The marketplace for mobile apps is a broad and highly competitive one. There are millions of apps available on Apple’s App Store, Google Play, and within private enterprise app stores. Expanding market demands continue to drive the pressure to innovate. New iOS and Android updates and mobile device releases, along with myriad apps from companies vying for their customers’ attention, are creating shorter app release cycles.

The process of releasing apps quickly to assuage market demands can lead to security issues. Bringing apps to market quickly, while trying to deliver that all-important optimal user experience, often has mixed results that can actually create negative user experiences. Mobile app developers must have the proper balance of delivery with the assurance of security and privacy built in from the start.

Cloud-native development with flexible software architectures can meet fast time-to-market goals, but still requires proper security testing. Conversely, legacy processes with code written without unit testing can take months, which is unacceptable in today’s digital world. New apps, developed to compete in today’s era of digital transformation, regardless of development process, require rigorous security testing.

When it comes to the user experience, app security is as important as usability. If security is too arduous and time-consuming, users will abandon apps. If security testing takes too much time and becomes unmanageable, developers will limit their testing regimen.

Leaky apps put businesses and consumers at risk

According to the Verizon Mobile Security Index 2021 report, one in twenty-five apps downloaded from public and private app stores leak sensitive credentials, email addresses, user IDs, credit card information, and location data. Bad coding and shortcutting on security testing are partially responsible for this. Additionally, over half of the Verizon report respondents said cybersecurity challenges hold back their digital transformation initiatives. Market pressures continue to work against development cycles. For many enterprises, the mounting pressure to continuously deliver new apps and updates has put time-to-market, and security and privacy, at odds. This can mean choosing between time-to-market and security, which often comes down to limiting app security testing.

For companies to remain competitive, their developers must meet rapid time-to-market requirements, while delivering mobile apps with solid security and privacy. The costs of not fully testing mobile apps can easily outweigh the costs of proper testing. Catching bugs in the earliest stages of the software development life cycle, or SDLC, can save money, brand equity, and user loyalty, compared to implementing security fixes after apps are in the hands of users.

The high cost of shortcuts

Sacrificing the effort necessary to provide a secure user experience is like "throwing the baby out with the bathwater." Security is one of the most important functions of a mobile app. Shortcuts taken to speed up the process are one of the problem areas within DevSecOps and Agile development processes. Unfortunately, vulnerability testing is often one of the security testing functions that gets pared down, or eliminated completely. A similar issue can occur with no-code and low-code development, where companies have little to no visibility into the SDLC or DevSecOps process, because it’s outsourced to third-party software developers.

Processes and solutions for secure app development

Agile software development methods and continuous integration and delivery, or CI/CD, help bridge the gaps between development and operational activities by automating the building, testing and deploying of apps.

Automation can help developers properly balance time-to-market delivery with effective security testing. The SDLC is the process of planning, creating, testing, and deploying an application. It consists of six stages, including requirement analysis, design, development and testing, implementation, documentation, and evaluation. The idea behind SDLC, and for that matter DevSecOps, is that apps need security built into their development from inception.

Software development engineers are tasked with using any and all prescribed secure development tools at their disposal to unit test software. For example, penetration testing can be accomplished by installing the app within customer-duplicated environments and running tools like Rapid7, Burp Suite, and Nessus vulnerability scanners, and fuzzer tools like Synopsys Codenomicon, HCL AppScan and others, to discover vulnerabilities before apps are released.

Developing secure mobile apps requires a synergistic ecosystem

Many enterprises develop their own mobile apps in-house, or use third-party software services. Mobile apps continue to grow unabated, with powerful new capabilities. The need to quickly release them can put development teams in precarious positions. Even with security tools available, they don’t always use them. The gap between developing and testing app security, versus how quickly organizations can get them in front of their users, is a growing divide.

There is no single product or development process solution. It is a matter of being deeply committed to providing secure apps that protect business assets and user privacy. This is ultimately what is best for all concerned parties. This includes companies that need to protect their systems and data, DevSecOps teams that need to appropriately manage the product lifecycles, and users that depend on secure apps to protect their data.

How can Ivanti help? Ivanti incapptic Connect employs the zScan feature that will scan the iOS or Android app for security and privacy vulnerabilities before the app gets distributed for public consumption.