Mobile app development is dynamic: multiple stakeholders, tight timelines, often limited budgets, and a range of frameworks to work within, both technical and regulatory. One of those constraints is the growing body of laws and rules that touch app security. Software regulation for mobile apps is a game whose guidelines keep changing. Here are three new or forthcoming laws we thought you should know about.
1. Digital Markets Act (DMA)
The Digital Markets Act (DMA), which designated gatekeepers had to comply with from March 2024, aims to curb the market power of the largest tech platforms and open them to competition, including by allowing third-party app marketplaces. This has a direct bearing on mobile app security: users in the EU can now install apps from sources other than Google Play and the Apple App Store. Those alternative distribution channels may not apply the same review and policy enforcement as the established stores, which raises the risk of malware distribution, of tampered copies of legitimate apps reaching users, and of security breaches.
Should developers take proactive measures to align with DMA? “Absolutely,” says Tom Powledge, head of cybersecurity business at Verimatrix. “Adding app security and testing how secure those apps are prior to deployment are smart first steps. They aren’t just nice-to-haves; they’re a necessity.”
Apple and Google are adapting. To comply with the DMA while keeping platform integrity, Apple requires notarization of all iOS apps regardless of where they are distributed, shows an installation sheet describing the app before it installs, authorizes marketplace developers, and has added further malware protections. Notarization is a baseline malware and integrity check, not the full App Review that App Store apps go through, so it does not replace the developer's own hardening. Google is focusing on transparency and safety: the Data safety section on Google Play listings (the Play counterpart of Apple's privacy "nutrition labels") and independent security reviews through the App Defense Alliance (ADA), whose Mobile Application Security Assessment (MASA) has apps assessed against the OWASP MASVS.
Developers must do their part too: rigorous testing plus hardening of the app itself (obfuscation, anti-tampering, runtime protection), since a sideloaded app cannot rely on store-side controls. Combined with Apple's and Google's platform changes, these steps help keep apps safe no matter where they are downloaded from.
2. OMB/CISA Attestation Mandate
The attestation mandate comes from the US Office of Management and Budget (OMB), in memoranda M-22-18 and M-23-16, and is administered through CISA's Secure Software Development Attestation Form. It adds a new layer of compliance for anyone supplying software to US federal agencies: before an agency uses the software, the producer must attest that it was developed following the secure practices of NIST's Secure Software Development Framework (SSDF, SP 800-218), such as building in a secured environment, maintaining provenance for third-party components, running automated vulnerability checks, and operating a vulnerability disclosure process. Agencies may also ask for artifacts such as a software bill of materials (SBOM) to back the attestation.
For developers, the mandate means the attestation has to stay true over time: the practices attested to, including continuous monitoring and automated testing in the build pipeline, must remain in place rather than be true only on the day the form is signed. App shielding adds a runtime defensive layer on top of that and protects deployed apps from a range of exploits, but the attestation is about how the software is developed, so shielding complements the SSDF practices rather than substituting for them.
“Verifiable security is becoming a baseline for federal software contracts,” says Tom. “This mandate will require software suppliers to ensure federal agencies comply with specified cybersecurity standards. The risk of non-compliance includes not just financial penalties but also exclusion from future government contracts, which could be detrimental. The good news is that mandates like this are usually phased in over time with deadlines set in advance.”
“Compliance is a journey, not a checkbox,” claims Simon Emery, head of partner alliances at Verimatrix. “Implementing continuous app and unmanaged device monitoring, plus automated testing, can ensure ongoing compliance. App shielding acts as a defensive layer to protect against exploitation, crucial for maintaining trust and integrity in government collaborations.”
3. Europe's Cyber Resilience Act (CRA)
The Cyber Resilience Act (CRA) is the European Union's bid to set a common, high security baseline for all products with digital elements sold in the EU, software and apps included. It entered into force in December 2024; the obligation to report actively exploited vulnerabilities applies from September 2026 and the remaining obligations from December 2027. With penalties of up to €15 million or 2.5% of global annual turnover, whichever is higher, for breaches of its essential requirements, the stakes are high.
App developers can comply by taking a security-first approach from design through deployment and beyond: the CRA expects security by design, a machine-readable SBOM, and a vulnerability-handling process that delivers security updates throughout the product's support period. Integrating app hardening into the CI/CD pipeline is a step many teams have already taken. Regular security audits and proactive vulnerability management, in particular testing against the OWASP Mobile Top 10, help developers meet CRA expectations and keep their products secure at every stage.
“The CRA isn’t just regulation; it’s a public commitment to digital trust,” offers Tom. “Fundamentally, it protects both consumers and the integrity of the digital market. It’s a proactive move to standardize security practices and enforce accountability across the tech industry in Europe. In time, this will likely spread worldwide.”
“Secure by design and secure in practice is what I like to say,” says Simon. “Developers who adopt a lifecycle approach to security—from rigorous app shielding to regular security audits from initial design through deployment—will find themselves on the right side of the law without having to try very hard.”
The Wrap-Up
Yes, DevSecRegs is becoming a thing, and the three regulations above are just the tip of a growing regulatory iceberg. Understanding and preparing for mobile app security regulations is crucial, not just to avoid penalties but to protect your business and earn your users' trust. As these regulations keep changing and new rules are created and enforced, the best approach for developers is to stay informed and act early.
Verimatrix XTD helps speed up the compliance process with protection features such as code obfuscation, anti-tampering, and runtime protection, which guard apps against malware, supply-chain attacks, and tampering, together with AI-driven threat detection for apps already in the field.
To maintain strong security, mobile apps need ongoing checks for vulnerabilities and compliance both before launch (security testing and review) and after it (monitoring of the app in the field). It helps to keep the two roles separate: one team hardens the app and another tests it, so that the testing stays independent and thorough.