By Jan Sysmans, Mobile App Security Evangelist at Appdome

Across the Philippines, more people are embracing mobile phones and apps as their personal digital companions. A DataReportal report finds that the number of active cellular mobile connections shot up to 168.3 million in the early part of this year. This number has exceeded the country’s total population, which stands at 116.5 million.

For DevOps teams, speed alone isn’t going to cut it when it comes to delivering a user-first mobile experience. App makers also need mobile security to protect users from all manner of attacks, ranging from mobile fraud to on-device malware to man-in-the-middle (MitM) attacks. Our own survey even find that it as one of the most sought-after features by Filipino mobile users, with 52.8 percent wanting the best security for the apps they use. Those that are capable of robust protection were also found to garner more confidence and trust, with over 95 percent of respondents saying they would be more likely to promote apps with these built-in features.

However, due to the clash of priorities between developers and security teams, apps can often lack the required safeguards to stand up to the ever-changing threat landscape. The good news is that this issue is not impossible to rectify and, in fact, security can be integrated without making changes to the entire DevOps process.

Why mobile security often takes a backseat

At the heart of this mismatch stands the fact that, while app building is automated – thanks to build systems like Azure DevOps, GitHub and Jenkins – integrating security features is largely done through manual coding. Even with the assistance of software development kits (SDKs), the process is still delicate, time-consuming, and not guaranteed to provide the intended outcome.

This, coupled with mobile security solutions’ inability to be integrated with the entire DevOps cycle, pushes the building and testing of protection features down the priority scale. As a result, apps are released to the public with a plethora of vulnerabilities that cybercriminals can easily exploit.

Integrating mobile security into the build system

Protecting mobile apps requires DevOps teams to adopt a shift-left model in which security features like anti-fraud, anti-tampering, and anti-malware algorithms are built early in the development cycle. To achieve this, service providers require an automated mobile security solution that acts just like a build system. Preferably, it should be able to create services without the need for coding and have application programming interfaces (APIs) that can be seamlessly integrated with popular CI/CD tools, including GitLab, Bitrise, and Circle CI.

The solution should also work with Ops tools like FastLane to facilitate the publication of approved release versions to the public within the release schedule. This way, developers will be able to deliver both security and timeliness, giving users more confidence to utilize the apps for their own benefit.

Giving Security Teams a Seat at the DevOps Table

With threats evolving rapidly to inflict the most damage, the need to give security the same visibility, management, and control as developers is greater than ever. What this means is that security teams need to have a place in the mobile app development process in order to build and upgrade protection features for every new release version. Besides that, security teams also need to be able to:

• Audit, review, and record the effectiveness of protection measures across Android and iOS apps.
• Control what security solutions they want to integrate, including runtime application self-protection (RASP), anti-fraud, anti-malware, anti-overlay, keylogging prevention, jailbreak and root detection, and code obfuscation.
• Work with other developer tools, such as CI/CD pipelines, testing suites, and crash reporting, among others.
• Ensure comprehensive protection against breaches and tampering with security protocols that are compliant with local and global regulations.

With security release management, teams will be able to create and test features at breakneck speed without the added complexity that comes from traditionally enabling protection in the later stages. Simultaneously, developers can also scan and identify vulnerabilities early on, giving them the necessary breathing room to patch systems before release.

When choosing the right security release management solution, it is important to consider those that empower developers with greater control over their security releases. This can be made possible through features like mobile protection templates, version controls, team workspaces, automated app signing, and security model freezing and verification. To guarantee the best protection for mobile users, service providers should also review their security certifications to ensure they meet the highest compliance standards of industry-leading governing bodies and agencies.

Cybercriminals show no signs of slowing down their attacks against mobile apps. Neither should app makers when it comes to reinforcing service resilience. By integrating security early on in the development process, app makers will be able to reduce their attack surface, improve their service experience, and maximize user retention.