
'Mobile First' is for Mobile Secrets, Too


This is the second article in a guest blog series from Intellyx. You can read the first article here.

Organizations, such as the Citi Consumer Bank when I was head of security architecture there, adopt a “mobile first” approach to application development. 

“Mobile first” means first developing a mobile application that delivers a great customer experience, and only later developing other customer-facing applications (such as a web app). This reflects the growing importance of mobile applications in attracting new customers and retaining existing ones. But it also means that securing mobile devices is growing in importance.

Organizations should seriously consider prioritizing their cybersecurity programs on mobile devices. Mobile security is often viewed as one part of the overall security program, an important part of course, but not often as the first priority.

Because mobile application adoption rates continue to grow, and mobile devices are connecting to more and more server side APIs, it makes sense to consider prioritizing security on the mobile app.  

What does “mobile first” mean for cybersecurity?

Generally speaking, it means making sure you lock down your mobile apps before you make sure you lock down your server apps. 

Most organizations take the opposite view, and not surprisingly, because the server apps and the data they manage represent an organization's crown jewels. 

However, greater use of mobile devices means a greater risk of an incident or breach involving the APIs that access these server apps.

It’s understandable that many organizations' security policies focus primarily on protecting the server side apps.

However, a mobile device has the secret key to the front door, as it were – the key to the server side APIs. 

The more mobile devices become part of daily life, the more they become significant sources of risk to those server side apps.

Switching the focus from the server side to the mobile device 

“Mobile first” typically emphasizes the customer experience. After all, that’s how consumers tend to judge a business such as a bank these days. 

However, a good customer experience relies upon the responsiveness of the server side APIs that exchange data to and from the mobile app. Any trouble with these APIs, such as a delayed or missing response, and the app is in trouble - no matter how smooth the UX.

And because of the growing number of server side APIs, the security exposure is also growing. Many of these APIs are not locked down properly. 

These APIs often don’t have usernames and passwords and their access keys may be all too easily stolen from mobile device files, server side files, or mobile application source code (which can be decompiled to retrieve them).

The risk of unprotected APIs

As mentioned previously, great customer experiences depend on great APIs. That’s why there is so much investment in the industry now on solutions for API design, API analytics, API management, API testing, and of course API security. 

But how do we know all the APIs are really secure? As much as half of them are not even protected with usernames and passwords.

Many organizations may view the challenge of protecting mobile application secrets as a mobile-only challenge, or think about it in the context of how best to deliver a great user experience (i.e. focusing only on secrets visible to the user).

But a secret isn't a secret if everyone knows it, or more importantly if anyone can access it easily.

Protecting mobile device secrets

API keys are the secrets that can open locked doors to server side data. That makes them the most important secrets a mobile device holds.

Furthermore, organizations often assign privileged accounts to APIs. Hackers breaking into privileged accounts are the ones who create massive breaches and incidents. 

The attack surface of the mobile device is constantly growing because of the explosion of APIs accessible via the Internet. Not protecting API keys is like putting all your money in a safe place in the home but not locking the front door.

Ironically, the same people who would never consider exposing a database secret often don’t think as much about protecting mobile device API secrets.

What can you do about it?

Manage API keys independently from mobile device applications, for a start, the way you would think about managing database secrets independently from server side apps.
  
Lock up API keys in a secrets vault stored in the cloud. Take the API keys out of the mobile app code and manage them independently and access them dynamically as needed, “just in time.”

Maintain, update, and cycle them safely, with strong governance. Replace them immediately if anyone steals them. 

Use a solution such as Approov Runtime Secrets which allows API keys and other secrets to be completely removed from the app package shipped to the app store. 

Instead, deliver secrets securely to valid app instances at runtime, improving the security posture and significantly enhancing operational flexibility.

The Approov service delivers secrets “just-in-time” to the app only at the moment they are required to make an API call, and only when the app and its runtime environment have passed attestation.

Stolen secrets can immediately be rotated without any service interruption and without having to update the apps.
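As an added illustration of the just-in-time pattern described above (hypothetical code written for this article, not Approov's own service or API): an attestation service signs a short-lived claim about a running app instance, and a server-side vault releases the current API key only against a valid claim, so rotating a stolen key changes nothing in the shipped app. The signing key, app id and key names are constructed sample values.

```python
# Added illustration of just-in-time secret delivery gated on attestation.
# Hypothetical code, not Approov's API: the API key lives only server-side, is
# released per request to holders of a valid attestation token, and rotates freely.
import base64
import hashlib
import hmac
import json

ATTESTER_KEY = b"constructed-attester-signing-key"  # constructed sample, not a real key


def issue_attestation(app_id: str, passed: bool, now: float, ttl: int = 300) -> str:
    """Attestation service side: sign claims about one running app instance."""
    body = json.dumps({"app": app_id, "ok": passed, "exp": now + ttl}, sort_keys=True).encode()
    sig = hmac.new(ATTESTER_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(sig).decode()


def verify_attestation(token: str, now: float) -> dict:
    """Vault side: reject malformed, forged, expired or failed attestations."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError):
        raise PermissionError("malformed token")
    expected = hmac.new(ATTESTER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("bad signature")
    claims = json.loads(body)
    if claims["exp"] <= now:
        raise PermissionError("expired")
    if not claims["ok"]:
        raise PermissionError("attestation failed")
    return claims


class SecretVault:
    """Holds API keys server-side; nothing is baked into the app package."""

    def __init__(self) -> None:
        self._secrets = {}

    def rotate(self, name: str, new_value: str) -> None:
        # A stolen key is replaced here; every later fetch gets the new value.
        self._secrets[name] = new_value

    def fetch(self, name: str, token: str, now: float) -> str:
        verify_attestation(token, now)  # raises PermissionError unless valid
        return self._secrets[name]
```

The same attestation token fetches the rotated value, which is what lets a compromised key be replaced without an app store update.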

The Intellyx Take

As the ecommerce balance shifts more and more to mobile devices, it makes more and more sense to think about mobile device secrets the same way we think about server side secrets, such as database usernames and passwords, and improve how we protect mobile device secrets, especially API keys.

But for mobile devices it’s not yet common practice, although it probably should be. API keys are quickly becoming one of the most important protection mechanisms for mobile apps and for APIs in general. 

Yet all too often these sensitive and important APIs are not given the protection they deserve and require to avoid incidents and breaches.

A solution such as the one from Approov, which stores API keys securely in the cloud and downloads them to the mobile device on demand, only when needed, goes a long way toward closing this important security gap.

Copyright © Intellyx LLC. Intellyx is solely responsible for the content of this article. As of the time of writing, Approov is an Intellyx customer. No AI chatbots were used to write this content.

Eric Newcomer

Eric Newcomer is Principal Analyst and CTO at Intellyx, a technology analysis firm focused on enterprise digital transformation.

He previously served as CTO at WSO2 and at IONA, led Security Architecture for Citi’s consumer banking and was Chief Architect for Citi and Credit Suisse’s trade and investment divisions.

Eric is an internationally recognized expert in transaction processing, integration and cloud migration, having contributed to many industry standards including OSGi, Eclipse, SOAP, WSDL, UDDI, AMQP and more. His textbooks, including Principles of Transaction Processing, Understanding Web Services, and Understanding SOA with Web Services are used at universities around the world.