New York’s SHIELD Act Is A Big Hurdle for Mobile App Developers

Published on July 1, 2020

Mobile applications have become an ingrained part of everyday life. Their developers boast capabilities large and small, from checking the weather to running a small business end to end. With mobile app developers in high demand, services such as Google’s Firebase, Mobile Roadie, TheAppBuilder and others serve as an accessible, fast option for tech newcomers who want to get in on the action.

In 2017 alone, consumers around the world downloaded 178 billion apps – making the $71 billion industry unsurprisingly lucrative and fast-growing. At the same time, tech-focused compliance legislation made headway in the United States, with the New York SHIELD Act expanding its definition of a data breach and placing app developers and their partners in murky legal waters.

It’s no shock that such growth in the mobile app industry has been accompanied by these expansive, yet necessary checks and balances. Sixty-two percent of enterprises have at least one vulnerable app in their environment, placing personal information at risk and potentially violating other compliance laws such as GDPR, CCPA, and HIPAA. Understanding the cracks in the app development infrastructure and addressing them head-on can greatly alleviate compliance concerns, in addition to warding off the inevitable cybercriminals who prey on bugs in vulnerable systems.

As part of a governmental effort to protect the data of their residents, both California and New York have taken the first steps toward enforcing across-the-board compliance legislation. The New York SHIELD Act, in its latest iteration, casts a significantly wider net where personal data is concerned. Rather than counting only unauthorized acquisition of data as a breach, it expands the definition to include unauthorized access: a database that an outsider could read is reportable even if no one can prove the data was copied. The law applies to any business holding the private information of New York residents, regardless of where the business itself is located. That’s a drastic difference.

Under these measures, 85 percent of mobile app developers could be considered non-compliant. In other words, most app developers have not implemented the controls needed to analyze and monitor incoming threats, or even to store data in a sufficiently secure manner. Only over the last few years has compliance taken center stage – forcing organizations to take another look at how reliable and security-focused their partnerships with independent mobile app developers really are.

Because of the enormous number of app users, finding a user-friendly, uncomplicated app developer is understandably a high priority for organizations and businesses for which cybersecurity is not a core competency. This is true for organizations large and small, from the United Airlines and TikToks of the world to the family-owned restaurant down the street.

Small, foreign and potentially non-compliant app development houses can be an attractive, highly affordable option for business owners seeking to digitally transform as efficiently and cheaply as possible. In the long run, however, the lack of deep threat scanning and prevention, visibility and overall autonomy can create enormous technological hurdles, costing millions of dollars in avoidable non-compliance penalties or damaging data breaches. Placing the security posture of an organization in the hands of a single, opaque app developer greatly jeopardizes its ability to combat or recover from data breaches caused by rogue actors, faulty authentication, or non-compliant data storage.

Firebase, Google’s user-friendly app development platform and real-time database, was at the center of a large exposure in 2018: security researchers found more than 2,000 mobile apps whose Firebase databases had been left open to unauthenticated access, exposing over 100 million records including personally identifiable information (PII), protected health information (PHI), plaintext passwords and more. The root cause was not a flaw in Firebase itself but database security rules that developers had left wide open, which is exactly the kind of configuration mistake a hurried or inexperienced app shop makes. Relying on such a platform to evolve alongside changing compliance standards like the New York SHIELD Act while combating advanced criminal threats is risky. That risk is nonetheless one that countless business owners and organizations accept in order to expedite app development or simply cut costs. For this reason, app shielding after the app has been built becomes an attractive option, allowing flexibility when searching for a budget-friendly app developer while still keeping security intact.
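The Firebase exposures described above came from Realtime Database instances whose security rules granted read (and often write) access to anyone who knew the database URL. The following is an added example, not code from this article or from Google: a small Python lint that walks a Firebase rules document and flags every node that is world-readable or world-writable, run over a constructed wide-open rules file and a constructed locked-down one, plus a helper that interprets the reply to an unauthenticated REST probe. The node names (`users`, `public_feed`) and the sample probe responses are assumptions made for illustration.

```python
import json

# Constructed example: the "test mode" rules that leave an entire Realtime
# Database readable and writable by anyone who knows its URL.
OPEN_RULES = json.loads("""
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
""")

# Constructed example: rules that require a signed-in user and confine each
# user to their own subtree. The node names are assumptions for illustration.
LOCKED_RULES = json.loads("""
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    },
    "public_feed": {
      ".read": "auth != null",
      ".write": false
    }
  }
}
""")


def find_public_nodes(rules_doc):
    """Return (path, permission) pairs where a rule grants access to everyone.

    Firebase evaluates rules top-down and a `true` on a parent grants access
    to every child, so a single `".read": true` at the root exposes the whole
    database. Rule values may be JSON booleans or string expressions; the
    string "true" is equivalent to the boolean and is flagged as well.
    """
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                if value is True or (isinstance(value, str) and value.strip() == "true"):
                    findings.append((path, key[1:]))
            elif isinstance(value, dict):
                # Child node: descend with the extended path.
                walk(value, path.rstrip("/") + "/" + key)

    walk(rules_doc.get("rules", {}), "/")
    return findings


def classify_unauthenticated_probe(status, body):
    """Interpret the reply to an unauthenticated GET of <db-url>/.json.

    A locked database answers 401 with {"error": "Permission denied"}; an
    open one answers 200 with the data itself. The responses passed in by
    the caller below are constructed samples, not captured traffic.
    """
    if status == 200:
        return "OPEN: data returned without credentials"
    if status in (401, 403):
        return "LOCKED: " + json.loads(body).get("error", "access denied")
    return "UNKNOWN: HTTP %d" % status


if __name__ == "__main__":
    for name, doc in (("open", OPEN_RULES), ("locked", LOCKED_RULES)):
        print(name, find_public_nodes(doc))
    # Constructed sample responses for the two cases.
    print(classify_unauthenticated_probe(200, '{"users": {"u1": {"ssn": "..."}}}'))
    print(classify_unauthenticated_probe(401, '{"error": "Permission denied"}'))
```

The lint is the check a buyer can run on a rules export without trusting the developer's word; the probe helper encodes the same check from the outside, since a database that returns data to an unauthenticated request is, under the SHIELD Act's "access" definition, already a reportable exposure whether or not anyone has copied it.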

It’s completely understandable that an affordable, quality-driven design house with a trustworthy reputation is typically out of reach for most organizations. Even where a reputable app developer with a pristine security record is within financial reach, handing one’s entire cybersecurity strategy to an outside organization is inadequate. Thankfully, retrofitting protection onto an application is achievable for the vast majority of app-reliant organizations looking to protect their software.

App shielding technology can secure an app independently, without the original developer’s input, and can be integrated retroactively into an existing application. The risk taken when selecting a less-than-secure app developer is mitigated by overlaying an effective application protection shield, which can be applied at any stage of the app’s lifecycle.

It goes without saying that the safest bet is to assume all third-party mobile apps are unverified and untrustworthy. A more security-conscious developer is the ideal, yet its up-front costs often seem to outweigh the benefits. The easier bet is a less reputable, more affordable design house whose flaws are compensated for by retroactive shielding technology. In either case, putting controls in place to thoroughly and independently analyze potential threats, while storing information according to an overarching compliance structure, goes a long way toward avoiding the pitfalls of outsourced mobile app development.

Distributing responsibility and sensitive information in a security-minded manner, by installing an effective app shielding capability, is a clearer marker of effective risk management, since even the most secure app developers cannot on their own provide adequate protection. Additionally, strong authentication, including passwordless authentication, can make the difference between a disastrous mobile data breach and a secure, user-friendly system.

Mobile applications are increasingly relevant to industries of all kinds, assisting consumers with personal finances, health tracking, transportation needs, and so much more. As tech becomes interwoven into the fabric of society, best practices will require tech champions to intelligently and efficiently adhere to security standards, protecting the billions of users relying on these highly advanced, everyday platforms.

Asaf Ashkenazi is a former Contributor at Grit Daily. He is Verimatrix’s Chief Operating Officer, responsible for developing and communicating the organization's strategic plans, initiatives and future goals. Asaf is also responsible for analyzing market dynamics, building strategic partnerships and identifying potential M&A targets. He has more than 15 years of security experience, spanning product management, business development and a variety of engineering roles throughout his career. Asaf began his career at Motorola Semiconductor where he developed hardware security modules and prior to joining Verimatrix, known as Inside Secure prior to the name change in July 2019, he oversaw security product management at Rambus and Qualcomm Technologies Inc. Asaf has served as board member of the FIDO Alliance, he holds a Bachelor of Science in electrical engineering from Ben-Gurion University of the Negev, Israel, and has been granted 10 U.S. patents for security architectures and solutions.
