Whether you are a brand new company bringing a mobile-centric digital service to market, or an established company introducing a new mobile offering, there will - hopefully - come a time when someone asks “When do we add security into our app and onto our APIs?” In this article we explore this question and provide some guidance on how to reach the right conclusion for your business.
Clearly, after launching a new company or a new digital product, there is an understandable desire to grow the revenue associated with the business as quickly as possible. Developing and deploying new features to enhance the launch capabilities of the product based on customer feedback is usually the number one priority. After all, once your brilliant new idea is on the market then the clock is ticking for your competitors to create their version of your idea. You’ll be feeling the pressure to capitalize on your first mover advantage and stay ahead of those pesky wannabes.
Security will be on your mind too, but it may naturally find itself permanently outside your top five list of things to do. After all, until your business reaches critical mass there is no reason for hackers to pay attention to it, right?
Well, let’s think this through…
Looking Through a Technical Lens
The Development team and the DevOps teams will of course be aware of the need to have good security in their mobile apps and their associated APIs. It will be in the back of their minds but deployment of base functionality, dealing with early customer feedback and producing advanced features will be in the front of their minds. And they will be regularly encouraged and reminded of this by management too.
Therefore, they will tell themselves that it is OK to delay implementing security because:
- There are very few downloads of your mobile app from the app stores
- Your service has not been widely launched yet, so no one knows about your APIs
- There is limited sensitive data at risk on your platform because there are few customers using it
However, Developers and DevOps engineers need to reconsider their position. If the mobile app can be downloaded from the app stores then attackers can download it too, and they can take as long as they like to reverse engineer your code, recover any API keys or other credentials embedded in it, and study your API protocol. Likewise, APIs and endpoints on the Internet are easy to discover even if you have not told anyone about them (the app itself reveals them, and so do DNS records and public TLS certificate logs), and they will be probed and tested.
Figure 1: Mobile Apps: Gifts that keep on giving (source: Approov.io)
Even in the early days of the development and deployment of your mobile platform, you are already exposing business logic, credentials and communication protocols to the world. It’s important for stakeholders to realize this and to reconsider the priority of adding best practice security layers.
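To make the technical point concrete, here is an added example (not code from the original article or from Approov) showing how little effort it takes to pull embedded secrets and API endpoints out of a published app package. An APK is just a zip archive, so the script builds a small constructed stand-in (the file names, key and URLs are invented for the demonstration) and then scans every entry for URLs and credential-like name/value pairs, attaching a Shannon entropy score to help separate real keys from ordinary strings.

```python
import io
import math
import re
import zipfile
from collections import Counter

# Patterns an attacker typically greps for first: endpoints the app talks to,
# and credential-like name/value pairs in resources, assets or compiled code.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
SECRET_RE = re.compile(
    rb"(?i)(api[_-]?key|client[_-]?secret|secret|token)"  # credential-ish name
    rb"[\"'=:\s>]{1,4}"                                     # separator (XML/JSON/etc.)
    rb"([A-Za-z0-9_.\-]{16,})"                              # the value itself
)


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score high, human words score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def build_sample_apk() -> bytes:
    """Constructed stand-in for a downloaded APK (an APK is a zip archive).
    Every file name, key and URL below is invented for this demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(
            "res/values/strings.xml",
            '<resources><string name="api_key">c3fd1a8e9b2047d6a1f5e8c4b7d2a9f1</string></resources>',
        )
        z.writestr(
            "assets/config.json",
            '{"base_url": "https://api.example.com/v1", "client_secret": "sk_test_fakeSecretValue0123456789"}',
        )
        # Compiled code still carries its string constants in the clear.
        z.writestr(
            "classes.dex",
            b"dex\n035\x00" + b"\x00" * 8
            + b"https://api.example.com/v1/orders\x00X-Api-Key\x00",
        )
    return buf.getvalue()


def find_secrets(apk_bytes: bytes) -> list:
    """Scan every entry of the package and return URL and credential findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            data = z.read(name)
            for m in URL_RE.finditer(data):
                findings.append({"file": name, "kind": "url", "name": "",
                                 "value": m.group(0).decode("ascii", "replace"),
                                 "entropy": 0.0})
            for m in SECRET_RE.finditer(data):
                value = m.group(2).decode("ascii", "replace")
                findings.append({"file": name, "kind": "secret",
                                 "name": m.group(1).decode("ascii", "replace"),
                                 "value": value,
                                 "entropy": round(shannon_entropy(value), 2)})
    return findings


if __name__ == "__main__":
    for f in find_secrets(build_sample_apk()):
        print(f"{f['file']:<24} {f['kind']:<7} {f['name']:<14} {f['value']}  entropy={f['entropy']}")
```

Against a real package, replace `build_sample_apk()` with the bytes of the downloaded `.apk`. A thorough review would also decompile the DEX code with a tool such as jadx, but even this raw byte scan recovers the base URL and the key the app needs to talk to your API, which is exactly what the attacker described above is looking for, and it takes seconds rather than the weeks of effort the "nobody is looking at us yet" argument assumes.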
Looking Through a Commercial Lens
The Sales and Marketing teams may be less aware of the specific security threats associated with running a mobile-centric business, but they will certainly acknowledge that fraud and data scraping are bad for the business, even if they rarely ask the difficult questions about what mitigations are in place. When they do think about security arrangements, they will quickly conclude that these can be dealt with ‘later’ because:
- Nobody will attack a business with very few customers and transactions
- Heightened security will probably create friction for end users; highly undesirable when there is 100% focus on customer acquisition and retention
- Return on investment calculations for new features will always look more attractive than similar analysis of the benefits of implementing better security
Even if the bad actors don’t attack you today, they are already preparing and will be ready to apply their scripts and bots against your platform at the worst possible moment for you, e.g. in the middle of your launch or during a critical time period such as Black Friday.
So What’s the Right Answer?
The adoption of security products is usually presented as an insurance policy: it provides cover against attacks which cause business disruption through service downtime, or brand damage through data breaches. This is well understood.
What is less well understood is that implementing state-of-the-art security best practices can directly and specifically make attackers give up and go somewhere else. Yes, these bad actors are smart and resourceful. But they are also efficient and pragmatic. Let’s imagine that your closest competitor has excellent security in place and you have average security within your offering - which business do you think the attackers will target? Of course they will look at both, but they will always, with very few exceptions, go for the lowest hanging fruit. It makes sense, doesn’t it?
The bottom line is that using good quality security solutions has the short term and immediate benefit of diverting bad actors away from your business and towards the many other businesses who still have security at #8 on their ‘to do’ priority list. That fact, coupled with the clear commercial and operational benefits to your business of being well protected, shows that it’s never too early to add security layers to your shiny new mobile app and the APIs that service it.
If you have found this article useful, check out our companion article, which explains how to add security to your new mobile app.