Cyber Resilience Act: what it means for Mobile Application Security

7 min read
Edit by Valentine Puig • Feb 21, 2023
If you keep up with the latest cybersecurity-related regulations, you’ve probably heard of the new proposal for a Cyber Resilience Act that was presented last September by the European Commission. In case you didn’t hear, the Cyber Resilience Act is a new piece of legislation aimed at improving the cybersecurity posture of organizations that leverage digital assets.

In response to the increasing number and cost of successful cyberattacks, whose annual global cost was estimated at €5.5 trillion by 2021, the act focuses on ensuring that companies have the necessary policies, procedures, and technologies in place to protect themselves and their customers from cyber threats.

Now, what does it mean for mobile application security? Whether you’re a mobile app developer, a security professional, or a business leader, this blog post will help you gain a better understanding of how the Cyber Resilience Act will affect the AppSec world.

What is the Cyber Resilience Act?

To summarize, this first-of-its-kind EU-wide legislation seeks to set common cybersecurity rules for manufacturers and developers of products with digital elements. It reflects the European Commission's analysis that cyber risks are a matter of social, political, and economic importance. That analysis identifies two main problems.

First, there is the low level of cybersecurity of, and the lack of updates for, many manufacturers' products, which can leave businesses and consumers vulnerable to cyberattacks. Additionally, while it is undeniable that vulnerability exploits can cause reputational and business damage to organizations, the cost of vulnerabilities is currently mostly borne by end users, which limits the incentive for businesses to invest in secure design and development.

Second, customers lack the accurate and sufficient information they need to make informed purchasing decisions based on the security of products.

While some legislation does exist to protect specific categories of digital products, as of today no coherent cybersecurity standard has been devised for all products with digital elements on the EU market to remedy this state of play. That is precisely what the Cyber Resilience Act aims to rectify.

The business impact of the Cyber Resilience Act

Of course, if you work in the field, you are already aware of the business and development implications of such a regulation. Just remember the General Data Protection Regulation (GDPR) back in 2018. By establishing strict guidelines and requirements for how personal data is collected, processed, and protected, it had a significant impact on the mobile AppSec world.

Suddenly, mobile app developers and manufacturers were legally required to take a much more proactive approach to protecting personal data, and to be more transparent about the types of data they collect and how it is used. Setting this in motion was challenging, to say the least: lack of understanding of the requirements, technical challenges, difficulties in mapping and inventorying data, challenges in ensuring compliance with third-party services, legal difficulties in interpreting and complying with the regulation…

The CRA won’t be an exception. While it is still under review and might very well evolve before it passes, changes are to be expected no matter what. Here are five areas where mobile app businesses should expect an impact.

  1. Compliance costs: compliance is likely to involve additional costs and investment in technologies and practices to protect and monitor the security of the mobile application, for example mobile application security testing, incident response planning, or even employee training.
  2. Changes in the development process: the cybersecurity requirements set out by the CRA will have to be taken into account during the design and development phase of the mobile app, as well as throughout its entire life cycle. This may require additional resources, such as additional personnel.
  3. Transparency and user awareness: manufacturers will have to provide clear and easy-to-understand security information to users, such as a security label or clear instructions on how to use the apps securely. The end goal is to enhance the transparency of the security properties of mobile apps and help users understand the security measures of the apps they use.
  4. Legal risks: failing to comply with the CRA could lead to significant penalties or fines (up to €15 million or 2.5% of annual turnover, depending on the organization). Non-compliance could also cause reputational damage which could harm the business.
  5. Business disruption: if an organization experiences a cyberattack on its mobile apps, it may need to take those apps offline.

When the act is implemented, organizations will have to show compliance with the new regulation. That entails being able to prove that they implemented security protections, that they know how well their digital assets are protected, and, most importantly, that they made sure the security measures work as expected. The Cyber Resilience Act is an exciting opportunity to stay ahead of the curve in the rapidly evolving field of cybersecurity. Should it pass, organizations will have 2 years to adapt to the new requirements. However, it is in their best interest to start worrying about it now so they can begin taking the necessary steps to be in compliance.

Does the CRA apply to mobile apps?

Mobile applications are a critical part of the overall IT system. And like any other part of that system, they need to be designed, developed, and maintained with security in mind. This is especially true considering that apps are released in public stores and are therefore accessible to anyone, with no way of controlling the device on which they will be executed.

So does the CRA apply to mobile applications? Yes. Yes, it does.

With the increasing prevalence of mobile apps, and the sensitive data they are used to access, it is essential that they are protected from cyber threats. Yet the security of the mobile application itself is an issue that has long been neglected. How many times have we heard that protecting the mobile application is not a high priority, considered non-urgent because there is allegedly nothing significant to break there?

While it has to be said that awareness of mobile app-related cyber risks is undeniably increasing, the fact is that, as of today, mobile applications still fall behind on cybersecurity.

Take the banking sector for instance. Last year, with the help of our mobile application security testing tool esChecker, we analyzed more than 120 European banking mobile apps and found that none of them complied with OWASP standards. Vulnerabilities in such apps can have disastrous consequences. Remember when LCL’s mobile app was the target of a major cyberattack that led to the embezzlement of over €300,000? But it is not just banking apps: the lack of cybersecurity in mobile apps is a global issue that plagues many industries, such as health or transport, to name just two.

Thankfully, mindsets are slowly maturing, but there is still a lot of work to be done. The Cyber Resilience Act was specifically designed to accelerate this inevitable movement towards a safer digital environment, which includes more secure mobile applications.

What can you do to anticipate?

To anticipate the impact of the coming regulation on your business, you need to stay ahead of the curve. To do so, you have to embrace a proactive approach towards security and build security into your mobile applications. And we can help!

To address the different issues you might face in securing your mobile apps (lack of in-house AppSec expertise, lack of control over the app code as a whole, difficulty in enforcing a consistent security policy for every release or in setting up a culture of mobile app security, etc.), eShard devised a special offer for any leader willing to empower their engineering team and drive a sustainable initiative for gaining control of in-house mobile app security.

Onboard your mobile engineering team into security challenges!

Build confidence in mobile app security and shift your development processes to take into account the specifics of the mobile environment.
