Data breaches: app security under threat

Ben Zilberman, product marketing manager at Radware looks at the implications of data security for app developers

2 August 2018

In July news broke that a person’s data on a well-known mobile payment service app could be seen publicly.

In case you missed it, a researcher analysed over 200 million publicly available transactions made using the money-sharing app. Her aim was to draw attention to the amount of information that can be gathered using peer-to-peer apps. She was able to access the data through a public application programming interface, including the transactions of users who had set their privacy setting to private, and build a picture of their lives with surprising accuracy. From burgers to cannabis oil, if you bought it she knew about it.

Her exposure of how peer-to-peer apps work was used to highlight that some people place more trust than they should in the default settings of all types of apps.
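The failure mode described above is an API that returns records regardless of the owner's privacy setting, because the setting is honoured only in the app's user interface. The following is an added illustration written for this article, not code from the payment app or from Radware: a leaky feed handler beside a hardened one that enforces visibility server-side, with a private default. The transaction fields, the constructed sample feed, the friends list and the function names are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Transaction:
    tx_id: str
    payer: str
    payee: str
    note: str
    # Assumed default: a new transaction is private unless the owner opts in.
    visibility: str = "private"   # "private" | "friends" | "public"

# Constructed sample feed and friends graph, not real data.
FEED = [
    Transaction("t1", "alice", "bob", "lunch", visibility="public"),
    Transaction("t2", "alice", "carol", "rent", visibility="private"),
    Transaction("t3", "dave", "erin", "concert tickets", visibility="friends"),
]
FRIENDS = {"dave": {"erin", "frank"}, "erin": {"dave"}}

def serialise(tx: Transaction) -> dict:
    """Shape of a record as the API would return it."""
    return {"tx_id": tx.tx_id, "payer": tx.payer, "payee": tx.payee, "note": tx.note}

def public_feed_leaky(requester: Optional[str]) -> list:
    """Leaky handler: every record is returned; the privacy flag is never
    consulted here, so an unauthenticated caller sees private transactions."""
    return [serialise(tx) for tx in FEED]

def can_view(tx: Transaction, requester: Optional[str]) -> bool:
    """Server-side visibility check; requester is None for anonymous callers."""
    if requester is not None and requester in (tx.payer, tx.payee):
        return True                      # participants always see their own record
    if tx.visibility == "public":
        return True
    if tx.visibility == "friends" and requester is not None:
        return (requester in FRIENDS.get(tx.payer, set())
                or requester in FRIENDS.get(tx.payee, set()))
    return False                         # private, or friends-only and not a friend

def public_feed(requester: Optional[str]) -> list:
    """Hardened handler: the same endpoint, filtered by can_view."""
    return [serialise(tx) for tx in FEED if can_view(tx, requester)]

if __name__ == "__main__":
    print("anonymous, leaky:   ", [r["tx_id"] for r in public_feed_leaky(None)])
    print("anonymous, hardened:", [r["tx_id"] for r in public_feed(None)])
    print("frank, hardened:    ", [r["tx_id"] for r in public_feed("frank")])
```

The point of the comparison is that the privacy setting must be evaluated on the server for every request, and that the default for a new record should be the restrictive one; a client-side toggle alone protects nothing once someone calls the API directly.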

Of course, the phenomenon of social media, fintech apps and all manner of other applications from Spotify to Google Maps hasn’t been possible without our growing reliance on data. 

But though business models may rely on data to grow, they also rely on customers. Without one you can’t have the other.

Trust is now a huge factor in whether someone joins, stays or leaves your brand. And shareholders will ask if the company will still exist in a year if its reputation is tarnished. In fact, Radware’s 2018 C-Suite Perspectives study found that 41% of executives reported customers taking legal action against their company following a breach.

But if we look at the bigger picture, where we move to a world in which internet of things apps are commonplace in our day-to-day lives, we of course open up the possibility of more data breaches. All sorts of apps rely on interaction with trusted sources, and sadly this can become a hunting ground for malicious activity. Hackers could use my smart-home management app to track my location, or access my mobile shopping accounts and bank details.

Our research shows that around half of all companies don’t analyse vulnerabilities in their apps prior to launch, despite the fact that 60% of apps are constantly sending sensitive data to and from the network.

It’s food for thought, especially at a time when banks are waking up to the fact that they need to compete with start-ups like Monzo and Revolut if they are to keep customers loyal. RBS buying FreeAgent is an example of how the market is changing in the business-to-business world – it’s quicker to buy than to make.

But really it doesn’t matter if you make or buy. You have to be secure. Fines and public opinion will get you if you’re not. So what’s the answer?

I see it as a supply chain. We have to make sure that at every hand over there is a secure link. The suppliers who make apps on behalf of brands, the developers who are working to improve how we live, the IoT applications that will sit quietly in the background, all need to be secured from vulnerabilities.

But they must also be updated frequently as new threats come along. There must be a mentality of finding and securing apps, old and new, every day. It’s clear it can’t be left to the consumer, and if things go wrong they will come looking for compensation regardless. It calls for hyper-vigilance: every manufacturer of an endpoint has to take precautions and ensure any handovers are secure, so that no one is a weak link. We all have a responsibility to make security a norm of application development, not an add-on.

What’s more, we have to consider the impact on the network each time we add something to it. And frankly it doesn’t matter whether the data going across it is sensitive or not. It’s the principle: if it’s not secured then it’s penetrable, and once a hacker, or more likely a bot, is in, they are closer to getting hold of anything you own, or to making irreparable changes to it.

As we move to organising our networks around the cloud this conundrum becomes more complex. It’s not impossible though. Blending artificial intelligence, and human skill makes for a viable strategy. The AI takes care of the things no human brain can possibly process – scanning for threats and making the first move to defend as necessary. The human skill can then use insight from the AI activity to plan security and ensure it is fit for purpose as the security landscape changes.

But above all it takes a united effort, an agreement that as a community of developers, brand custodians and security experts we will implement ethical and trustworthy approaches that ensure every person’s data is protected at all times. No ifs no buts.
