ITSPmagazine Podcast Network

2024 AppDome and OWASP Mobile Consumer Cyber Security Survey | A Brand Story Conversation From OWASP AppSec Global Lisbon 2024 | An AppDome Brand Story with Brian Reed and Chris Roeckl | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

Join Sean Martin as he talks through mobile app security with Brian Reed, Mobile Security Evangelist, and Chris Roeckl, Chief Product Officer at AppDome, who share findings from AppDome's annual consumer survey, produced in collaboration with OWASP, on what consumers expect from mobile apps. Hear how mobile security shapes consumer loyalty, and what brands can do to build security into app development, and to communicate it, in ways that earn trust and advocacy.

Episode Notes

In the latest Brand Story episode, host Sean Martin chats with Brian Reed, Mobile Security Evangelist, and Chris Roeckl, Chief Product Officer at AppDome, during the OWASP Global AppSec event in Lisbon. The episode dives into pivotal aspects of mobile app security and consumer expectations.

Brian Reed describes how AppDome works with OWASP on mobile app security, including its participation in the OWASP mobile security spec work, and why the consumer voice belongs in that conversation. AppDome's annual survey makes the stakes concrete: 97% of consumers say they would abandon a brand after an insecure app experience, and 74% say they would tell friends to do the same, while 95% say a secure experience would turn them into brand advocates and 53% would go as far as posting a review or a social media post about it. Neglecting mobile security, in other words, carries a direct and measurable cost in customer trust.

Chris Roeckl explains that the survey, now in its fourth year, has gathered responses from roughly 120,000 consumers across 12 countries. The trend line is consistent: consumers increasingly prioritize security, fraud prevention, and privacy. Banking and e-wallet apps top the list of categories where consumers expect a secure foundation, followed by mobile betting and gaming, healthcare, and retail. Social media sits lower on that scale, but it is one of the fastest-growing areas of concern as users become more conscious of login safety, account compromise, and how their data is used.

The discussion turns to how brands can communicate their security work to consumers. Release notes do not reach the typical user, so Reed and Roeckl point to dedicated mobile security web pages (many brands already have one for web security and simply need to add mobile), direct email outreach describing what the brand does to secure its app, and an in-app experience that treats a security event as a positive, informative moment rather than an alarming red X. This matters because the survey shows a growing trust gap: in 2021 about 6% of consumers said they believed developers did not care about securing the app, and that figure is now one in four.

The conversation also covers how security fits into the development lifecycle. Developers must deliver robust protection without degrading the user experience or becoming security specialists themselves. Roeckl describes the pattern AppDome promotes: detect a security event on the device, pass it to the app, and let the developer define a graceful workflow for it, for example keeping the user in the app but limiting what they can do (such as capping transfers) until the issue is remediated, rather than closing the app outright. Reed frames the division of labor as a policy-as-code approach: the security team configures policy to meet business requirements, machine learning and automation handle the protections, and developers receive only the event data they need to tune the user experience.

Roeckl also stresses that it takes a village: product leaders judged on engagement, engineering teams measured on crash-free rates, and cybersecurity teams charged with keeping the crown jewels inside the castle and preventing fraud. Any one of these groups can initiate change, but the result only works when all three come together on a workflow that adds security without breaking the experience.

The insights shared in the episode are a call to action for businesses to prioritize mobile security. With roughly six billion people using mobile apps worldwide, the stakes are higher than ever. Brands should recognize the direct link between secure mobile experiences and customer loyalty; by investing in robust protections and communicating them clearly, they can earn and keep user trust.

Listeners are encouraged to download the full AppDome report for a deeper view of consumer attitudes toward mobile app security. Reed describes it as an empathetic report: it does not attack developers but lays out what consumers care about, so that developers, product managers, and cybersecurity teams, especially those building B2C apps, can align their work with those expectations and ship safer mobile applications.

Learn more about Appdome: https://itspm.ag/appdome-neuv

Note: This story contains promotional content.

Guests: 

Brian Reed, SVP AppSec & Mobile Defense, Appdome [@appdome]

On LinkedIn | https://www.linkedin.com/in/briancreed/

Chris Roeckl, Chief Product Officer, Appdome [@appdome]

On LinkedIn | https://www.linkedin.com/in/croeckl/

Resources

Learn more and catch more stories from Appdome: https://www.itspmagazine.com/directory/appdome

View all of our OWASP AppSec Global Lisbon 2024 coverage: https://www.itspmagazine.com/owasp-global-2024-lisbon-application-security-event-coverage-in-portugal

Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story

Episode Transcription

2024 AppDome and OWASP Mobile Consumer Cyber Security Survey | A Brand Story Conversation From OWASP AppSec Global Lisbon 2024 | An AppDome Brand Story with Brian Reed and Chris Roeckl | On Location Coverage with Sean Martin and Marco Ciappelli

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] And hello, everybody. You're very welcome to a new episode. I'm on location at the OWASP Global AppSec in Lisbon, and I'm here talking about all kinds of cool things, AppSec, DevOps, DevSecOps, uh, everything, and everything bringing the user experience in a safe and secure manner. So, so guess what?

