Are you convinced that your life has become easier than before due to the increased usage of mobile apps? Well, you must take that statement with a pinch of salt, for the growing use of such apps has been followed by a higher incidence of data theft and breaches as well. Surprised? Then hear what the experts have to say: according to Gartner, around 75% of security breaches, especially at the endpoints, are due to the misconfiguration of mobile apps (Ref: https://www.gartner.com/newsroom/id/2753017). Also, according to a report by BI Intelligence, the total revenue loss due to mobile fraud in 2016 was up to $350 million (Ref: http://bit.ly/2ct4luH).
Why do mobile app frauds take place?
In recent years, the easy availability of low-cost yet powerful smartphones has meant that a greater number of people have access to them. This, in turn, has created a greater appetite among customers for apps that are aesthetically pleasing, seamless to navigate and rich in advanced features. As a result, business enterprises are under tremendous pressure to reach these customers on the go with new mobile apps built on technologies such as the Cloud, the Internet of Things (IoT), Analytics or, at a nascent level, even Artificial Intelligence (AI).
This rush to release new mobile apps at the drop of a hat and stay a step ahead of the competition means stringent security checks are often overlooked in favor of considerations such as faster time to market and a higher ROI. Since many of these apps hold sensitive customer information such as credit card details, the weakening of built-in security checks has given rise to a higher incidence of security breaches. This has pushed mobile application development companies to incorporate stringent measures to outsmart the hackers and gain the trust of customers.
Methods used by cybercriminals to steal sensitive data
Social Engineering: Attacking mobile apps by exploiting their technical flaws through malware, viruses, worms and trojans is a less trodden path for cybercriminals than stealing information by manipulating the psychology of users through social engineering. Here, users are tricked into revealing their sensitive personal information through techniques such as phishing, watering hole attacks, etc.
Spyware: This technique is used more at the enterprise level, where tricksters infect business apps used by employees with malicious spyware to steal sensitive business and personal information. Some examples are CoolWebSearch, Gator and 180searchAssistant.
Mobile Botnet: If your mobile is not protected by an antivirus, it can be infected with a mobile bot or malware targeting your smartphone. The compromised smartphone is then connected to servers controlled by the botmaster or cybercriminal(s), who siphon off personal information and even money. For example, a mobile botnet called HummingBad (now back as HummingWhale) had infected over 10 million Android smartphones in 2016, resulting in a profit of over $300,000 a month for its makers (Ref: http://bit.ly/2nTSBo3).
Consequences of a security breach
Hacking into mobile applications is carried out with alarming regularity, yet enterprises often discover it only late, when the damage has already been done. Compromised mobile app security can have the serious consequences listed below.
Loss of revenue: At an individual level, a compromised mobile app (banking, e-commerce, utilities, etc.) can result in money being siphoned off from bank accounts or digital wallets. At the business level, however, the loss of revenue can happen when
- Sensitive business information gets stolen through spyware or mobile botnets.
- Customers discard the mobile app and opt for a rival one after learning that the mobile app is not secure.
Brand value hit: If customers become aware that a mobile app's security has been compromised, the brand value of the enterprise or of the mobile app development company behind the app takes a hit.
Lawsuits: Customers or business entities can file lawsuits against the mobile app development agency or the company running the app for compensation.