Visibility into runtime threats against mobile apps and APIs still lacking

A new report from Osterman Research codifies the increasing dependence of businesses upon their mobile apps, and reveals a jarring disconnect between the strategic importance of apps versus the level of focus and resources applied to protect organizational apps against runtime threats.

“Mobile apps are key channels through which businesses serve their customers, and their importance to organizations has tripled in the last two years. Our research reveals that while enterprise app development and deployment are among an organization’s highest priorities, unfortunately, the runtime security of the app, its API secrets and the user data collected do not receive similarly high prioritization and budget. These findings raise serious questions, given that so many recent breaches have highlighted the risk of stolen keys and secrets being exploited by threat actors,” said Michael Sampson, Senior Analyst, Osterman Research.

Osterman Research surveyed 302 security directors and mobile application development professionals in the US and UK. Forty-eight percent of respondents are in companies of up to 500 employees, 42 percent are in companies of 501 to 4,999 employees, and 10 percent are in companies of more than 5,000 employees.

Mobile apps are increasingly important to business success

The importance of mobile apps to business success has tripled over the past two years. Three out of four respondents indicate mobile apps are now “essential” or “absolutely core” to their success, up from one out of four two years ago.

Three out of four organizations would face substantial consequences from a successful attack on their mobile app

An attack against APIs that rendered a mobile app non-functional would have a significant effect on 45 percent of businesses and a major impact on an additional 30 percent.

Low confidence in mitigation against specific threats

Seventy-eight percent of respondents are not highly confident that their organizations have the appropriate level of security defenses and protections in place to protect against specific threats posed by mobile apps.

Poor visibility into security threats against mobile apps

Sixty percent of respondents lack visibility into credit fraud attempts, 59 percent lack visibility into the creation of fake accounts, and 54 percent cannot detect the use of stolen API keys being used to mimic genuine requests. Moreover, 53 percent lack visibility into credential stuffing attacks, 51 percent lack visibility into secrets exposed on mobile platforms, and 50 percent cannot detect access by cloned, fake or tampered apps.

Third-party APIs create pathways for threat actors

On average, mobile apps depend on more than 30 third-party APIs, and half of the mobile developers surveyed are still storing API keys in the app code, constituting a massive attack surface for bad actors to exploit. Third-party API threats against mobile apps aren’t as well understood by companies as they need to be. Third-party developers are not required to attest to following required standards at 42 percent of organizations, penetration testing is not conducted to evaluate the security of third-party code (at 38 percent of organizations), and the security of third-party APIs integrated into mobile apps is not vetted at 35 percent of organizations.

Although mobile apps in production are vulnerable to threats unmitigated during development, runtime threats nevertheless receive lower priority and funding

The report finds that despite the recognition that protecting mobile apps and APIs at runtime is an enduring requirement, spending is still skewed towards shift left and respondents indicate their organizations place the highest priority on secure development practices.

David Stewart, CEO of Approov, said: “This research reflects the overarching fact that although mobile apps are an increasingly critical conduit for both commerce and communications, investment in runtime protection of apps and APIs continues to take a back seat. Moreover, poor practices continue unabated, such as the storing of hard-coded keys in a mobile app or device, which exposes app secrets to increasingly clever threat actors.

“Given that mobile apps and APIs are increasingly the lifeblood of organizations, the practices and resource allocation towards runtime threats must be reconsidered – and quickly – before yet another wave of major mobile app breaches exposes both organizations and their customers to the damage and continual loss that inevitably result.”