Mobile app developers need to protect SDKs
Chris Roeckl, Chief of Product, Appdome, shares trends for the mobile app economy:
What's mobile app usage like today?
Mobile apps are fully entrenched in the daily lives of consumers. In fact, in the 4th edition of Appdome’s Global Consumer Survey on Mobile App Security, the preference for mobile apps is at the highest level ever. Fifty-five percent (55.3%) of global consumers say they use mobile applications more than web, dwarfing preference for online/web at 22.5%.
Furthermore, 63.4% of consumers globally — again the highest level ever — say that they use more than six mobile apps weekly. It’s clear that mobile apps have become more interconnected due to the increasing reliance on various transaction systems, APIs, and third-party services that facilitate seamless user experiences.
Consumers now expect their apps to provide a cohesive and integrated experience, whether it's for payments, social media, or other daily tasks. This interconnectedness is driven by the need to share data across multiple platforms and services to enhance functionality and personalisation.
For instance, an e-commerce app might integrate payment gateways, social media logins, and location-based services to streamline the user experience. However, this growing interconnection also introduces new security challenges, as each integrated service becomes a potential entry point for cyberthreats. Ensuring the security and integrity of these interconnected systems is crucial to maintaining user trust and safeguarding sensitive data.
Why are software development kits (SDKs) both key and a risk to app development?
SDKs are essential tools that developers use to add functionality to their mobile apps without building these capabilities from scratch. SDKs can provide various features, such as analytics, advertising, payment processing, and more.
By integrating SDKs, developers can significantly reduce development time and focus on core app features, leveraging the expertise encapsulated in these kits. As a result, mobile developers are steadily increasing their use of SDKs in their app development cycles. Research found that in 2023, the average iOS app used 72 SDKs and the average Android app used 65 SDKs.
However, the widespread use of SDKs also introduces security risks, as they can be targets for reverse engineering, data interception, and other attacks. Protecting SDKs is crucial to maintaining the security and reliability of the apps they support, ensuring that sensitive data and intellectual property remain safeguarded.
It is critical for the health of the SDK ecosystem here in Southeast Asia that SDK developers have access to a strong automated defense solution to protect their SDKs against disruption, reverse engineering, and exploitation by Trojans and other bad actors. This will provide assurance to mobile brands regarding the integrity of financial transactions and the protection of consumers' personally-identifiable information (PII) data when their SDKs are used.
What are some of the other risks associated with the growing web of mobile apps and functions?
As mobile apps and their functions proliferate, several risks emerge that pose significant challenges to security and user trust. Mobile SDKs, which are integral to the functionality of these apps, face threats such as reverse engineering and data interception. Attackers often decompile SDKs to steal intellectual property or exploit vulnerabilities, necessitating robust obfuscation and encryption techniques.
Additionally, sensitive data transmitted via mobile apps is at risk of interception, making encryption both at rest and in transit essential. The prevalence of rooted or jail-broken devices further exacerbates security concerns, as these devices can bypass standard protections, increasing the likelihood of unauthorised transactions and data breaches.
Regulatory bodies like Visa and EMVCo mandate that transactions on such compromised devices be blocked, highlighting the importance of real-time monitoring and compliance. To mitigate these risks, real-time threat detection and response systems are crucial. These systems provide immediate visibility into security incidents, allowing for the swift validation or denial of transactions, thus preventing fraud and ensuring regulatory compliance.
Automated solutions have simplified the implementation of these security measures, reducing the burden on developers and enabling them to maintain high standards of app security and user experience.
Do SDKs need more protection?
SDKs are often not adequately protected because many developers prioritise functionality and ease of integration over security. This oversight, combined with the assumption that SDK providers have built-in security measures, can lead to a false sense of security.
However, unprotected SDKs are targets for reverse engineering, data interception, and other malicious activities, compromising the app’s security and exposing sensitive user data. Protecting SDKs is crucial to preventing these threats and ensuring the integrity of mobile apps. Encrypting data within SDKs, implementing obfuscation techniques, and using real-time threat monitoring can help safeguard against potential attacks.
Ensuring SDK security not only protects the app and its users but also helps maintain compliance with regulatory standards and builds consumer trust. This protection is crucial for maintaining trust and security in high-stakes environments like financial services, where the safety of transactions and sensitive data is critical. Implementing advanced protection measures is essential for safeguarding SDKs and ensuring the overall security and reliability of mobile applications.
How can businesses ensure that their apps remain effective and trustworthy?
By implementing comprehensive security measures and maintaining a focus on user experience. Key steps include securing SDKs through encryption and obfuscation, performing regular security audits, and staying updated with the latest threat intelligence. Real-time threat monitoring and response capabilities are also essential to detect and mitigate attacks promptly.
Additionally, businesses should comply with regulatory requirements and industry standards to protect user data and privacy. Investing in automated security solutions can help streamline these processes, allowing developers to focus on delivering high-quality, user-friendly apps.
By prioritising security and continuously improving their defenses, businesses can build and maintain consumer trust while providing effective and reliable mobile experiences.
Any predictions for 2H24?
For the latter half of 2024, we expect to see an increased emphasis on real-time threat detection and response in mobile app security. The use of generative AI (gen AI) to enhance security measures will continue to grow, providing more sophisticated and adaptive threat resolution capabilities. Additionally, there will be a greater focus on securing interconnected systems and third-party integrations as the complexity and interdependence of mobile apps increase.
Regulatory scrutiny will likely intensify, driving businesses to adopt more stringent compliance measures and robust security practices. We can also anticipate advancements in automated security solutions, making it easier for developers to implement comprehensive protections with minimal manual effort.
Overall, staying ahead of evolving threats and regulatory demands will be key trends as the mobile app economy continues to expand and evolve.
*Appdome’s SDKProtect provides an automated defense solution that shields SDKs from tampering, reverse engineering, and exploitation.