Jon Samsel, SVP Global Marketing at Verimatrix, recently sat down with Keir Storrie, Senior Android and iOS Cybersecurity Pre-Sales Engineer at Verimatrix. They discussed what’s happening in mobile app protection, compliance rules, and more.

Protecting Android and iOS apps

Jon: Keir, thanks for joining me today. Securing mobile apps seems to be a hot topic these days—what’s driving the uptick in conversations?

Keir: It’s several things:

  1. New rules: Industries like fintech, ecommerce, and manufacturing have lots of new compliance regulations to follow—some even make app security mandatory.
  2. Passing pentests: More businesses need their Android and iOS apps to pass security audits and penetration tests to stay compliant.
  3. Data protection: Apps are handling more personal and financial data than ever, so keeping it safe is crucial.
  4. Reputation risks: A security breach can really harm a company’s brand and trust with customers.
  5. Rising threats: Criminals are constantly coming up with new ways to exploit vulnerabilities, and mobile apps often end up being easy targets.

Jon: How are compliance requirements shaping app security across different industries?

Keir: App protection is being impacted all over the world, across multiple industries, such as:

  • Fintech and banking: Mobile apps that handle payments and other financial transactions need to comply with rules like DORA and PCI-DSS.
  • Automotive: Self-driving and connected vehicles are often powered by apps, and the safety and security standards surrounding these apps can have life & death consequences if exploited.
  • Aerospace & aviation: Mobile apps in this sector manage a wide range of critical tasks, including navigation, weather monitoring, flight operations, crew management, passenger services, and more.

Jon: What’s happening with penetration testing? Why does it seem to be growing in importance?

Keir: Pentesting, which is basically simulating a cyber attack to find weaknesses, is crucial because:

  • It helps spot vulnerabilities before real attackers do.
  • It’s an essential part of the app security audit approval process.
  • It provides another security layer that’s critical for building trust.

Jon: What sensitive data do apps handle?

Keir: More sensitive information passes through apps than ever before.

  • Location data
  • Patient record data
  • Personally identifiable information (PII)
  • Corporate IP
  • Money transfer and financial transactions

Apps are valuable targets for bad actors, which makes securing them extremely important.

New & existing regulations

Jon: Let’s discuss the changing regulatory environment. What’s new, or at least on the minds of app developers these days?

Keir: It’s a complex and growing list of rules and regulations to navigate.

  1. DORA: The Digital Operational Resilience Act in Europe, which goes into effect in January 2025, is all about building more resilience into the financial sector, impacting apps, APIs, and the web.
  2. CISA OMB Attestation Mandate: Designed to enforce cybersecurity standards for software suppliers to U.S. federal agencies.
  3. DMA: The Digital Markets Act in the EU regulates the big digital platforms to try to bring fair competition to the table, including provisions for integration of third-party app marketplaces.
  4. CRA: Europe’s Cyber Resilience Act sets high security standards across digital products, including mobile apps.
  5. GDPR: GDPR impacts apps handling EU citizens’ data.
  6. PSD2: Apps involved in financial transactions in the EU are impacted by this law.

Jon: Are these regulations impacting the day-to-day lives of app developers?

Keir: That’s what developers tell me. Here are some ways people are being impacted:

  • Costs are rising: Adding security, conducting pentesting, and ensuring compliance can add time and money spent on development.
  • More cyber-focused resources required: Developers now need to work more with legal, compliance, and security experts from other departments, or even external experts.
  • Ongoing upkeep: Working compliance into DevSecOps requires an ongoing commitment.
  • Customization by country: Slightly different app versions may be needed in different regions to comply with local laws, and most developers are not equipped to manage and scale this.

Jon: Are there any upsides you can see?

Keir: Sure. Regulations that impact apps, APIs, and the web can be a good thing.

  • They can level the playing field via unified standards.
  • Security-compliant mobile apps can be seen as safer by users.
  • They promote best practices in DevSecOps that help us all.

Safety enhancement gains

Jon: Let’s shift to the topic of risks businesses face.

Keir: Here are a few that come to mind:

  • If you ignore compliance rules and regulations, you can risk being fined.
  • You also open yourself up to security breaches, which can result in huge business losses.
  • Cyberattacks can slow or halt your business operations, resulting in lost customers and revenue.

Jon: Can you share a few examples of app, API, or web attacks in the news?

Keir: Here are three:

  • Hackers accessed data of over 50,000 mobile users at Revolut.
  • Zombinder malware infected over 100,000 Android devices via third-party app stores.
  • Robinhood was attacked, exposing millions of app users’ data, leading to angry customers and increased regulatory oversight.

Jon: How can developers, in particular, app, API, and web developers, reduce cyber risks?

Keir: It’s an ongoing battle. Here are a few tips:

  • Strengthen your app, API, and web security with layered solutions.
  • Audit and pentest regularly.
  • Get smarter about regulations and how best to comply.
  • Don’t get complacent about security; stay on top of the latest attack methods.
  • Establish a threat monitoring and response mechanism.

Jon: How do regular cybersecurity audits and pentests actually help?

Keir: Security audits usually involve a thorough review of an app’s security measures, mainly conducted by third parties. They examine code quality, data processing, authentication, and even encryption. Pentesting involves ethical hackers trying to attack the app’s security, revealing unknown vulnerabilities. Both should be performed regularly.

OWASP Top 10 mobile app vulnerabilities

Jon: Developers are often asked to make sure app security addresses the OWASP Top 10 mobile vulnerabilities—how does Verimatrix XTD help?

Keir: Verimatrix XTD empowers developers to address OWASP’s top 10 vulnerabilities with features such as:

  • Code obfuscation to safeguard against reverse engineering, addressing OWASP’s “insecure design.”
  • RASP to detect and stop attacks in real-time, helping with “injection” and “security misconfiguration.”
  • Anti-tamper to ensure app, API, and web integrity, tackling “software and data integrity failures.”
  • Continuous monitoring to detect potential threat patterns and signals, supporting “security logging and monitoring failures.”

Jon: Tell me about ISO certifications—how are they relevant to this discussion?

Keir: As far as I know, Verimatrix is one of the few mobile app security companies that is ISO-certified. In 2024, we renewed our ISO 9001 and ISO 27001:2022 certifications, which have to do with ensuring quality management and information security best practices. These certificates are extremely important in business sectors such as banking, fintech, insurance, legal, manufacturing, e-commerce, and automotive.

When a vendor is ISO-certified, it means they have demonstrated they can provide:

  • Consistent, reliable products and services at a higher standard than most.
  • Enhanced security processes built into the fabric of their operations.
  • A strong data protection mindset built into all products and services they deliver.

Jon: Can you share an example of how Verimatrix went above and beyond for a customer when it came to expert advice having to do with either regulations or certifications?

Keir: Several months ago, we assisted a top 5 bank with a hugely popular mobile app that was struggling with PSD2 compliance. Verimatrix XTD was employed to wrap their app with layered protection and monitor their connected ecosystem for threats. XTD not only improved their authentication, we also helped bolster their transaction security. This helped them meet PSD2 requirements and significantly increased their overall security posture. It was a big win.

Jon: Any final advice you have for developers dealing with the plethora of new rules and laws that are impacting apps, APIs, or the web?

Keir: Yes:

  • Build security in from day one—don’t bolt it on later.
  • Stay on top of new regulations; ignore at your peril.
  • Try out Verimatrix XTD—it may be just the security compliance solution you need.

Jon: It’s been a pleasure speaking with you, Keir!