
As the year draws to a close, it’s an opportune moment to reflect on the future of mobile app security and consider Guardsquare’s recommendations for developers and security experts in 2024. Last year, we shared our predictions for mobile app security trends in 2023, highlighting the emergence of new vulnerabilities and a growing emphasis on adopting established mobile app security standards like OWASP.

The global usage of mobile applications is on the rise, with users averaging 5.5 hours daily on apps in 2022; projections suggest this figure will increase even further by the end of 2023. This surge in usage coincides with an upsurge in newly identified vulnerabilities, underscoring the necessity for a robust security strategy to safeguard mobile applications.

To assist organisations in navigating these shifting risks within the threat landscape, we have outlined four key trends that we anticipate will shape the industry in 2024, along with strategies for proactive engagement.

Forecast 1: Developers will struggle to balance malware protection against user experience. In recent years there has been a notable rise in mobile malware attacks and in fraud involving mobile applications, especially in the financial sector.

From January 2022 to February 2023 alone, fraud involving mobile finance apps worldwide was estimated at around $2.64 billion, including threats like the Xenomorph Android malware that targets banking and cryptocurrency applications.

The threat of mobile malware remains significant, particularly for the many Android applications that rely on features such as overlays and accessibility options, which malicious software can abuse. In response, some security companies advocate blunt protective measures that simply block the features malware exploits. One proposed solution, for instance, is to turn off accessibility features within an application. While this would reduce misuse of those features, it would also lock out the many users with disabilities who depend on them. Turning them off is seldom a viable option for mobile applications, both for ethical reasons and because of potential legal consequences. Developers should instead integrate security measures that preserve accessibility.

Another method of addressing vulnerabilities includes restricting an app’s ability to use screen-sharing or screenshot capabilities. Although this could mitigate specific threats, it risks diminishing user experience and complicating customer support interactions. As some developers resort to overly broad protective strategies like those mentioned earlier, many users will likely voice their frustrations regarding subpar app experiences or privacy concerns.

Ideally, this tension will foster communication between developers and security experts in order to identify more effective strategies for mitigating these risks without compromising user experience.

To better defend their applications against malware, we advise mobile app developers to take several proactive steps. First, gain a thorough understanding of the attack methods malware actually employs and implement countermeasures tailored to those specific risks. Second, where feasible, build multiple layers of defence around the application. Finally, focus security effort on identifying and isolating the app's sensitive components rather than imposing blanket restrictions that degrade the overall user experience.

Server-side threat monitoring complements these steps: it provides visibility into what is happening to the app in the field, so you can choose countermeasures based on evidence and accurately assess the malware risk associated with your applications.

Forecast 2: More app developers will turn to threat data to shape their mobile app security strategies. Traditional approaches depend heavily on client-side feedback, such as crash reports or performance complaints, but that feedback says nothing about attempts to reverse engineer or tamper with your applications. Without that data it is hard to know which security measures to strengthen in future updates.

With the growing recognition of mobile threat monitoring’s advantages, more organisations are expected to utilise threat data to guide their application protection strategies effectively. Developers should contemplate transitioning some aspects of their reactive strategies to a server-side approach, which allows for greater flexibility in data correlation and dynamic response control. For instance, a banking application could analyse collected data to assign a fraud risk score to a user account or temporarily suspend access until it has been verified by the fraud department—ultimately leading to an improved user experience.

We advise mobile app publishers to integrate runtime application self-protection (RASP) checks throughout their applications and leverage the gathered threat intelligence for several key purposes: Firstly, enhance your application’s security posture by incorporating insights from RASP checks into a threat monitoring system that can help identify attack patterns and bolster security measures in subsequent releases. Secondly, channel this threat intelligence into actionable strategies that further strengthen your app’s defences against emerging threats.
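The two paragraphs above describe RASP detections flowing from the app into a server-side threat-monitoring system that correlates them per account and drives a response such as step-up authentication or a temporary suspension pending review by the fraud team. The Kotlin below is an added example of that backend logic, not Guardsquare's product code or code from the article: the detection types, weights, thresholds, correlation rule and sample events are all constructed for illustration and would be tuned from observed fraud outcomes in a real deployment.

```kotlin
import java.time.Duration
import java.time.Instant

// Hypothetical server-side threat-monitoring logic (example code, not Guardsquare's).
// RASP checks in the mobile app report detections to this backend, which correlates
// them per account, turns them into a fraud risk score and picks a response.

enum class Detection {
    ROOTED_DEVICE, EMULATOR, DEBUGGER_ATTACHED,
    OVERLAY_DETECTED, HOOKING_FRAMEWORK, TAMPERED_SIGNATURE
}

data class ThreatEvent(val accountId: String, val detection: Detection, val at: Instant)

enum class Decision { ALLOW, STEP_UP_AUTH, SUSPEND_PENDING_REVIEW }

class RiskScorer(private val window: Duration = Duration.ofHours(24)) {
    // Illustrative weights: a real deployment derives these from fraud outcomes.
    private val weights = mapOf(
        Detection.ROOTED_DEVICE to 10,
        Detection.EMULATOR to 15,
        Detection.DEBUGGER_ATTACHED to 30,
        Detection.OVERLAY_DETECTED to 35,
        Detection.HOOKING_FRAMEWORK to 40,
        Detection.TAMPERED_SIGNATURE to 60,
    )

    // Score only the events inside the look-back window, counting each detection
    // type once so a single noisy check cannot inflate the score by repeating.
    fun score(events: List<ThreatEvent>, now: Instant): Int {
        val recent = events.filter { Duration.between(it.at, now) <= window }
        val distinct = recent.map { it.detection }.toSet()
        var total = distinct.sumOf { weights.getValue(it) }
        // Correlation rule: a hooking framework together with a tampered signature is
        // far stronger evidence of active instrumentation than either alone.
        if (Detection.HOOKING_FRAMEWORK in distinct && Detection.TAMPERED_SIGNATURE in distinct) {
            total += 25
        }
        return total.coerceAtMost(100)
    }

    // Dynamic response: the thresholds decide how much friction the user sees.
    fun decide(score: Int): Decision = when {
        score >= 70 -> Decision.SUSPEND_PENDING_REVIEW
        score >= 30 -> Decision.STEP_UP_AUTH
        else -> Decision.ALLOW
    }
}

fun main() {
    val now = Instant.parse("2023-12-01T10:00:00Z")
    // Constructed sample telemetry, not real data.
    val events = listOf(
        ThreatEvent("acct-1", Detection.ROOTED_DEVICE, now.minus(Duration.ofHours(2))),
        ThreatEvent("acct-2", Detection.HOOKING_FRAMEWORK, now.minus(Duration.ofMinutes(5))),
        ThreatEvent("acct-2", Detection.TAMPERED_SIGNATURE, now.minus(Duration.ofMinutes(4))),
        ThreatEvent("acct-2", Detection.ROOTED_DEVICE, now.minus(Duration.ofDays(3))), // outside window
    )
    val scorer = RiskScorer()
    events.groupBy { it.accountId }.forEach { (account, accountEvents) ->
        val s = scorer.score(accountEvents, now)
        println("$account score=$s decision=${scorer.decide(s)}")
    }
}
```

With the constructed events, acct-1 scores 10 and is allowed, while acct-2 hits the correlation rule, caps at 100 and is suspended pending review. The point of keeping this logic on the server is visible in the code: the weights, the window and the thresholds can be changed without shipping a new app version, and the decision can be reversed by the fraud department without touching the device.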

Forecast 3: Google will persist in its initiatives to enhance trust and security within the Android ecosystem. Over time, Google has systematically improved the Android operating system and its APIs to limit the scope for misuse. Notably, API levels 9, 29 and 31 each added protection against overlay attacks of differing strength. API level 31 is the most robust, letting developers hide and automatically remove non-system overlays. Even so, addressing security vulnerabilities in mobile applications is a shared responsibility: developers can leverage Google's updates, but they must also implement their own measures to safeguard their applications.
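As an added illustration (not code from Guardsquare or from the article), the following Kotlin activity shows how the three API levels mentioned above can be layered on one sensitive screen of an Android app, each guarded by the level that introduced it: `View.setFilterTouchesWhenObscured` (API 9) drops touches delivered while another window covers the view, `MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED` (API 29) lets the app notice touches that arrive while its window is only partly covered, and `Window.setHideOverlayWindows` (API 31) asks the system to hide non-system overlays. The activity class, the layout and view ids, and the `reportPartiallyObscuredTouch` and `submitTransfer` hooks are hypothetical.

```kotlin
import android.os.Build
import android.os.Bundle
import android.util.Log
import android.view.MotionEvent
import android.view.View
import androidx.appcompat.app.AppCompatActivity

// Hypothetical sensitive screen of a banking app (example code, not Guardsquare's).
// Each overlay-related API is applied only on the Android API level that has it,
// so the same activity degrades gracefully on older devices. R refers to the
// app's own generated resource class.
class TransferConfirmationActivity : AppCompatActivity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        setContentView(R.layout.activity_transfer_confirmation) // hypothetical layout

        // API 31+: ask the system to hide non-system overlay windows while this
        // window is on top. Requires android.permission.HIDE_OVERLAY_WINDOWS
        // (a normal permission) to be declared in AndroidManifest.xml.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            window.setHideOverlayWindows(true)
        }

        // API 9+: discard touches that reach this button while another window
        // fully covers it (classic tapjacking), instead of acting on them.
        val confirmButton: View = findViewById(R.id.confirm_transfer) // hypothetical id
        confirmButton.filterTouchesWhenObscured = true
        confirmButton.setOnClickListener { submitTransfer() }
    }

    override fun dispatchTouchEvent(ev: MotionEvent): Boolean {
        // API 29+: the framework flags touches that arrive while the window is only
        // partially obscured. Record and swallow them rather than locking the user out.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q &&
            (ev.flags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0
        ) {
            reportPartiallyObscuredTouch()
            return true
        }
        return super.dispatchTouchEvent(ev)
    }

    private fun reportPartiallyObscuredTouch() {
        // Hypothetical hook: in a real app this event would be sent to the
        // threat-monitoring backend; here it is only logged.
        Log.w("OverlayGuard", "touch received while window was partially obscured")
    }

    private fun submitTransfer() {
        // Hypothetical: the real transfer logic lives elsewhere.
    }
}
```

The layering matters because only devices on API 31 or later get the strongest control; on everything older the app still has the touch-filtering and partial-obscuring signals, and the partially-obscured events are exactly the kind of telemetry a server-side monitoring system can correlate rather than a reason to block the whole screen.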

Looking ahead to the coming year, we anticipate ongoing enhancements to Android’s operating system alongside further security protocols being rolled out in the Google Play Store aimed at fostering increased trust and safety within the ecosystem. Indeed, Google has already unveiled a significant update for Google Play Protect that introduces real-time scanning capabilities designed to identify emerging threats in applications. Furthermore, Google is enhancing its Data Safety section by providing clear labelling for apps that have passed independent security evaluations based on industry standards.

To bolster protection efforts, developers should adopt multiple layers of code hardening and Runtime Application Self-Protection (RASP). Additionally, employing various analysis techniques throughout both the development phase and runtime will ensure thorough testing of app code. Monitoring these aspects will be crucial as we move forward into this evolving landscape of mobile application security.

Forecast 4: An increase in collaboration among vendors to support the OWASP MAS initiative. Over the past two years, the OWASP MAS project, along with its updated Mobile Application Security Verification Standard (MASVS) and Mobile Application Security Testing Guide (MASTG), has made significant strides through various announcements and targeted support efforts. Until now, a limited number of contributors have been at the forefront of revitalising this project.


However, in the last year there has been a noticeable shift, as stakeholders from the security community, commercial enterprises, platform providers, government bodies and others have begun to engage more actively with the development of both MASVS and MASTG. A noteworthy example is the App Defense Alliance's rollout of the Mobile App Security Assessment (MASA), which lets developers and app publishers have their applications independently validated against OWASP's established standards. As more vendors and experts contribute to the MAS initiative, it is poised for increased momentum and visibility, ultimately enhancing its value and leading to broader acceptance of mobile application security standards.

We advise app developers to view MASVS and MASTG as essential tools when formulating a mobile app security strategy. This strategy should encompass utilising security solutions that align with OWASP’s recommendations for MASVS security measures—such as DexGuard and iXGuard, which offer comprehensive code hardening techniques like obfuscation and Runtime Application Self-Protection (RASP) in line with OWASP’s resilience criteria. Additionally, AppSweep provides complimentary security scans while supporting best practices advocated by OWASP.

In summary (TL;DR), as we approach the end of 2023, it is an opportune moment for reflection on future trends in mobile app security for 2024—what considerations developers and security professionals should keep in mind moving forward. Guardsquare anticipates that next year will see heightened attention on malware defence within mobile applications, increased dependence on threat intelligence data, and advancements in Android security measures, alongside growing endorsement for the OWASP MAS project. We encourage mobile app developers and cybersecurity experts to maintain their focus on protecting mobile applications through rigorous testing and monitoring throughout 2024.

Maxthon

In today’s digital age, safeguarding your online banking information while using the Maxthon browser is crucial. One of the first steps you should take is to create strong passwords. Aim for unique and complex combinations that include uppercase and lowercase letters, numbers, and special symbols. Steer clear of easily guessable details such as birthdays or pet names to bolster your security.

Next, consider enabling Two-Factor Authentication (2FA) if your bank provides this feature. By activating 2FA, you add an extra layer of protection; typically, this means you’ll receive a code via text or email that you must enter alongside your password.

It’s also essential to keep your Maxthon browser updated. Regularly checking for updates ensures that you benefit from the latest security patches and enhancements designed to shield against vulnerabilities.

Another essential practice is to clear your browsing data frequently. By regularly deleting your history, cache, and cookies, you eliminate any stored sensitive information that hackers could potentially exploit if they gain access to your device.

Utilising Maxthon’s privacy mode can further enhance your safety while conducting online banking transactions. This feature allows you to browse without saving data like cookies or site information from previous sessions.

Additionally, consider installing reputable security extensions or antivirus plugins tailored for Maxthon. These tools can offer real-time protection against phishing attempts and malware threats.

Always remain vigilant against phishing scams. Before logging into your banking account, double-check the URL of the website you’re visiting. Be cautious about clicking on links in emails or messages claiming to be from your bank unless you’re certain they’re legitimate.

Finally, remember to log out of your online banking session once you’ve completed any transactions. This simple action helps prevent unauthorised access in case someone else uses your device afterward.

By adopting these practices while using the Maxthon browser, you’ll significantly strengthen the security of your online banking activities and protect yourself from potential threats.