The State of Mobile App Security: Key Takeaways from 2022 Threat Report - Zimperium

Over the last few years, a major shift has occurred in how we use mobile devices and apps. Fundamentally, we continue to use our smartphones more and more. In the process, mobile apps continue to collect more sensitive personal and corporate data, while at the same time, mobile apps continue to get more vulnerable.

We’ve recently published our 2022 Global Mobile Threat Report, which offers extensive insights into the challenges today’s application security teams are confronting.

In this blog post, we’ll highlight some of the key takeaways from the report, specifically focusing on mobile application security. We will take a look at how usage and vulnerabilities are evolving and outline some of the key implications for enterprise security teams.

Mobile Apps: Massive Growth in Usage and Exposure

Today, the scope of the mobile app market is massive. In 2020, there were more than 218 billion app downloads.¹ By 2023, mobile apps are expected to generate annual revenue in excess of $935 billion, and apps in such areas as video streaming, gaming, and online fitness are all netting billions of dollars in revenue.²

Further, our usage of mobile phones for payments accounts for even larger revenues. In 2020, the mobile payments segment accounted for $1.3 trillion globally, and revenues were expected to climb to $1.7 trillion in 2021.³ Over the past several years, Android and iOS phones have begun to be used as point-of-sale (PoS) terminals, creating a major spike in contactless payment adoption and usage.

Mobile applications have come to impact just about every aspect of our lives, from how we think about managing our health and wellness to how we consume digital and physical goods.

Plus, it isn’t just the frequency but the way we’re using mobile apps that is changing. It wasn’t too long ago that our smartphones were for personal use, and our corporate laptops were for work. Today, it is safe to say those boundaries have blurred into oblivion. Within enterprises, continued innovations in mobile applications play an integral role in digital transformation and most any other strategic initiative or service.

For enterprise security teams, these shifts have fundamental, massive implications—implications for which many teams aren’t prepared to contend.

Evolving Development Approaches: The Benefits and Risks

In their quest to accelerate innovation in the mobile application arena, teams continue to evolve their development approaches. Following are a few examples:

• Low-code and no-code approaches. To speed development and reduce the reliance on limited development expertise, teams continue to shift to no-code and low-code approaches. In the process, development is increasingly moving from writing code to assembling and integrating open-source and third-party components.
• Hybrid apps. Teams are employing hybrid app approaches, which enables them to manage a single code base that can run on both Android and iOS.
• Progressive web applications. Through these approaches, teams can evolve their web apps so they look and function like native mobile apps, while also affording teams the ability to work with a single code base.

However, while these approaches offer powerful benefits in efficiency and agility, they also present significant hurdles for the teams looking to secure data and code. For example, many hybrid apps lack critical software development kits (SDKs) and other tools required for securing code effectively. Also, without the proper mechanisms in place, the ease of leveraging external, open-source components can just as easily introduce a number of exploitable vulnerabilities.

The upshot is that the focus on speeding time to market has resulted in an exponentially larger attack surface and significant supply chain risk. Apps contain more third-party code, process more sensitive data, and access more critical enterprise infrastructure than ever before. For all these reasons, resource-constrained app security teams struggle to keep pace and scale.

The Risks Posed by Emerging Technologies

While security teams have their hands full, several factors are serving to increase the pressure:

• 5G. In recent years, mobile device usage has grown dramatically, and therefore the volume of sensitive data being collected and shared continues to see explosive growth as well. The increasing rollout of 5G communications networks will only accelerate and magnify this proliferation. These networks are capable of delivering higher data transfer speeds with lower latency. By the end of 2024, it is predicted that 5G will handle 25% of all mobile data traffic.⁴ The result? Even more sensitive data being collected, transmitted, and stored gives cybercriminals even more data to target.
• Misconfigured cloud services. In an investigation into 23 mobile apps, researchers found that data of more than 100 million users was exposed.⁵ How? Developers failed to configure their third-party cloud services properly. Based on our analysis of more than 1.3 million Android and iOS apps, we found that 131,000 used public cloud services in their backend, and 14% of those apps had misconfigurations that exposed users’ personal information.⁶
• QR codes. Initially unveiled in the 1990s, QR Codes aren’t new—however, their usage grew dramatically in recent years, particularly as consumers and businesses adapted to the pandemic. Given this growth in usage, cybercriminals have taken note. In order to steal a victim’s financial information or other sensitive data, these threat actors are tampering with or deploying their own QR codes and compromising devices through the use of malicious applications.

Conclusion

The insights above give you a glimpse of the extensive findings offered in the 2022 Global Mobile Threat Report. Read our threat report to understand the evolving mobile app security landscape and gain key insights into how you can begin to ensure your security capabilities and policies are aligned with these new realities.

This year’s report features an expert analysis of mobile threat data from the field, including prominent attack vectors, regional trends, evolving vulnerabilities, phishing developments, and malware advancements. To learn more about mobile security threats and how to guard against them, download the 2022 Global Mobile Threat Report.

1. TechJury, “55+ Jaw Dropping App Usage Statistics in 2022,” 2022, https://techjury.net/blog/app-usage-statistics/#gref
2.  Statista, “Mobile app revenue worldwide 2017–2025, by segment,” 2021, https://www.statista.com/forecasts/1262892/mobile-app-revenue-worldwide-by-segment
3.  Curry, D., Business of Apps, “Mobile Payments App Revenue and Usage Statistics (2022),” January 11, 2022, https://www.businessofapps.com/data/mobile-payments-app-market/
4.  Ericsson, “5G estimated to reach 1.5 billion subscriptions in 2024 – Ericsson Mobility Report, 2018,. Telefonaktiebolaget LM Ericsson. https://www.ericsson.com/en/press-releases/2018/11/5g-estimated-to-reach-1.5-billion-subscriptionsin-2024–ericsson-mobility-report
5.  Sharma, M., TechRadar, “Android apps put data of 100 million Google Play Store users at risk,” May 20, 2021, https://www.techradar.com/uk/news/android-apps-put-data-of-100-million-google-play-store-users-at-risk
6.  Newman, L. H., Wired, “Thousands of Android and iOS Apps Leak Data From the Cloud,” March 4, 2021, https://www.wired.com/story/ios-android-leaky-apps-cloud/