“Gig economy” companies give independent contractors, online platform workers, and temporary workers the flexibility to build financial independence one platform at a time. In an age where employees are increasingly mobile and digital technologies have become ubiquitous in the workplace, companies must make sure they have secure systems for protecting their data, applications and communication networks. An important element of any business’s security strategy is focusing on “mobile app-first” solutions that prioritize protection of enterprise applications and ensure performance as businesses transition to a gig or remote workforce model.

This article highlights some security pitfalls faced by “mobile app-first” companies in the age of the gig and remote workforce. It then outlines the steps these online platform companies need to take to ensure that personal devices do not impact their personal data and privacy along with the company’s data.

Gig economy apps are platforms that independent workers and freelancers use to generate income by providing a service, such as ride sharing, food delivery, task completion, or general errands in near real-time. The gig economy has been on the rise for the past decade and has transformed the way people find and perform work. These apps help to connect companies and individuals to a vast network of freelancers with just a few clicks. According to the ADP Research Institute, this economy is worth $296 billion, with 68 million workers in the United States working as freelancers.

These apps act as hosts (typically run by a company) that allow workers to register for a contractor position; they find them new opportunities and pay them for the tasks and services they provide. In most cases, contractors use their personal device, or devices, to view available jobs and to accept forms of payment for these services. Since managing both jobs and payment are done on a personal device, contractors and companies should be aware of the security risks to their mobile device and business-critical data.

Registering a freelancer account normally means inputting personal and business information into a third-party vendor, including bank accounts, social security numbers, emails, and so on. Gig economy apps need to prevent the exposure of Personal Identifiable Information (PII) associated with the contractors. This also goes for regular users who are trying to use the app to acquire services, since they will be entering private information like credit card numbers. So how can app developers ensure that the data they capture from forms and inputs aren’t leaked outside the app?

Below, we will explore some important security risks associated with using mobile apps and BYOD (bring your own device) policies in gig economy companies.

Gig-economy companies employ teams of application developers who specialize in consumer-facing and contractor-accessed app functionality. App developers need to ensure that there are security mechanisms in place to protect against unauthorized access, theft, and the risks associated with outdated mobile operating systems.

With more and more data breaches occurring through infected applications, DevOps teams need to consider the following security risks when building contractor-accessed app features and functionality.

It is entirely possible that devices can be “bricked” or shipped with pre-loaded software that is not easy to remove and includes malware. For example, smartphones and smartwatches shipped from specific parts of the world could be leaking information back to unknown parties. This can happen, for instance, when there is a limited audit trail between hardware shipments, which creates an opportunity for covert actors to pre-load devices with malicious bootloaders.

Jailbreaking devices also increases risks, since the open-package software that users often install comes mostly from unverified sources. This could lead to unauthorized access, data theft, tampering, or unauthorized control of the device (or popular applications).

Mobile app-first companies are able to collect insane amounts of data from users, and most are not doing a good job of managing data theft scenarios (including both inside and outside attacks). In the case of data theft, the damage is measured in terms of thousands or millions of records. Once stolen, the records can be sold on the black market to scammers or adversary networks who will conduct further exploitations.

Data is vulnerable to theft when it is stored inside devices. This is also true with communication channels from the device to the remote app server. Launching a Man-In-The-Middle (MITM) attack on insecure channels or reverse engineering binaries can uncover security holes. This is a complex problem, and doctoral dissertations have been written about security and privacy models for such issues. Mobile app developers must go above and beyond to ensure that security controls are in place to protect their business from data leaks.

Users can be scammed by clicking on phishing links, downloading attachments, visiting an infected captive portal, or being conned into performing certain actions. If the mobile app-first company does not have security controls in place for auditing and reversing suspicious interactions, it can cause damage to both the user and the business.

With these risks in mind, we propose the following best practices for securing mobile app-first organizations.

Mobile application security takes many forms depending on who is deploying the solution. In a traditional business where IT admins deploy a BYOD or endpoint security solution, business-critical applications are vetted prior to being made available for employee download and use. As an independent contractor, this solution may not be available or above budget. Using a solution, such as Q-Scout, is a way to put security back in the hands of independent contractors and freelancers without breaking the bank.

Q-Scout, as a mobile application security tool, can scan an Android or iOS device and provide device owners with actionable insights into how the apps, both those used for gig-based jobs and personal, operate and share the data that is collected. For example, device owners can easily see if apps are sharing data with risky locations, requesting excessive permissions, or sharing data without protection. This information, along with steps to remediate device risks, can ensure that independent contractors, no matter the gig-based app or device, are practicing proactive data security.

In the same instance, platforms need to prevent the exposure of PII associated with contractors while ensuring the devices who are connecting to their expanded app features are not opening their network up to security risks.

There are several measures that can be taken to secure mobile app-first companies from data breaches. All of these security controls are easily implemented as part of a multi-layer defense strategy:

Similar to remote employees, independent contractors and parent companies should adopt proactive security policies when connecting to the contractor-enabled version of an application. Defining a foundational security posture for all devices can allow parent organizations to set a security perimeter without deploying a device management system. For example, requiring multi-factor authentication, enforcing minimum versions, or application security scans allow parent organizations to protect their business-critical data and maintain a secure environment for gig workers.

Since hackers can download the APK or binary image of your app, they can tamper with your mobile app and reverse engineer the code. If you expose secret keys in plain sight or have hardcoded credentials inside the binary, you risk exposing them to attackers.

Ensure that your mobile apps secure data at rest and use the latest TLS standards. Understanding the OWASP Mobile Top 10 threats and implementing secure communication controls like SSL pinning or E2E encryption, key rotation, and zero trust will help you protect against these threats.

Always be on the lookout for industry-standard authentication and authorization mechanisms like OpenID Connect, SAML, or the latest Google passkeys. This will protect against pervasive attempts from hackers to circumvent access controls, gain admin credentials, or execute privilege escalation.

Perform mobile app security testing to identify vulnerabilities and potential security risks. Ideally, this should be outsourced using a bounty program so that there is a good incentive for ethical hackers to break your app apart. After all, if they find a serious exploit, the cost to remediate it would be orders of magnitude lower than the reputational and financial losses you would suffer if a malicious actor were to find it first.

The gig economy supports a significant part of the global economy by offering new opportunities to conduct business with mobile applications. This shift has created new security challenges for companies since they have to be perpetually one step ahead of cybercriminal techniques and hidden exploits. Therefore, it’s critical to prioritize cybersecurity and cyber risk prevention to ensure that there are sufficient measures in place to protect sensitive data.

Adopting a dedicated mobile app security platform that can proactively identify and remediate security and privacy risks earlier in the development process will help you achieve both security and compliance.