The UK Government recently announced its guidance and proposed voluntary code of practice for developing secure mobile applications and making them safer for end users.
The UK Cyber Minister Julia Lopez has said: “With so much of our day-to-day activities now online, consumers should be able to trust that their money and data is in safe hands when using apps. And these measures will not only boost our digital economy but also protect people from fraud.”
As a mobile app security business, we applaud the government for turning its attention to this vital topic. Especially at a time when there’s a little bit of misinformation out there about exactly what app protection is and what robust security looks like.
Here at Licel we tend to tell our clients that mobile app protection should form part of a holistic approach to security. It should be one aspect of a wider security strategy that your company is implementing.
When we talk to them about mobile app security, how do we explain it?
Well, we begin by talking about pre-deployment considerations and security by design processes. This, we explain, should be followed by a range of activities such as security assessments, tamper proofing, obfuscation, encryption of sensitive parts of the app, virtualisation, and providing a safe environment for cryptographic operations (a software-based security module).
But it doesn’t stop there. You also have to think about preventing communication interception and stopping bad actors from running a static or dynamic analysis to explore the inner workings of your app. Not to mention the need to mitigate the impact of malware attacks which are increasing in both number and sophistication.
All of these app protection measures should complement server-side security, the protection of public APIs, plus real-time app lifecycle monitoring and threat intelligence (including information about insider threats). The collection of reliable data about the risks your app faces is vital for fraud scoring and prevention.
Every risk executive I speak to tells me that addressing compliance, visibility, operational and strategic risks is their number one priority. And this is a more complicated task than ever when there are security solutions out there that not only fail to solve problems but can actually introduce new ones.
Marketing messages can be a little murky when you dig beneath the surface. Instead of trusting them outright, be sure to pick vendors who are undertaking regular independent security evaluations, and those that have certificates from corresponding bodies that back this up. Be wary, too, of companies claiming their product will block every single cyber attack out there. The truth is that there’s no such thing as 100% security. In fact, you should make sure that your corporate security protocols account for that. Make sure you have proper disaster recovery procedures in place. And think about limiting the number of security services that might affect your publication process in case you have to urgently push an update - by simply being not available, or when being attacked.
Like everything else in our lives, cybersecurity is something of a balancing act. You need to figure out what is essential and what isn’t.
In this light, it’s fantastic to see the recent guidance from the UK Government about keeping end users safe from mobile threats. As security professionals, we value the thorough analysis that has been carried out and appreciate the amount of work that has led to these actionable insights.
The guidance comes with realistic time frames for the implementation phase. But we know from our partners that some of the measures are already being implemented, which is great.
We would only emphasise the importance of educating end-users alongside applying best practices. This is crucial for the successful implementation of the new security guidance.
Gradual permission control has already been implemented by key industry players. The next step would be to adopt an authorisation procedure for apps that ask for sensitive permissions, such as location or access to the microphone or camera. That way you’d only be able to ask for these permissions if your application had gone through a security assessment and held the relevant certification.
Another important thing to mention is third-party libraries. Again, some platform vendors already include SBOMs into app distribution containers which allows them to identify security vulnerabilities post deployment in an automatic fashion. But this kind of practice needs to become commonplace.
The last few years have taught us that bad actors are becoming highly skilled in sniffing out vulnerabilities in apps and targeting them mercilessly. This can result in successful attacks that can be ruinous to business reputations. But on a micro level these attacks can also be immensely damaging to individual lives.
Some great work is being done within the cybersecurity sector to make everyday digital activities safer for people. But rules established at the highest level like those from the UK Government are great for educating and making sure there’s a base level of security being implemented.
As always, please do get in touch if you want to chat further about this or to discuss what the new rules in the UK mean for your application.
And for more information about the government’s recent announcement on new app security measures, see:
https://www.gov.uk/government/news/new-rules-for-apps-to-boost-consumer-security-and-privacy.
Ivan Kinash.
CEO of Licel.
