
Mobile is where it starts these days 

The world has embraced mobile in a big way. Mobile applications are suddenly an indispensable feature of daily life, serving as sources of information, productivity tools or entertaining ways to pass the time. There are now more than 1.3 million Android apps on the market and almost exactly as many available to users of Apple’s mobile devices. In June 2014 alone, 75 billion apps were downloaded from the Apple App Store!

Most large enterprises aim to help their customers, employees and other agents interact or transact with a range of mobile apps spanning the various platforms. I’m reasonably sure that your enterprise has either already deployed these or is busy building them. The apps probably provide some form of login, beyond which users can view and manage personal information. You plan to keep expanding the transactional functionality: if you don’t already allow people to perform sensitive transactions, you are likely to have it on your roadmap. 

All this data must be secured. How much of your development team’s time is spent thinking about security? What kind of budget are you providing them in this regard? With big names in retail and financial services falling prey to cybercrime every week, the last thing you want is to join their ranks with a badly designed mobile app. 

Building secure apps is hard. Really hard.

Here’s the challenge: Every mobile platform has its own quirks that developers must accommodate, and each device has a unique set of challenges they must overcome. Mobile is a complex new ecosystem, and developers are very often not up to the task of securing mobile data, connections and transactions. Even if developers possess the necessary knowledge, they often lack the resources or the time to properly protect users of their apps and the systems with which they interact. (For example, four out of five IT security professionals surveyed in Trustwave’s global 2014 Security Pressures Report reported feeling pressure to roll out projects despite their own unaddressed security concerns.) 

Organizations would prefer to believe their developers have secured all potential weak spots when rolling out their great-looking new app, but that’s usually not true. Not by a long shot. FireEye recently analyzed the top one thousand apps on Google Play. It found that 68% had an SSL vulnerability that could leave them open to interception and man-in-the-middle attacks. iOS is better but not perfect by any means. Our CTO, Christiaan Brand, blogged about SSL vulnerabilities on iOS in February. Since then, more bugs have been discovered. 

Trustwave, which continually monitors the threat landscape, paints a similar picture – literally so, with its Applications Under Duress infographic. In May, Trustwave found that 96% of mobile apps contain vulnerabilities, with an average of 14 such chinks in the armor per app!

If you thought that banking apps at least fared better, I have some more bad news for you. Earlier this year, cybersecurity firm IOActive scrutinized 40 mobile banking apps from the 60 most influential banks in the world. Here’s some of what it discovered: 

  • 90% used non-SSL links
  • 50% were vulnerable to JavaScript injections
  • 40% were susceptible to basic man-in-the-middle attacks
  • 70% did not provide “alternative authentication solutions, such as multi-factor authentication, which could help to mitigate the risk of impersonation attacks”

Anyone who knows and cares about digital security is aware of how vulnerable most apps are, and how easy these vulnerabilities are to exploit – and this includes the hackers and crime syndicates out there. For them, the present situation is something like a gold rush, one that they are doing everything to exploit with thousands of new mobile banking trojans and hundreds of thousands of other malicious programs.

Help is at hand

Entersekt’s goal is to make the online world a safer place to bank and shop. And, yes, that includes assisting developers around the world secure their mobile apps.

Entersekt’s solutions for mobile app authentication and mobile banking authentication put at your disposal the powerful Transakt SDK. Transakt uses X.509 digital certificates to uniquely identify every one of your customers’ mobile devices and to pair it to the relevant user profile. Once you’ve identified the device, our patented technology creates a secure tunnel between it and your business’ services. On top of that, Transakt provides out-of-band, multi-factor authentication on the mobile, as well as the ability to digitally sign any transactions performed on it. It’s available across all smartphone platforms right now.

The Entersekt team works extremely hard behind the scenes to ensure that our product is always several steps ahead of any new techniques the fraudsters devise. This means that your developers can focus on building an app that hits a home run in terms of features and usability without also having to worry too much about securing it. Perhaps even better, you will avoid getting your company’s name in the press for the wrong reasons.



Gerhard Oosthuizen

CTO

Gerhard provides the organizational and operations heft to turn vision into reality. His role at Entersekt represents the CTO function in its purest and most exciting form. Our purpose is, after all, to design and build high-performance, market-leading software and support systems for an international customer base with extremely high expectations.


Entersekt is an innovator of customer-centric fintech solutions. Financial services providers and other enterprises rely on our patented mobile identity system to provide both security and the best in convenient new digital experiences to their customers, irrespective of the service channel. With us, they can concentrate on their innovation roadmap, while delivering intuitive, low-friction digital experiences to their customers.