Modern Mobile App Security and In-App Protection: Learning from the Gartner Market Guide
In 2018, mobile malware attacks nearly doubled and mobile phone account takeovers increased 79%. Because consumers perform more day-to-day tasks via mobile devices and apps, the mobile channel has become a more appetizing target for criminals.
As mobile threats increase in prevalence and sophistication, more financial services, retail, and media organizations are equipping their mobile apps to defend themselves with app security technology. In its “Market Guide for In-App Protection,” published 3 July 2019, Gartner states that “self-defending applications have become crucial.” The guide contains a wealth of information about in-app protection solutions: recommendations for security and risk management professionals, a comparison of features and functionalities, and write-ups on 19 representative vendors, including OneSpan. It is a great resource for any organization looking to strengthen the defenses of its mobile apps.
In-app protection solutions are technologies implemented within an app to make it more resilient against a variety of mobile threats such as repackaging, malware, script injection, cryptojacking, SMS grabbing, and more.
Because mobile apps run on a wide variety of untrusted devices whose security posture the app publisher cannot control, mobile apps are a natural use case for in-app protection. Gartner recommends that organizations:
"Choose in-app protection for critical and high-value applications that run within untrusted environments and move software logic on the front end. The most common use cases will be mobile apps, single-page web apps (especially consumer-facing ones), and software on connected devices.”
Mobile App Security Evolution: In-App Protection Beyond App Hardening and Anti-tampering
Witnessing the growth in mobile threats, Gartner clients have been asking for a more comprehensive set of app security capabilities in the past year. In response, Gartner expanded the scope of their report to include multi-factor authentication, runtime application self-protection (RASP), risk analysis, and more capabilities. They have since renamed the category “in-app protection.”
Gartner categorizes in-app protection capabilities into prevention, detection, and “other” capabilities, many of which are new to this year’s guide:
- Prevention: Hardening Capabilities
Gartner describes prevention capabilities as follows:
“Prevention capabilities are also referred to as application hardening. They can be considered passive and dissuasive measures that increase the level of effort required for the attacker to carry out an attack. Prevention capabilities mainly consist of various code obfuscation and white-boxing techniques.”
- Detection: Anti-Tampering Capabilities
Gartner describes detection capabilities as follows:
“Detection capabilities focus on reconnaissance of the surrounding environment of the app (e.g., the device or the server) to determine whether this environment can be trusted.”
- Other Capabilities
Gartner includes the following as examples of other capabilities:
  - Runtime Application Self-Protection (RASP)
  - Multifactor/Out-of-band (OOB) authentication
  - Risk analysis
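To make the “detection” category concrete, here is an added example (written for this article, not OneSpan or Gartner code) of the kind of environment reconnaissance such a component performs on Android: it checks whether the APK still carries the publisher’s signing certificate (repackaging), whether a Java-level debugger is attached, whether common root indicators are present, and whether the app is running in an emulator. The pinned certificate hash, the class name and the list of `su` paths are assumptions for illustration.

```java
// Added example of "detection" (anti-tampering) checks; illustrative, not a vendor's product code.
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import android.os.Debug;

import java.io.File;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.List;

public final class EnvironmentTrust {

    // ASSUMPTION: hex SHA-256 of the release signing certificate, pinned at build time.
    // A mismatch at runtime means the APK was re-signed, i.e. repackaged.
    private static final String EXPECTED_CERT_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    // ASSUMPTION: a short list of common root indicators; real products use many more.
    private static final String[] SU_PATHS = {
            "/system/bin/su", "/system/xbin/su", "/sbin/su", "/system/app/Superuser.apk"
    };

    /** Returns the indicators found; an empty list means nothing suspicious was detected. */
    public static List<String> collectFindings(Context ctx) {
        List<String> findings = new ArrayList<>();

        // 1. Repackaging: compare the APK's signing certificate with the pinned hash.
        if (!signingCertMatches(ctx)) {
            findings.add("repackaged: signing certificate mismatch");
        }

        // 2. Debugger: Java-level only; native debuggers (ptrace) need separate checks.
        if (Debug.isDebuggerConnected()) {
            findings.add("debugger attached");
        }

        // 3. Root indicators: su binaries on disk or a build signed with test keys.
        for (String path : SU_PATHS) {
            if (new File(path).exists()) {
                findings.add("root indicator: " + path);
                break;
            }
        }
        if (Build.TAGS != null && Build.TAGS.contains("test-keys")) {
            findings.add("root indicator: test-keys build");
        }

        // 4. Emulator heuristics based on build properties.
        if (Build.FINGERPRINT.startsWith("generic")
                || Build.MODEL.contains("Emulator")
                || Build.MODEL.contains("Android SDK built for")) {
            findings.add("emulator build properties");
        }
        return findings;
    }

    private static boolean signingCertMatches(Context ctx) {
        try {
            PackageManager pm = ctx.getPackageManager();
            Signature[] sigs;
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
                PackageInfo pi = pm.getPackageInfo(ctx.getPackageName(),
                        PackageManager.GET_SIGNING_CERTIFICATES);
                sigs = pi.signingInfo.getApkContentsSigners();
            } else {
                @SuppressWarnings("deprecation")
                PackageInfo pi = pm.getPackageInfo(ctx.getPackageName(),
                        PackageManager.GET_SIGNATURES);
                sigs = pi.signatures;
            }
            // Expect exactly one signer; anything else is treated as untrusted.
            if (sigs == null || sigs.length != 1) {
                return false;
            }
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(sigs[0].toByteArray());
            return toHex(digest).equalsIgnoreCase(EXPECTED_CERT_SHA256);
        } catch (Exception e) {
            return false; // fail closed: an error reading the signature is not "trusted"
        }
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

Two practitioner caveats follow from this. First, every one of these checks runs on the attacker’s device, so without the “prevention” layer (obfuscation, white-boxing) a hooking framework can simply patch `collectFindings` to return an empty list; detection and hardening only work together. Second, the findings are more valuable as a signal sent to the server for risk analysis than as a local decision to exit the app, which is why Gartner lists risk analysis and out-of-band authentication alongside detection rather than as separate products.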
Why is In-App Protection Important in a Modern Mobile App Security Program?
The real argument here comes down to speed and expertise. In-app protection is a set of tools that can be shared with developers, so they can more quickly integrate security and authentication functionality into their mobile apps. In Sonatype’s 2019 DevSecOps Community Survey of 5,558 professionals involved in DevOps, development, and security, 47% of respondents reported deploying applications multiple times per week. That release cadence likely explains why 48% of respondents also said their developers consider security important but don’t have enough time to spend on it.
Even if a mobile app developer does have time for security, the greater challenge is ensuring it’s done properly. A study published last year found that 78% of 70 Android developers were not able to complete a realistic obfuscation task. My point here is not to disparage developers (which, by the way, will not get you anywhere in improving your mobile app security program). Most mobile developers are experts in Android and iOS development and are driven by the business to produce better features more quickly. They are not typically app security experts. Developers want to do the right thing, but they need education, such as secure code training, and tools that make security more efficient and effective, such as mobile app security testing tools and in-app protection.
For example, one of the largest banks in the world publishes and continuously updates thousands of mobile apps, but it couldn’t find enough developer time or expertise in-house to provide a level of security that was up to its standards. The bank came to OneSpan looking for solutions that could increase the security of its mobile apps without affecting the deployment frequency it had established to maintain its competitive edge. It chose OneSpan’s in-app protection capabilities to bolster its apps’ security to a level it reports would be impossible to reach on its own.
Response to the Report
I for one applaud Gartner’s expansion of the scope of their Market Guide. More needs to be done to secure mobile apps and protect users against fraud. The expanded scope also validates the approach OneSpan has taken with our Mobile Security Suite since its inception – a complete toolkit for securing mobile banking apps. From the beginning, we’ve built Mobile Security Suite to provide a complete set of static and dynamic security technologies and authentication capabilities. These capabilities make it easy for developers to natively integrate proven, trustworthy security and authentication functionality into their Android and iOS apps.
Gartner, Market Guide for In-App Protection, 3 July 2019, Manjunath Bhat, Dionisio Zumerle
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.