Businesses can generate revenue, right? And hopefully protect that revenue and customer trust along the way. Um, I'm thrilled to, uh, meet a, or learn about a new company and, uh, do that through an old friend and make a new friend in the process. So it's an exciting day for me. Brian Reed and Chris Roeckl are joining me from AppDome. How are you guys?

Brian Reed: We're great.

Sean Martin: I want to, before, I know you guys wrote a report around, uh, consumer expectations around mobile app security.

And, uh, it's an intriguing topic. I think we've talked about this in different ways over the years. [00:01:00] But the research you did, I think, is going to be very telling. And, um, but I first want to hear a little bit about your roles. Brian, this is, this is, uh, this is new for you, fresh out of the gate.

Brian Reed: So, it's good to be with you again, Sean.

Uh, we worked together in a former life. We've been mobile guys for a long time in the mobile security world. Uh, I've made my journey around since BlackBerry days. And these days, I recently joined a company called AppDome that is really solving the mobile app security problem for real. I'm excited to be joining here with Chris and the team.

AppDome has now become a member and sponsor in the OWASP community. We're participating in the OWASP mobile spec work. I've been working with Carlos and Sven on the spec for years. And here we were able to partner with OWASP on a really cool survey. So I'll pass it off here to Chris to introduce himself.

Chris Roeckl: Thank you for having me. I'm Chris Roeckl. I'm Chief Product Officer here at AppDome. I've actually been at AppDome since the start, almost eight years ago. Um, done product work, but also ran our customer team, did some [00:02:00] early selling to prove, uh, prove the technology for our venture capital backers, and lots of other things here.

So glad to be here again and to talk to you about this, uh, survey that we do every year.

Sean Martin: Yep. Love it. And Brian, you mentioned "for real" and, and in real time, at runtime.

Brian Reed: Yeah. Real at runtime. Yeah. So when you, when you think about, um, the, the OWASP community, we've been working with security teams, development teams and architects for years to bring a higher quality of security to the application community, and ultimately the mission of OWASP is the end of insecure software, right?

All our software will become safe. And it's always been a challenge for working with developers to write secure code and working with security teams to test it properly and all the iterative cycles. And as DevSecOps happens, everything happens faster, faster, faster, and so a lot of what's happening now is more insecure software, and the tools are finding more vulnerabilities automated in the pipeline, and the developers are struggling to fix what they can find, and you've kind of got this really bad, yucky looking Möbius loop, right?

[00:03:00] And so, um, as I've worked in mobile AppSec now, from being with testing vendors and the pen testing space and development tools, I think we've really found something interesting here at AppDome that we'll talk about in a little while. But the genesis of the report we're going to talk about today has to do with, we recognize that OWASP is the leading community that participates with AppSec and development and is representative of that. And so we do a survey every year here at AppDome that Chris will talk about. And part of that survey was to bring the consumer voice into the OWASP community, so that the OWASP community, the security professionals here, the developers, the architects, they can bring that back into their business and say, look, these hundreds of thousands of consumers are saying security, privacy, anti-fraud, compliance are critical.

They're expecting us to address this. Now the consumers are at the table, and it's not just sort of security and development kind of banging heads and trying to figure out what to do. So I think it's, it's a really great moment here for it. We're excited to be launching it here at OWASP Lisbon.

Sean Martin: Yeah, perfect. And Chris, tell me, [00:04:00] tell me about the, how long you've been doing the report now.

Chris Roeckl: So this is our fourth report. Okay. Right. So we've interviewed, I think now, 120,000 consumers over the course of four years in 12 countries, right? So we, uh, spanning the world, right? So we have a really good view of trends in terms of what consumers are looking for in terms of security, fraud and privacy protections, but we also have good trend lines, right?

That's the, you know, as we've done this year after year after year, we see the trends, and the trends are more security. Like, consumers are saying, hey, wait a minute, I want a safe experience. And that's really important for mobile brands to hear, right? So we've got lots of data on what that means.

