Why awareness is the greatest challenge in mobile app security
16 Aug 2024

Tom Lysemose Hansen. Image: Promon

Promon’s Tom Lysemose Hansen discusses the security challenges of tech such as quantum, edge computing and more, as well as the importance of collaboration in mobile app security.

Tom Lysemose Hansen is the founder and chief technology officer at Norwegian cybersecurity company Promon.

Founded by Hansen in 2006, Oslo-headquartered Promon specialises in mobile app security, and has offices in the US, Germany, the UK, Asia Pacific, the Middle East and India.

According to Hansen – who recently spoke to us about the CrowdStrike outage – a lot of his work involves talking to customers and understanding the challenges they face, as well as working with the company’s development and product teams to drive the product strategy.

Here he discusses some major trends in mobile app security and his thoughts on the current threat landscape.

What are some of the biggest challenges you’re facing in the current IT landscape and how are you addressing them?

There’s a whole slew of threats facing the app security space, both internal and external. First, and perhaps unsurprisingly, security experts face a constant barrage of emerging malware threats as bad actors continue to experiment with new approaches and attack vectors. In the past year alone, Promon has uncovered two unique and innovative malware strains, FjordPhantom and Snowblind, both of which demonstrate how cybercriminals are constantly evolving their strategies.

Compounding this issue, another huge obstacle facing developers is a lack of resilience in mobile apps. In February, a Promon investigation uncovered that 93pc of the world’s most downloaded iOS apps cannot even defend against repackaging attacks – a threat which involves an adversary copying an app, modifying it and maliciously repackaging it to successfully run on a device.
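As an added illustration of one resilience layer against the repackaging attack described above (this is example code written for this article, not Promon's product or a snippet from the interview): an Android app can compare the SHA-256 of its own signing certificate with the value the developer pinned at build time, since a repackaged copy must be re-signed with the attacker's key. The pinned hash below is a constructed placeholder, and the helper names are assumptions.

```kotlin
import android.content.Context
import android.content.pm.PackageManager
import java.security.MessageDigest

// Constructed placeholder: replace with the SHA-256 of your real release signing certificate.
private const val EXPECTED_SIGNER_SHA256 =
    "0000000000000000000000000000000000000000000000000000000000000000"

/** Hex-encodes a byte array (lower-case). */
private fun ByteArray.toHex(): String = joinToString("") { "%02x".format(it) }

/**
 * Returns the SHA-256 hex digests of every certificate that signed the running APK.
 * Uses GET_SIGNING_CERTIFICATES (API 28+), which also reports the current signer
 * when APK Signature Scheme v3 key rotation is in use.
 */
fun currentSignerDigests(context: Context): List<String> {
    val info = context.packageManager.getPackageInfo(
        context.packageName,
        PackageManager.GET_SIGNING_CERTIFICATES
    )
    val signers = info.signingInfo?.apkContentsSigners ?: return emptyList()
    val sha256 = MessageDigest.getInstance("SHA-256")
    return signers.map { sha256.digest(it.toByteArray()).toHex() }
}

/**
 * True only if the APK is signed by exactly the expected release certificate.
 * Any repackaged build is re-signed with a different key, so its digest will not match.
 * MessageDigest.isEqual keeps the comparison constant-time.
 */
fun isSignedByExpectedKey(context: Context): Boolean {
    val digests = currentSignerDigests(context)
    if (digests.size != 1) return false          // multiple or missing signers: treat as tampered
    return MessageDigest.isEqual(
        digests[0].toByteArray(Charsets.US_ASCII),
        EXPECTED_SIGNER_SHA256.toByteArray(Charsets.US_ASCII)
    )
}
```

A check like this only raises the bar: an adversary who can repackage the app can also patch the check out, which is why the interview stresses layered, post-compile hardening rather than a single verification call.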

What are your thoughts on digital transformation in a broad sense within your industry? How are you addressing it in your company?

I see digital transformation as a pivotal force reshaping our industry, with profound implications for how we approach security. The widespread adoption of a mobile-first strategy is a testament to the growing importance of mobile applications as the primary interface between businesses and their customers. This shift is not just about convenience; it’s about meeting users where they are, which is increasingly on their mobile devices. However, this also introduces new security challenges that must be addressed proactively.

One significant aspect of digital transformation is the rise of AI and machine learning. These technologies are double-edged swords; they can be leveraged to enhance security, enabling more sophisticated threat detection and response, but they also empower adversaries to launch more advanced and automated attacks. We’ve conducted research, for example, into deobfuscation of code using AI.

Moreover, the broadening landscape of attack vectors is a direct consequence of the expanding digital ecosystem. With more devices, applications and services interconnected than ever before, the potential entry points for attackers have increased exponentially. To address this, we feel strongly that you have to look beyond your own application code. You have to look at the entire application environment, and how attackers approach applications both at rest (when they are not in use) and at runtime.

Ultimately, mobile apps are not static. You need to adapt a proactive security posture to ensure your mobile strategy is able to meet the evolving needs of your customers.

What big tech trends do you believe are changing the world and your industry specifically? Which of these trends are you most excited about and why?

Emerging technologies such as quantum computing and edge computing are accelerating rapidly and, while a threat, represent an opportunity for us as cybersecurity professionals to innovate.

Quantum computers threaten standard encryption models like RSA and ECC, which protect sensitive data including financial transactions and personal information. To combat this, the development and implementation of cryptographic algorithms that are quantum resistant, as well as other quantum-resistant measures, are indispensable to maintain a secure cyber environment.

Another growing technology that presents a new challenge for us is the growing use of edge computing within IoT devices such as smart home gadgets. These devices typically send their data to a large cloud server somewhere far away to be processed; but with edge computing, there’s a local server right in your home (or nearby) that can handle most of this data processing. While increasing reliability and saving on costs, the decentralised nature of edge computing demands consistent security measures across various nodes, including securing edge devices and communication channels. It is critical that security protocols at every node of the edge computing infrastructure are established, including regular updates, patch management and secure authentication methods to protect against distributed security threats.

Finally, there is the ever-present buzzword that is AI. While enhancing our own security features and services, AI can also be harnessed to create complex attacks, lower the barrier to entry for cybercriminals and write malicious code, which we must learn to mitigate against. AI can create increasingly human-like responses to requests, which can lead to widespread misinformation and disinformation that can deceive users into sharing sensitive and personal information.

What are your thoughts on how we can address the security challenges currently facing your industry?

The greatest challenge is one of awareness. Yes, most companies that distribute apps will rely on security specialists to bolster their defences; but cybersecurity is not often factored in during the early stages of development. We see so many apps that have no security at all. Remember, once the app leaves your premises, it’s fair game for attackers to download, analyse and find vulnerabilities. That’s one reason we focus on adding security post-compile. It means developers don’t have to be security experts. But the awareness still needs to be there.

Furthermore, the mobile app industry faces distinct challenges that set it apart from general app security. One major issue is platform diversity; mobile apps need to function seamlessly across various operating systems, primarily Android and iOS, each with its own security models. Additionally, device fragmentation complicates the deployment of security updates, leaving many devices vulnerable. User behaviour also plays a critical role, as individuals often download apps from untrusted sources or connect to unsecured networks, which can introduce significant risks.

Collaboration is also vital for improving mobile app security across the board. By working with other industry players, security researchers and regulatory bodies, we can develop comprehensive security standards and share threat intelligence. Compliance with regulations like GDPR and PCI DSS not only protects users but also enhances the credibility of mobile applications. Ultimately, a proactive and collaborative approach will help us stay ahead of evolving threats and safeguard user data effectively.