sam Bakken, Senior Product Marketing Manager, OneSpan
It is no secret that hackers and cybercriminals are targeting the mobile channel more aggressively today than ever before. With the majority of Americans now owning smartphones (81 percent) and using their mobile devices for more transactions, the likelihood of becoming a victim of a financially motivated mobile attack has reached a new high.
Consumers are constantly exchanging large sums of money through mobile apps, and fraudsters are clearly benefitting from this trend. In 2018, consumers spent more than $100 billion on app store downloads, in-app purchases and subscriptions across industries such as banking, retail, hospitality, travel and tourism, to name just a few. Concurrently, mobile malware attacks and mobile account takeovers nearly doubled in that same year.
Unfortunately, part of the challenge surrounding mobile app security is that consumers often wrongly assume that all the apps they download have been thoroughly vetted and deemed secure. In reality, even apps available on the official Apple and Google Play stores can be compromised. Assuming that all available apps are safe can cause otherwise security-conscious consumers to lower their defenses and potentially compromise their own mobile devices.
The second part of the challenge lies on the app development side. Developing a successful mobile app is no easy feat. From a business standpoint, it is imperative to get an app built, tested and published as quickly as possible. However, in the rush to market, aspects of the app’s security can be overlooked or sometimes not even included in the overall development budget. Intentionally or not, organizations sometimes prioritize having a superior, “frictionless” user experience over having the best in-app security built in.
The good news is that mobile app developers no longer need to choose between security and user experience. New mobile app security technologies can enable developers to not only better protect their apps and their users from cybercriminals, but also deliver the frictionless mobile experience that today’s consumers desire – all while significantly reducing development overhead.
Providing a More Secure AND Frictionless Mobile Customer Experience
When a business’ mobile apps are vulnerable or consumers have their devices and personal information compromised due to mobile security weaknesses, the consequences can be devastating to the business and consumer alike. Consumers can become victims of identity theft and other forms of fraud, and businesses can suffer damage to their brand reputation and may face harsh regulatory fines.
Organizations and the mobile developers creating their apps must adopt a comprehensive mobile app security program. Typically, this would consist of building security into design requirements, providing secure code training and resources to developers, performing regular security testing throughout the development life cycle, and periodically conducting penetration testing. But with today’s sophisticated cybersecurity threats, these methods are not enough. Mobile app developers must begin applying client-side security measures such as mobile in-app protection and advanced app shielding/runtime app self-protection technologies, in order to better reduce the risk of fraud, malware, account takeover and other types of attacks in the mobile channel.
Mobile App Shielding
Some organizations may mistakenly trust that the Android or iOS operating systems alone will protect their mobile apps. However, neither of these operating systems will ever be completely secure. Additional layers of security, such as mobile app shielding, must be applied to ensure security.
Mobile app shielding is a collection of technologies integrated into the mobile app’s code to protect it against malicious activity and safeguard sensitive information from cybercriminals, protecting both consumers and the organization. If a user’s device becomes infected with malware, app shielding will detect it and prevent the malicious code from running, enabling mobile apps to protect themselves even in untrusted device environments such as compromised, infected or jailbroken phones. Best of all, this technology is non-intrusive, remaining mostly invisible to users, yet continuously monitoring for any suspicious behavior and only activating when necessary.
In addition to mobile app shielding, businesses must also focus on natively integrating multifactor authentication into their apps. Tools like facial recognition, fingerprint readers and even behavioral biometrics are becoming more commonly used in mobile apps to strengthen security in the mobile channel and help prevent fraud.
Biometric authentication techniques, such as fingerprints and facial recognition technology, are becoming more common in mobile apps. However, behavioral biometrics is one of the most disruptive new technologies in identity management.
Traditional biometrics authenticate users using static biometric markers (e.g. a fingerprint or retina pattern), but behavioral biometrics analyze the way a user interacts with their mobile device – from the way they hold their devices, to finger pressure, swipe patterns, keystroke dynamics and more. Behavioral biometrics compares this information to a previously developed user profile, or “behavior fingerprint,” to continuously authenticate the user throughout their use of the mobile app. It can look at the user’s navigation behavior both within the app and on the device, examining their typical speed of browsing and accuracy of movement. Behavioral biometric data can also be combined with server-side analytics, enabling an organization to draw insights from data collected from different sources, including groups of other users, events and third-party partners.
Because behavioral biometrics are continuously working behind the scenes and do not require any additional actions from the user, they help deliver a strong baseline of security coupled with a completely frictionless user experience. At the same time, there are no privacy concerns because a user’s behavioral data is converted to a mathematical representation within their profile, which is meaningless to criminals.
Any organization that wants to provide strong identity verification and multifactor authentication, in addition to a frictionless user experience, should consider adding behavioral biometrics as part of a multi-layered approach. By performing continuous, real-time analysis in the background, behavioral biometrics ensures a positive mobile experience for legitimate users while detecting and stopping fraudsters.
Gartner recently predicted that by 2022, at least 50 percent of successful attacks against mobile apps could have been prevented using in-app protection. With mobile attacks on the rise, there’s no doubt that organizations and their mobile app developers must implement robust mobile app security programs. Client-side security measures such as mobile app shielding and multifactor authentication technologies can strengthen security in the mobile channel and help prevent fraud. At the same time, these technologies don’t require developers to compromise on user experience in order to provide stronger security, providing the best of both worlds for mobile app developers and consumers alike.
About Sam Bakken
Senior Product Marketing Manager, OneSpan
Sam is Senior Product Marketing Manager responsible for the mobile app security portfolio at OneSpan, a global leader in software for trusted identities, e-signatures and secure transactions. Sam has nearly 10 years of experience in information security. Prior to OneSpan, Sam managed content strategy at mobile app security provider NowSecure and before that led go-to-market strategy for a portfolio of vulnerability management and security testing products and services from Trustwave SpiderLabs.