Sean Martin: Yeah. Because one of the, as I alluded to earlier, I think one of the things that I've heard, and I like this trend, is security as a differentiator for the business in many cases. [00:05:00] Um, but I, I have a sense that it's really around the B2B, right? Business partners working together, having, having requirements that you can only get the deal if you have a SOC 2, for example, something like that.

And I love that you took it to the, to the consumer. Cause ultimately all those B2B experiences have some, well, ultimately, some consumer play to them, right?

Chris Roeckl: Well, let's, let's get to the punchline then first. So, um, consumers will vote with their voice. And what that means is if, if consumers are given a secure experience with the mobile brand, 95 percent of them say that they will become brand advocates.

That, um, they will go out and promote that brand, right? And with, [00:06:00] with more than half, like 53 percent, saying I'll even go so far as to do the review, or go so far as to post on social media that I'm having a safe experience with you. Um, the downside is, punishment is more brutal and more swift, right?

So in an insecure experience, or a not-secured experience, 97 percent of consumers say they will abandon the brand. Right. And 74 percent of consumers will go tell their friends to abandon the brand. Right. So there's, there's a sharp consequence here, right? Because what we've seen over the last several years is that,

uh, you know, when we started four years ago, it was about kind of security topics. Hey, making sure the network connection, you know, the connection, network connections are safe and stuff like that. And [00:07:00] it's just continued to escalate because consumers are hearing more and more in their everyday lives about more and more attacks, fraud, social engineering.

They're hearing about these topics and it's making them hyper aware of the fact that they're sharing lots of information in app, through app. And they want to make sure that that information is kept private. You know, that they, that they don't, uh, have to worry about fraud. That fraud can be prevented versus being a reimbursement exercise.

Right?

Sean Martin: Do you have any insights on the types of apps? Yes. Um, I, I mean, social media apps, eh, one could say who cares, right? One could say, yeah. And you might have something to say on that. But then I think about banking apps, healthcare apps, right, going to see the doctor, um, pharmaceutical app, or I should [00:08:00] say retail apps to get your, your Medicaid, whatever it is, right?

Chris Roeckl: Yeah, so the, great question, and we do. Right. So at the top of the list are banking and e-wallet apps. Right. So those kind of are at the top of the list of, hey, I want to make sure I have a, a really secure foundation, uh, for an, uh, for an app experience. Uh, mobile betting and gaming, number three, uh, healthcare, number four, right.

And retail, uh, number five. Right. So those are the ones that, that folks zero in on. What is interesting about social media? Social media. You're right. It's not at the top of the list of saying, hey, I want the most, uh, most safe experience, but it was one of the fastest growing areas for adding security, right?

So people are becoming more aware, more conscious about, hey, wait a minute. What's, what's the information that I'm sharing within the social media world from a, from a login and privacy [00:09:00] perspective, right? What they're sharing is what they're sharing. Right, but the basics of, hey, I don't want somebody to compromise my account, right?

Those sorts of basics are starting to show up in social media, which has tended to be, you know, at the lower end of our scale.

Sean Martin: So on that note, I don't know if you have any insights into the understanding of what security means by consumers. That, to your point, account takeover is just one, right?

Chris Roeckl: Um, but they'll never think of it as an account takeover.

Right.

Sean Martin: Right. So, so what, what, how do they picture it? Those are our words. Those are our terms.

Chris Roeckl: Right, exactly. So we tend to zero in on how we describe things in the report in, uh, in a plain language way, right. And all the different languages that we translated it into, right. So they, so they express these things as, you know, hey, how, how safe is my login?

Right. Um, the actual authentication [00:10:00] experience. What do you do with my data? Right. Have you ever, you know, made sure that the account cannot be compromised? Right. But all of those things show up as top things they're worrying about. Right. So when you translate it down and then that information comes back up, it comes back up as account takeovers, you know, uh, PII, all those sorts of things.

Uh, three letter acronyms that we have here in security land, uh, are meaningful to the consumers at the other end when you tell them what it means in a plain language expression.

Sean Martin: It's interesting, and I don't, do you have any customers or examples of brands that do well? I don't know if you want to name names or not, but.

Chris Roeckl: We don't, we don't do anything that's, that's brand specific, although we have some, we have, uh, learnings that I think are interesting for everybody out there, which is, um, [00:11:00] you know, doing some sort of, uh, advertising may be too strong, but some sort of marketing outreach to mobile brands about security.

This is something that actually, this, this survey informed many of our AppDome customers to do this. And they've seen very positive results by saying, by, okay, by not doing it in release notes. Everybody thought, okay, I'll just put, you know, hey, I've improved security in the release note, but I think it's only like dorks like you, me, and Brian who actually read the release notes.

