Skip to main content

Discover the Mobile Application Landscape

Learning Objectives

After completing this unit, you’ll be able to:

  • Describe the mobile application landscape.
  • Identify the prevalence of mobile application security.
  • Define mobile application security terminology.
  • Differentiate web and mobile application security.
  • Describe the mobile application attack surface.

Before You Start

If you completed the Application Security Basics and Application Security Engineer Responsibilities modules, then you already know about application security and how an application security engineer protects applications. Now let’s talk about how to improve a mobile application’s cybersecurity.

The Mobile Application Landscape

Our smartphones can do extraordinary things—shoot 4 kilo (4K) video, translate foreign languages, take dictation, monitor heart rates, and more. With rapid technological advancements, integration of technologies like artificial intelligence (AI), blockchain, and fifth generation cellular networks (5G) have revolutionized the way we think of mobile applications (apps).

Staying up to date with rapidly altering trends and having sound technical knowledge is key for mobile app developers to create innovative apps for virtually every device. It’s also more critical than ever for those looking to develop apps to be cyber aware.

As the prevalence of mobile devices and apps continues to rise, more companies are shifting to a mobile-first design strategy. Mobile-first is a philosophy that aims to create better experiences for users by starting the design process from the smallest of screens: mobile. Most customers’ initial interactions with a company take place on their smartphones and tablets, which have their own security complexities and require a comprehensive mobile appsec strategy. Designing and prototyping your websites for mobile devices first helps you ensure the user experience is seamless on any device.

The Prevalence of Mobile Appsec

Today, every major business has a mobile app to connect more easily with their customers, and more users than ever rely on mobile apps for a majority of their digital tasks, from watching the news and checking emails and social media to making online purchases and performing bank transactions.

These mobile apps have access to large amounts of sensitive data which must be protected from unauthorized access. Through these apps, businesses can gather usable information, such as location, usage statistics, phone numbers, likes, dislikes, and other relevant metrics about users. If the data in these mobile apps falls into the wrong hands, it can be harmful to the user.

The goal of security professionals is to mitigate mobile appsec risk at their organizations. Mobile appsec is the practice of safeguarding high-value mobile apps and digital identities from attacks. This includes device tampering, reverse engineering, malware, keyloggers, and other forms of manipulation or interference. Like it or not, as a developer or security professional, you need to take into account the many threats that target mobile apps.

Define Mobile Appsec Terminology

Before we go further, let’s familiarize ourselves with some common mobile appsec terms.

Term

Definition

API

A software intermediary that allows two apps to talk to each other

Authentication

The act of identifying an individual

Authorization

The act of checking that the identified individual has the permissions necessary to perform an act

Buffer

An area of memory set aside to hold data, often while moving it from one section of a program to another or between programs

Buffer Overflow

An anomaly where a program, while writing data to a buffer, overruns the buffer’s boundary and overwrites adjacent memory locations

Development Platform

A set of standards that enable developers to develop software apps based on the right tech stack

Dynamic Testing

A software testing method performed to analyze the runtime behavior of the code

Static Testing

A software testing method that evaluates the source code of an app to detect defects in software without actually executing the code of the software app

User Experience (UX) Design

A design approach that focuses on making the app simpler, cohesive, and easy for the user to navigate through

Web vs. Mobile Appsec

A web app is an app that runs on a website and is accessed by a user via an internet browser. Web apps function like downloadable apps, but execute in the context of your phone’s browser. Web apps adapt to whichever device you’re viewing them on. They are not native to a particular system and don’t need to be downloaded or installed.

Mobile appsec focuses on the software security posture of mobile apps on platforms like Android and iOS. This covers apps that run both on mobile phones and on tablets. It involves assessing apps for security issues in the contexts of the platforms they are designed to run on, the frameworks they are developed with, and the expected set of users (for example, employees versus end users). Mobile apps can collect much more information about the user—such as location, biometric, and video and audio data—than web browsers.

Let’s take a closer look at some differences between web apps and mobile apps.

Code

Web apps have the option of hosting sensitive code on the server where an attacker cannot access it. On the other hand, mobile apps contain substantial code (including logic and data) on the client device. Mobile apps are essentially publically available code and have a greater attack surface than web apps, since the apps can be downloaded from public stores and the code can be inspected.

Network

With web apps, the browser handles transport layer security (TLS) and hypertext transfer protocol secure (HTTPS) to secure communication over a computer network. With mobile apps, the app must securely code the network call. Mobile appsec engineers need to secure sensitive data while traversing the mobile device carrier’s network and the internet by verifying that safe communication methods such as TLS and HTTPS are used.

Memory

With web apps, the browser isolates data from local machine memory and files. With mobile apps, the app must properly handle local files and memory. This means that mobile appsec engineers need to protect against anomalies such as buffer overflows, where a program, while writing data to an area of memory, overruns the boundary and overwrites adjacent memory locations.

Segmentation

Browser sandboxes isolate web app data and logic from one another. Mobile apps, on the other hand, are capable of sharing data between one another by writing to shared or open storage locations. Back-end APIs that are used to connect mobile apps to servers to transfer data can expose sensitive medical, financial, and personal data if not properly secured.

The Mobile App Attack Surface

The attack surface describes all the different points where an attacker could get into an app and exfiltrate data. The attack surface of a mobile app includes:

  • Data in transit: The sum of all paths for data and commands into and out of the app
  • The code that protects these paths: The resource connection and authentication, authorization, activity logging, data validation, and encoding
  • Data at rest: All valuable data used and stored in the app, including secrets and keys, intellectual property, critical business data, and personally identifiable information (PII)
  • The code that protects this data: Encryption and checksums, access auditing, and data integrity and operational security controls
  • Back-end APIs: The interfaces used to connect services and transfer data

A mobile phone with the five aspects of the attack surface surrounding it

As a security professional, it’s your job to thoroughly evaluate the entire mobile app attack surface. For attackers, mobile apps have always been an interesting attack surface. And although major mobile platforms provide their own set of security controls designed to help developers build secure apps, it’s often left to the developer to choose from a variety of security options. If developers do not properly vet security features, they may implement them in such a way that attackers can easily circumvent. 

Sum It Up

Now you understand the mobile landscape, the prevalence of mobile appsec, and mobile appsec terminology. In the next unit, you learn more about the responsibilities of a mobile appsec engineer and discover the skills that help them succeed. 

Resources

Keep learning for
free!
Sign up for an account to continue.
Sign Up Login
What’s in it for you?
  • Get personalized recommendations for your career goals
  • Practice your skills with hands-on challenges and quizzes
  • Track and share your progress with employers
  • Connect to mentorship and career opportunities
Skip for now