How Secure is Mobile App Development? Security Taking Backseat as Businesses Rush to Capture Market
Even as India adopts mobility at a very rapid pace, there are basic concerns that have not been addressed. While people are busy building, developing and selling mobile applications, the fact that these applications are dealing with sensitive customer data seems to have taken a back seat. Lack of customer awareness and privacy legislation means that organizations pay scant attention to privacy principles and security requirements, as demonstrated in a recent case of customer data exposure by Meru Cabs (see: Meru Cabs: Customer Data Exposed).
"To meet this ever increasing demand for app platforms, numerous companies have mushroomed that provide ready-made app frameworks and e-commerce business platforms; these are generic, modular, and come with all kinds of integrations built in," says Dhananjay Rokde, prominent security thought leader and ex-CISO. "With a bit of customization, companies can roll out apps in as little as 48 hours today."
The obvious downside is extremely poor security -- both in the app and in the development process. Moreover, these frameworks are generic business platforms that are being proliferated to anyone with a mobile e-commerce requirement, which means that the inherent flaws and baked-in vulnerabilities are being hawked across the industry, he says (see: Meru Cabs: Mobile Security Lessons).
Even in enterprises with an internal development team, convenience, new features and time-to-market always take precedence over security. These teams are working against tight, competitive deadlines, rushing to build in new features at every opportunity, with security successively relegated to the last priority until it becomes the elephant in the room. By then it could possibly be too late or too difficult to bolt security on, he says.
"Capturing the user-base and profits always come first, with little or no AppSec practices being adhered to," Rokde says. "Besides, just AppSec testing on the app is never enough. The entire app ecosystem, logic, third-party touch points, all need to be tested and audited to really guarantee security to the consumer."
Organizations operating mobile e-commerce platforms need to start taking more responsibility, and consumers need to stop turning a blind eye before it's too late, asserts Rokde in this exclusive interview with Information Security Media Group. Rokde dives deep into the security aspects of the current mobile app ecosystem as it exists in India, in addition to sharing insight on:
- Why AppSec alone will never take care of end-to-end security;
- Some outcomes of the lack of consumer awareness and privacy legislation;
- Recommendations for organizations looking to improve mobile app security.
Rokde, the former CISO of the Cox & Kings Group, is an information security professional with several years of experience in operations, remote support, consultancy and business management. He has extensive experience managing global security programs and has worked on enterprise information security projects for large FMCG, BFSI, NBFC, LPO, KPO and BPO organizations globally. He is a frequent speaker at industry events.