Um, and so we had a couple of our customers in Latin America say, well, I'm going to try, um, uh, email outreach just to say, hey, here are the things that we're doing in terms of mobile app security. That's worked really well. We've had other customers just have a dedicated page. Right. So they have pages for web security, but they didn't have anything for mobile.

Right. Right. So you just add mobile. I mean, it's not that hard. Right. [00:12:00] And you can, you can,

Sean Martin: if you're not doing it, it's hard.

Chris Roeckl: Well, if you're not doing well, for sure, it's hard at that moment. Um, and one of the things, the reason I'm going down this path, is one of the biggest jumps that we've seen over the last several years, uh, uh, is we ask, you know, we ask about what are the things that, that consumers are concerned about most when it's, when they're thinking about fraudulent activity or something like that.

And one of the responses is, uh, well, we think our developers don't care about securing the app. Okay. So back in 2021, that was, you know, 6 percent of the people said, yeah, that's, that's actually a thing. Well, now it's one in four consumers believe it.

Sean Martin: Wow.

Chris Roeckl: Right. So, so the ability for the brand to be able to take, to take that moment to actually express that they're concerned about a safe [00:13:00] user experience.

And also it translates into an in-app experience. How can you, how can you represent to the consumer in a positive way that you're, that you're concerned about their safety and that you're gonna, um, if there's something going on on the device, it's not a, oh my, you know, it shouldn't be a red X saying, oh my God, your device is, whatever, we're going to close it.

It should be something green, right? This is, hey, what we're trying to do is, you know, make sure that you have a good experience and that we have a good experience. Right. And so that's, that's what drives a lot of, a lot of what we do at AppDome is not only making sure that we can provide defense, you know, defenses for, mobile last apps, but to make sure that the experience all fits together so that consumers don't freak out.

They go, okay, this is beneficial for me, right? Because it is something that they are very concerned about. And it's something [00:14:00] that, you know, we have learned over the last four years and been sharing with the industry, these insights, because we think it's really up to all of us to try to make mobile security better, right?

To get, improve the state of the art of mobile app security and to do it in a way that is really positive for the six billion humans on this planet who use mobile apps, right? Six million, six million apps, six billion consumers. That's incredible. Six times as many people that use, than use a PC. Ah. So.

That's important stuff.

Sean Martin: So how, how does that translate to what the business leader thinks about? So clearly depending on their business, they might, if they're in healthcare, they're going to care about the patient. If they're in finance, they're going to care about the funds, so on and so forth. And they're, they're a baker.

They care about making good bread, but ultimately it's about, you mentioned the user experience, but [00:15:00] there's developer experiences, ops experience, there's, right, that whole thing. It's not just the end app.

Chris Roeckl: Yeah, well, and it does take a village, right? And so, uh, some villages are one person, either the mobile product leader, right?

Because they're ultimately judged by eyeballs in the app. Right? You can have engineering teams that are driven by experiences that are oriented around crash-free rates, right? And then you have cyber teams who are driven by making sure that, that, you know, the, the, uh, jewels of the castle, right, are kept in the castle, right?

That, that there's no fraudulent activity, and you have, how can you, how can you minimize that? Right? So, right. Any one of these [00:16:00] groups can actually be, uh, can initiate change, right? Ultimately, it becomes an experience that all three of those groups have to come together and work on. And really, at that moment, it ultimately becomes about how can you do security in a workflow that is non-invasive, uh, that doesn't change the workflow experience.

At least from the perspective of breaking something, right? Um, and, you know, with some of the advanced methods that we provide, we're able, for instance, to detect a security event, pass that event to the app, and then allow developers to make a new workflow. Okay, your app's not secure, we're not gonna, we're not gonna cut you out of the app experience, but we are gonna limit what you can do in the app.

Okay. Right. Again, something user friendly. Hey, we see this is happening on the app. Unfortunately, we're [00:17:00] not going to let you transfer more than 500, you know, until you get this remediated. And ultimately the next step in that vision is helping consumers themselves, through mobile brands, be able to remediate issues that they're finding on their phones.

Sometimes people do these things maliciously. But oftentimes it's a mistake where they didn't realize that, you know, downloading something can turn into a worse thing.

Sean Martin: Right?

Chris Roeckl: Right. So how can we, that's our next chapter, is how do we help consumers actually get through that moment?

Sean Martin: So I want to talk a bit about the, the developer, and then maybe Brian, if you want to bring in some of the OWASP stuff and, and how the community is responding to this research, because.

Kind of to the point of the report that they don't think engineers care. I can't remember what commercial I saw, but there was [00:18:00] some commercial that said, I think it was an automotive commercial, building a car or something. And they said, maybe the VW, I don't know. Um, they did a very short clip of, we spent X number of hours building this car.

