The digital landscape is exploding with mobile apps as they become an essential element for businesses to meet consumer expectations, with the Apple Store now offering 1.96 million apps and the Google Play store boasting 2.87 million apps. On top of this, a whopping 148.2 billion mobile, desktop, and web apps were downloaded in 2023. More than 52,000 new apps were released on Google Play in February 2024 alone. This surge in accessibility presents a growing security concern; the likelihood of an app being attacked over a 4-week period rose from 57% in 2023 to 65% in 2024 (Digital.ai 2024 Application Security Threat Report). 

Take the analogy offered in “The Dark Knight.” When the Joker enters the bank to commit his heist, he is met with several obstacles: the people in the lobby, the security guards behind the counter, the door to the safe room, the act of locating the safe, and the act of finding the combination to the safe – all before the police arrive. But imagine if the safe were already in the Joker’s hands, and he had unlimited time to crack the code without the distraction of security guards or pesky police – that’s what it’s like trying to protect client-side applications today.

Client-side apps, by nature, contain blueprints that break down how to access guarded and proprietary information, and these apps live in the hands of the public – a public that includes threat actors seeking to exploit vulnerabilities. The democratization of open-source tools like Frida and Ghidra also makes it easier for threat actors to reverse engineer apps. With tools like these growing increasingly sophisticated and popular, application inspection and malware creation become even simpler. Code obfuscation, along with other embedded security measures, can create obstacles that stop threat actors from “finding the combination”.

Obfuscating the Blueprints: How Enterprises Should Be Securing Apps in the Wild

The situation created by client-facing apps demands a proactive approach. Embedding security throughout the development process, gaining real-time visibility into at-risk apps, and implementing automated threat responses are crucial first steps. However, for tangible results, enterprises should consider these specific security guards: 

- Unsafe environment guards: These verify that the app runs on a secure platform, preventing exploitation through rooted/jailbroken devices, emulators, or malicious apps. Data from the Digital.ai 2024 Application Security Threat Report show that well over half of all mobile apps are run in unsafe environments.

- Application integrity guards: These ensure the app’s code and resources haven’t been tampered with, safeguarding against potential modifications. Android apps had an 84% likelihood of suffering attacks on app integrity in 2024, and iOS apps had a 29% likelihood.

- Instrumentation detection guards: These identify attempts to debug the app or manipulate it with tools like Frida, effectively stopping such attacks in their tracks.

- Obfuscation guards: These further enhance security by making the app’s code more difficult to understand and exploit.
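An illustration of the application integrity guard described above, written as an added example rather than code from the report or from any Digital.ai product: a release-time hash manifest of the bundled resources and a runtime check that reports modified, removed and injected files. The file names and contents are constructed, and the manifest is assumed to be protected separately (signed, or pinned in verified code), since an unprotected manifest can simply be rewritten alongside the file it covers.

```python
import hashlib
from typing import Dict, List

# Constructed sample: the resources shipped inside a client-side app bundle.
RELEASE_FILES: Dict[str, bytes] = {
    "classes.dex": b"dex\n035\x00original bytecode",
    "res/config.json": b'{"api": "https://api.example.invalid", "pinning": true}',
    "lib/libcore.so": b"\x7fELF original native code",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Release-time step: record the expected SHA-256 of every shipped resource.
    Assumption: the manifest itself is signed or pinned in code the app verifies;
    otherwise whoever patches a file can update its hash as well."""
    return {path: sha256_hex(content) for path, content in sorted(files.items())}

def verify_integrity(manifest: Dict[str, str],
                     present: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Runtime guard: compare the bundle on disk against the manifest and report
    three failure classes: tampered (hash mismatch), missing (resource removed)
    and unexpected (resource injected that was never shipped)."""
    tampered = [p for p, h in manifest.items()
                if p in present and sha256_hex(present[p]) != h]
    missing = [p for p in manifest if p not in present]
    unexpected = [p for p in present if p not in manifest]
    return {"tampered": sorted(tampered),
            "missing": sorted(missing),
            "unexpected": sorted(unexpected)}

def is_intact(report: Dict[str, List[str]]) -> bool:
    """True only when every failure class is empty."""
    return not any(report.values())

def tampered_bundle() -> Dict[str, bytes]:
    """Constructed scenario: patched config, stripped native library, injected hook."""
    bundle = dict(RELEASE_FILES)
    bundle["res/config.json"] = b'{"api": "https://rogue.example.invalid", "pinning": false}'
    del bundle["lib/libcore.so"]
    bundle["lib/libhook.so"] = b"\x7fELF injected code"
    return bundle

if __name__ == "__main__":
    manifest = build_manifest(RELEASE_FILES)
    print("release bundle intact:", is_intact(verify_integrity(manifest, RELEASE_FILES)))
    print("tampered bundle report:", verify_integrity(manifest, tampered_bundle()))
```

In a real deployment the check runs at startup and again periodically, and its result feeds the same telemetry that drives the automated responses mentioned above.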

The risks of avoiding app safeguards are high for enterprises. A 2023 IBM report states that the global average total cost of a data breach is $4.35 million, and the consequences do not nearly end there. This raises the question: Why haven’t more enterprises prioritized app security from the outset?

The answer to this question is unclear, but what remains evident are the ramifications of releasing unprotected apps into the wild. These security risks impact all industries. However, the stakes become existential for financial applications, one of the most targeted sectors, with a 67% likelihood of attack due to the potential financial rewards associated with success. Breaches of highly sensitive personal banking information can trigger a financial and legal nuclear winter. Imagine massive fines, crippling lawsuits, and a complete erosion of consumer trust – these are all potential outcomes of a successful attack. 

Similarly, gaming applications face a staggering 76% attack rate, often fueled by the potential for notoriety and in-game rewards. The financial services and gaming industries stand as stark case studies – not just for the heightened risks they face, but also for the security measures that can be implemented. By examining the threats these industries confront, other sectors can proactively safeguard their own applications.

Looking Forward: Keeping Blueprints Secure in the Era of AI 

While threat actors constantly refine their tactics, enterprises have a powerful arsenal of tools to combat them. The future holds even more promise with the rise of AI: the global AI in cybersecurity market is estimated to grow from USD 22.4 billion in 2023 to USD 60.6 billion by 2028 (a compound annual growth rate of 21.9%).

AI will continue to aid threat actors in various ways, but in the same way AI can be used as a weapon, it can also be used as a tool for enterprises. Particularly in threat intelligence, AI can be used to glean insights from the petabytes of threat data now available to organizations that are monitoring threats to apps in the wild. 

In this current climate of AI Spy vs. AI Spy, it is important to stay one step ahead; those enterprises with the most proactive data scientists and security postures that utilize the latest technological advancements will end up on top.
