2018: Mobile App Security Outlook

2017 was an interesting year for mobile app security, including extensive activity around ransomware, cryptocurrencies and mining apps, rootkits and bootkits, and trojans. Beyond mobile, we saw numerous breaches, including the likes of Gmail, DocuSign, Verizon and Equifax. Equifax subsequently pulled its mobile apps post-breach due to finding previously undiscovered vulnerabilities.

So what will 2018 hold? Let’s take a look at a few trends.

There are more smartphones than ever.

The stats aren’t in for Q4 yet, but Q3 2017 saw a 2.7% increase in smartphone shipments, with a total of 373.1 million smartphones shipping in the quarter. More smartphones means more app consumption, and more individuals and end users exposed to application vulnerabilities and malicious activity. We expect to see continued smartphone growth across the world.

With more smartphones in the market, and with that more companies supporting BYOD policies, we see an increased risk if organizations don’t have the appropriate security mechanisms in place.

There are more mobile apps than ever.

According to Statista, there were 3.5 million applications in Google Play as of December 2017. The Apple App Store typically trails Google Play, but a good estimate is around 3 million apps. The number of applications being created, whether they be games, consumer apps, or business apps, does not seem to be slowing down. With massive new trends like Augmented and Virtual Reality, we’re seeing an onslaught of new applications that capitalize on this new tech. Additionally, almost every major brand has an application, and we expect it to be the norm that your brand, whether big or small, has an application.

The ongoing concern with app development is the tradeoff of time-to-market vs. secure development. The security market has to respond to this tradeoff with solutions that simplify and automate the security analysis, ensuring it fits within the DevOps and development lifecycles.

Mobile Payments and Purchases

While mobile payments are remaining relatively flat, they do represent as much as 5% of payments. We don’t expect this to grow exponentially in 2018, but as payment capabilities increase in ease of use, such as being able to make payments from an Apple Watch, we do expect an increase in 2018. In contrast, more and more people are making online purchases from their phones, with Shopify indicating that a whopping 64% of all purchases from the recent Black Friday sale were carried out on a mobile device. With the convenience of shopping from your couch, train, or just about anywhere, we only see this increasing in 2018.

For applications that take payment and personal information, it’s key to ensure that the app is secure and cannot leak data or transfer unencrypted data. With standards like GDPR coming down the pipe, there will be large monetary impacts for organizations that don’t comply.

Cryptocurrencies & Cryptojacking

It’s worth specifically calling out cryptocurrencies separately from mobile payments. 2017 saw a slew of mobile device and app impacts related to cryptocurrencies and the trend of cryptojacking. Cryptojacking is the process of hijacking computing cycles on your device for the purposes of mining cryptocurrency. One of the worst offenders even physically damaged phones as it consumed 100% CPU for extended periods of time.

We see no sign of this trend slowing down. As of this writing, the aggregate cryptocurrency market cap has topped $700 billion, with over 1000 currencies in existence.

Smarthomes and Control Applications

Last on our watchlist of trends are smarthomes and the plethora of hardware and software that is showing up to automate homes. Everything from washing machines to coffee makers is now connected to the internet and represents a threat vector for home networks. In addition to this, each of these devices comes with mobile applications to monitor and control functionality.

We only see this trend accelerating in 2018, and our recommendation is to be watchful of vulnerabilities and exploits that exist in control applications.

Our Recommendations

We may have painted a dark picture; however, it’s not all bad news for 2018. Security vendors (including ourselves) are making great strides in automating security assessments and building them into the secure software development cycle. Additionally, app stores are continuing to embed better security checking so applications are vetted at the source.

This, however, will not catch everything, and we urge organizations to perform security assessments of both third-party apps and applications created in-house.