Mobile apps must bolster security vs escalating automated threats — expert

By Miguel Hanz L. Antivola

Mobile app security is becoming a priority for brands and developers as the threat landscape evolves with automation, according to an expert.

“It’s only going to get worse,” said Jan Sysmans, a mobile app security evangelist at Appdome, in an interview with BusinessWorld.

“The bar to creating malware has lowered with generative artificial intelligence (AI).”

According to a report by Appdome in 2022, 40.1% of Filipino consumers believe that “all apps” should have the highest level of security, particularly those that share personal information.

Moreover, 38.4% of Filipino consumers expect the highest level of security with eWallet, money transfer, and payment apps.

However, mobile app companies usually only take action when they fail penetration tests or receive negative reviews from the central bank, according to Mr. Sysmans.

In March of last year, the Bangko Sentral ng Pilipinas (BSP) issued Circular No. 1140, which amended risk management regulations to mitigate losses from online fraud and illicit activities.

Financial institutions were required to present their strategies to the BSP starting in September of last year, and fraud prevention and detection programs were to be operational by December 31 of the same year.

Additionally, the BSP issued regulations on cybersecurity risk management (BSP Circular No. 982, dated Nov. 9, 2017) and cyber incident reporting (BSP Circular No. 1019, dated Oct. 31, 2018).

Appdome engages with regulators to discuss the threat landscape that the company observes.

“If they approach us and are willing to listen, we have the ability to help them raise awareness about new threats and attacks,” said Mr. Sysmans.


A key trend in the evolving threat landscape is automation, which Mr. Sysmans referred to as the biggest incentive in the exploit economy.

Mr. Sysmans added that automated threats necessitate automated protection and defense strategies.

During conversations with chief information security officers (CISOs), Mr. Sysmans observed that the latest advancements in automation contribute to increased data vulnerabilities in mobile apps due to the ease of launching attacks.

“One of the assumptions we had was that once a brand starts protecting against a certain attack, the attack will cease to exist. This is not true,” said Mr. Sysmans.

“The attackers have created scripts using automation, and they will continue attacking until they find the desired functionality.”

According to a TransUnion report, about 71% of Filipinos surveyed in the fourth quarter of last year said that they had been targeted by digital fraud attempts across various communication channels. Among all those surveyed, 11% fell victim to such attempts during the same period.

Phishing and smishing (both at 46%) were the most commonly reported fraud schemes experienced by Filipino consumers, followed by third-party seller scams (33%) and identity theft (25%).

The significant prevalence of these automated threats necessitates immediate action from brands and developers.

According to the Appdome report, 75.7% of Filipino consumers said that they would “likely” or “very likely” cease using a mobile app and advise their friends to do the same if their data is breached or hacked.


Prioritizing security will pay off in higher growth, as noted by Mr. Sysmans, with 95% of Filipino consumers saying that they would become brand advocates if security is guaranteed.

“The days when app makers and developers can shift the responsibility of security onto the consumer are over,” Mr. Sysmans said.

According to the report, Filipinos ranked “a developer that doesn’t care about my security” as high of a threat as on-device malware, both at 28.3%.

Mr. Sysmans emphasized that brands and developers need their security teams to fully embrace “developer best practices.”

“Start speaking the language of developers regarding rapid releases, agile delivery, and providing developers with the ability to easily integrate the necessary security model into mobile apps,” he said.

“Include artifacts of proof and checkpoints throughout the development process to ensure the correct security model is being utilized.”