Mobile is fast becoming the preferred method for individuals to access online services. Increasingly, this means that sensitive information is being stored on mobile phones. The change is highlighted by looking at the banking industry where over the last five years mobile banking has moved from being only a small percentage of total interactions to being the dominant channel.
Criminals are fast becoming aware of the value of data stored on mobile devices, not just financial data but data across a wide range of industries and sectors. These criminals are intelligent and highly resourced, so they can exploit weaknesses in mobile operating system and application security. It is not just the data held within mobile applications that is valuable to criminals; mobile applications provide a path straight through the perimeter defenses of IT systems. This means that a weak mobile application will be the weak point in an organisation's IT security. If an attacker can control a mobile application, they can use it to make apparently legitimate requests of the supporting IT systems, compromising not just the mobile application but also the whole IT system.
Research suggests that half of mobile users will not take any steps to protect their devices, and so-called operating system defenses are easily broken down. This means that mobile application developers need to assume that the devices their applications are running on have been, or will be, compromised. It therefore falls on the developers to take responsibility for making their applications protect themselves.
This paper will help developers, product managers and risk professionals to understand the steps required to secure mobile applications.