Gartner’s recently published Avoid Mobile Application Security Pitfalls (July 27, 2020; Dionisio Zumerle) provides security and risk management leaders with must-follow mobile best practices to avoid data leakage from mobile devices and attacks on infrastructure. Zimperium – the global leader in mobile device and app security and provider of the Mobile Application Protection Suite (MAPS) – is recognized in this report.
According to the report, “Security and risk management (SRM) leaders must protect mobile applications to enable the organization to advance toward its digital transformation (*see Figure 1). This research highlights the main pitfalls and suggests approaches to avoid security failures when developing and using mobile apps.”
According to Gartner, “key challenges facing security and risk management leaders include:
- Mobile application security failures lead enterprises to sensitive data loss, exposure of infrastructure, fraud and noncompliance.
- The architectural decisions made very early on in the process will determine many of the limitations in the security functionality available to security leaders.
- Mobile applications are subject to new types of attacks and require developers to revisit, learn and reprioritize security best practices.
- When seeking advanced mobile application security functionality for particularly sensitive apps, the landscape is fragmented, maturing and technically challenging to grasp.”
In this report, Gartner states that leaders in charge of application security should:
- “Provide early input on the performance-security trade-offs when a mobile architecture (native, hybrid or mobile web) is selected by being involved from the beginning of the process.
- Implement application security best practices with a focus on the specificities of mobile and its associated back end and possible API. In particular, eliminate hardcoded credentials, minimize app permissions, encrypt sensitive data and use certificate pinning where possible.
- Perform mobile application security testing and standardize the mobile security components used by employing ISVs, multiexperience development platforms and UEM capabilities in the process.
- Go beyond obvious controls, such as encryption at rest, for high-security apps by hardening and obfuscating code, preparing against tampering, and reverse-engineering attempts.”
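The quoted list names certificate pinning as a control but not its mechanics, and a naive implementation (pinning the leaf certificate, shipping a single pin) is a common way to brick an app at the next renewal. The following is an added example, not code from the Gartner report or from Zimperium's MAPS products: Python that pins the SubjectPublicKeyInfo (SPKI) rather than the whole certificate, ships a backup pin for key rotation, and fails closed when no certificate in the presented chain carries a pinned key. The certificate bytes are constructed inside the block (structurally valid DER with a placeholder key and signature) so the DER walker runs offline; extract_spki, spki_pin, chain_matches_pins and the build_test_* helpers are names chosen for this example.

```python
# Added example (not from the Gartner report or Zimperium's products): SPKI pinning.
# Pin base64(sha256(SubjectPublicKeyInfo)), keep a backup pin, fail closed.
import base64
import hashlib


def _der_tlv(data, pos=0):
    """Decode one DER tag-length-value at pos: (tag, contents, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _der_children(contents):
    """Split a constructed value's contents into child TLVs, headers included."""
    children, pos = [], 0
    while pos < len(contents):
        start = pos
        _, _, pos = _der_tlv(contents, pos)
        children.append(contents[start:pos])
    return children


def _der(tag, contents):
    """Encode one DER TLV; only used to build the constructed test certificates."""
    n = len(contents)
    if n < 0x80:
        return bytes([tag, n]) + contents
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + contents


def _seq(*parts):
    return _der(0x30, b"".join(parts))


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert_body, _ = _der_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs_body, _ = _der_tlv(_der_children(cert_body)[0])
    fields = _der_children(tbs_body)
    if fields[0][0] == 0xA0:                # explicit [0] version present (v2/v3 certs)
        fields = fields[1:]
    return fields[5]                        # serial, sigalg, issuer, validity, subject, SPKI


def spki_pin(spki_der):
    """Pin format used by HPKP and Android's network security config."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_matches_pins(chain_der, pins):
    """Accept only if some certificate in the already-validated chain carries a
    pinned key (pinning an intermediate or root works the same way); else fail closed."""
    return any(spki_pin(extract_spki(cert)) in pins for cert in chain_der)


# ---- constructed test data (structurally valid DER, placeholder key and signature) ----
def build_test_spki(point):
    """SPKI for id-ecPublicKey / prime256v1 around a placeholder uncompressed point."""
    alg = _seq(_der(0x06, bytes.fromhex("2a8648ce3d0201")),       # 1.2.840.10045.2.1
               _der(0x06, bytes.fromhex("2a8648ce3d030107")))     # 1.2.840.10045.3.1.7
    return _seq(alg, _der(0x03, b"\x00" + point))


def build_test_cert(spki_der):
    """Unsigned v3 certificate shell around the given SPKI (never use as a real cert)."""
    version = _der(0xA0, _der(0x02, b"\x02"))                      # [0] EXPLICIT INTEGER 2
    sig_alg = _seq(_der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
    name = _seq(_der(0x31, _seq(_der(0x06, bytes.fromhex("550403")),  # CN=
                                _der(0x0C, b"api.example.test"))))
    validity = _seq(_der(0x17, b"200101000000Z"), _der(0x17, b"300101000000Z"))
    tbs = _seq(version, _der(0x02, b"\x01"), sig_alg, name, validity, name, spki_der)
    return _seq(tbs, sig_alg, _der(0x03, b"\x00" + bytes(8)))      # placeholder signature


PRIMARY_SPKI = build_test_spki(b"\x04" + bytes(range(64)))
BACKUP_SPKI = build_test_spki(b"\x04" + bytes(64))        # key held offline for rotation
ROGUE_SPKI = build_test_spki(b"\x04" + b"\xff" * 64)      # attacker's key, never pinned
PINNED = {spki_pin(PRIMARY_SPKI), spki_pin(BACKUP_SPKI)}  # ship primary + backup pins


def demo():
    """Results for: current chain, chain after rotating to the backup key, attacker chain."""
    return (chain_matches_pins([build_test_cert(PRIMARY_SPKI)], PINNED),
            chain_matches_pins([build_test_cert(BACKUP_SPKI)], PINNED),
            chain_matches_pins([build_test_cert(ROGUE_SPKI)], PINNED))
```

In a real client the chain handed to chain_matches_pins is the one the platform TLS stack has already validated (an Android TrustManager or an iOS URLSession delegate, for instance); pinning supplements that validation rather than replacing it. Pinning the SPKI means a certificate renewal that keeps the same key pair leaves the pin valid, and the backup pin covers the case where the key itself must be rotated, which is the failure that strands users on an app they cannot update.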
MAPS identifies security, privacy and compliance risks during app development and protects/monitors apps from attacks while in use, ending the piecemeal approach and connecting data in a single platform.
MAPS is comprised of three solutions, each of which addresses a specific enterprise mobile app security need:
- zScan helps organizations discover and fix compliance, privacy, and security issues within mobile apps before they are released as part of the development process;
- zShield hardens the app through obfuscation and anti-tampering functionality, protecting it from attacks such as reverse engineering and code tampering; and
- zDefend SDK (formerly zIAP) is embedded in apps to help detect and defend against device, network, phishing and malicious app attacks while the app is in use.
Whether it is identifying security and privacy risks during the app development, or monitoring and protecting apps from attacks while in use, we are making sure mobile apps aren’t used by hackers as a data breach gateway.
zScan provides an ongoing and automated ability to discover privacy, security, and compliance issues in mobile apps before the apps are released into the wild. zScan is designed to fit directly into the development process without requiring developers to go outside their normal operations, implement any new code, or have to log into another console.
When zScan discovers a finding, it can open a ticket in the team's ticketing system with the detailed information and work package developers need to address the risk. After developers fix the finding and mark it closed (as they would any bug or feature request), the status is synced back to zScan so security and compliance teams can verify the fix.
Once a mobile app is released publicly, potential attackers can inspect it for any coding errors and vulnerabilities that can be exploited. Zimperium zShield’s obfuscation and anti-tampering functionality hardens and protects the app against attacks such as reverse engineering, piracy, removing ads, extracting assets, extracting API keys and inserting malware, among others. These controls raise the cost and skill required for such attacks; they work alongside, not instead of, the basics above such as keeping secrets out of the app binary.
With the zDefend SDK embedded, mobile apps can immediately determine if a user’s device is compromised, any network attacks are occurring or if malicious apps are installed. zDefend is completely configurable by app developers, who can take action when a given threat is detected.
The development of a mobile app should be focused on creating exceptional user experiences and engagement, not on financial and reputational concerns over data breaches and privacy and security issues. MAPS provides peace of mind to CISOs, CIOs and security operations teams for the life of their mobile app, so developers can focus on building features and functions for the business while applications are scanned, shielded and able to defend themselves once released into production.
If you’d like to read Avoid Mobile Application Security Pitfalls, please click here.
If you would like to learn more about securing your mobile apps from development to running on end user devices, please contact us. We are here to help.
*This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request.
MAPS Helps Enterprises Avoid Mobile Application Security Pitfalls