It's Volkswagen. It is Volkswagen.

Chris Roeckl: Volkswagen.

Sean Martin: And then, and then there's the longer version of it with the, they're showing it having the pizza and the meetings and the fun. And, and all the research on this and the research on that and the development here. And I feel like something like that is, is needed for cybersecurity to show that engineers care because, I mean, being here, obviously at OWASP Lisbon, we all care, right?

We're here for a reason, but I, I believe there's a broader, bigger community that does as well. So I don't know if you're getting any feedback or have any insight. I mean,

Brian Reed: sure, I think a few thoughts, right? So security professionals, we've done things like create security champions on development teams and so on and so forth.

There's a security champion meet up here. Um, we create all kinds of tools and like threat modeling training and so on and [00:19:00] so forth that we kind of push on developers. I think that there's kind of two aspects, maybe, you think about in the community overall. The first one is that OWASP is reaching out a lot more to developers.

In fact, the OWASP Global in San Francisco is gonna have a developer day where we're looking to have our security people bring their development friends. And it's a development-centric day, not a security-centric day, as it were, security professional day, but actually helping. And there are clearly advocates out there.

Some, some of my good friends I've collected over the last 20 years are developer security advocates, right? So, so I think that developers generally are focused on, the business has an objective of shipping X software with Y functionality by Z date. And that tends to be how the business works. If the business has a secure by design strategy, if the business has a security first, or user safety first, then that drives behavior.

And you get that behavior driver in something like finance because of regulations, or health care because of certain parts of health care, like FDA regulated devices. But the rest of it, you know, I think we're all still trying to do it. We've got to remember the developers have a motivation that's parallel, [00:20:00] but not necessarily exactly the same as the way a security person is motivated in it.

So I think OWASP will continue to grow the developer community. In our world, it's pretty amazing. So we've eliminated the challenge for the developer because our machine learning does the work for the developer. So developers love us in that they don't have to worry about the gory security details. They don't have to become a security expert in malware and overlay attacks and all that other stuff.

Software does it for them. What developers get is the ability to apply useful feedback and tune user experience based on security issues. But all the gobbledygook's taken care of. And that's kind of an ideal world. You know, security gets what they need, with, with policies configured the way they want it to be to meet the requirements of their business.

Devs get nothing, or a little bit of data they can use to make sure there's a great user experience, but they don't have to become security experts in order to build mobile apps. And that's probably where Nirvana is. The advent of machine learning and AI is, uh, a lot of the grunt work gets taken care of by the systems and the software on behalf of the developers so they can focus on the innovative work.

Sean Martin: Yeah. Yeah. [00:21:00] Onboarding fast. Booking a healthcare appointment quickly. Getting, uh, getting your orders,

Brian Reed: you know, adding, adding bio, you know, bio readout stuff, you know, like your, your body monitoring things. You know, we've got the advent of the Apple Watch, like the most popular digital watch in the world.

You know, there's, there's lots of scenarios where developers are creating really amazing experiences, but trying to get a developer who might be a phenomenal user experience guy to also be a security engineer is like an oxymoron, right? He's not built for that. That's not his focus. So make security transparent, easy.

Built into the pipelines the developers are using. So devs focus on what they want and what they do and their expertise, and let the machine do the rest of the work. And that's where I think, I think we'll see things go. It's, it's kind of a policy as code approach.

Sean Martin: Yeah, I love it. Yeah, not, not code. Less code.

No. Nice one. Listen, it's been great to chat with both of you and good to see you here at the OWASP AppSec Global in Lisbon. [00:22:00] And I'm excited to, uh, keep, keep chatting with you, more stories. I'm going to encourage everybody to download this report. Clearly, consumers care.

Chris Roeckl: They do.

They do, and there's a lot more data in that report. Uh, in terms of just giving a fuller perspective about what security means to the mobile end user.

Sean Martin: Yep, yep. I think we, uh, we owe it to ourselves to understand what they expect. Knowing that they understand enough to know that they should care.

Brian Reed: Exactly.

It's an empathetic report, so it's sort of an empathetic experience. The developer can read and say, oh, okay, now I have the understanding. Let me go just apply that in how I operate. Right? So I think it's not attacking developers. It's more trying to uncover, these are the things that consumers care about.

So if you're building B2C apps, take these into consideration.

Sean Martin: Perfect. Well, thank you guys. And, uh, thanks everybody for listening to this episode coming to you from Lisbon. Stay tuned for more stories and, uh, Brian, [00:23:00] Chris, thanks a lot.

Brian Reed: Thank you.