Interview with Tom Tovar - Co-Founder at Appdome

Shauli Zacks

SafetyDetectives spoke with Tom Tovar, co-founder of Appdome, the only Native American CEO in Silicon Valley. Tovar’s entrepreneurial spirit and tech expertise have led him to build products that redefine security in the mobile app ecosystem. With a trailblazing approach, he pioneers DevSecOps platforms at Appdome, streamlining mobile app protection. Tovar’s remarkable career includes key roles in cybersecurity and enterprise software, contributing to notable acquisitions. Beyond business, his passions range from mountain climbing to being a proud dog-dad of the famed Corgi, Walter. Don’t miss insights from this visionary leader, as we discuss his journey and technological insights.

Thank you, Tom, for taking some time to speak with me today. Can you tell me a little about yourself and what led you to co-found Appdome?

Of course. I’m Tom, one of the co-creators of Appdome. I’m a self-taught coder and hacker. Initially, I was just an entrepreneur who enjoyed building mobile applications for fun while also using the process to educate myself.

I discovered that the security products in the market were difficult to use and lacked comprehensive documentation. This led me to the idea of creating a “vending machine” for mobile app security.

I managed to convince a few individuals, including some venture capital friends, to support this venture. It was an inspiring journey, and I was fortunate to have a talented CTO partner who surpassed me in coding in every way. Luckily, he was at a company that had an amazing engineering team and they were even more proficient in coding. We convinced the venture capitalist to let us build Appdome in that company.

The challenge in the field of security was evident. As most of us are aware, implementing security correctly is not a simple task—there’s a lot of complexity and it requires skill, resources, and time. My goal was to simplify this process, democratize it, and make security accessible to everyone, not only for the good of our business, but for the greater good of society.

Can you tell me about Appdome, and what it does?

Certainly. Appdome is a platform that automates mobile app defense. The best way to understand what we do is to compare us to tools like Git, CircleCI, Jenkins, or Travis—build systems used in CI/CD. We do the same thing, but for mobile app defense.

Developers use Appdome to bolster their apps with security features to combat fraud, malware, cheating, and other harmful threats. This can be done automatically within the DevOps pipeline—with no code, no SDK, and no additional work required.

Users simply designate a target application, select the desired protections, issue an API command, or click a button—and the system handles the rest. The entire process is 100% automated, making it incredibly user-friendly. Users can add features immediately after accessing the product, making the whole process as simple as toggling switches, and pressing buttons.

The true secret sauce of Appdome lies in our architecture and machine coding engine, which does all the work for you, irrespective of how you build the application. This transforms a traditionally challenging task into a simple, fingertip action.

We’re excited about the impact this has on the way people build and secure mobile apps. This is why our tagline is “code less, secure more.”

What are some of the factors that contribute to the growing popularity of mobile apps when compared to traditional web channels?

Web and the internet came first and, back then, there was often a debate about whether one was a digital native or a digital immigrant. Personally, I was a digital immigrant.

Today, mobile is the new dominant platform. It’s where we all naturally gravitate. The devices we carry around have become our portal to everything – they are now our wallets, our cameras, our personal assistants and more.

The increasing functionality of mobile devices, and the omnipresence of mobile apps across various platforms, whether it’s a VR headset, a car, or even a refrigerator, signify that consumers have shifted from desktop or laptop environments to mobile. This shift can be attributed to ease, convenience, accessibility, and the variety of services provided by mobile apps.

Consider your own usage. How many mobile apps do you use on a weekly basis? You probably use between 18 to 20 apps for various tasks. Plus, the ability to personalize your screens and organize a suite of services based on your preferences contributes to the growing appeal of the mobile app experience over the web experience.

While I don’t think the web will completely disappear, the data we have suggests that mobile usage is dramatically increasing while web usage is either remaining flat or starting to decline. People are increasingly opting for the native application experience. The debate about whether web apps would dominate over mobile apps was relevant around five to eight years ago, but now, mobile apps are significantly more popular.

What are super apps, and what are their main cybersecurity challenges?

Super apps are collections of services contained within a single app. Inside a super app, you can find a store, a loyalty program, and various vendors’ services. It’s comparable to the supermarkets of the past, like Walmart, that offered everything you could possibly need in one place.

Super apps are extremely appealing, and most brands strive to create them. For instance, a platform could evolve from solely being a purchase platform to a purchase, shipping, and support platform, amalgamating all these services into one super app.

However, protecting super apps presents a unique challenge because they often contain third-party components not controlled by the primary developer. This raises the question of how to establish security models that are compatible with all the different mechanisms within the application. For an individual developer, the complexity curve can be off the charts, as they now have to protect components for which they don’t have access to the source code. As a result, there are naturally going to be more vectors of attack.

That said, the attack scenarios faced by super apps are similar to those faced by regular, single-purpose apps. Issues like fraud, reverse engineering, data theft, overlays, fake input, and fake users are just as prevalent in super apps as they are in standalone apps.

The challenge for developers in super apps is that they must protect components they don’t control or own, and hence lack access to their source code. However, the good news with Appdome is that this distinction becomes irrelevant. The machine essentially protects all the components of the application, whether they’re built by the developer or a third party.

From Appdome’s perspective, we’ve solved the complexity challenge between a straightforward single-purpose app and a super app, enabling easy defense against all vectors of attack.

Our customers who transition from a single-purpose app to a super app often ask if they need to keep anything in mind as they add these functionalities and if it will change their security model. Our response is always “no.” Build your app the way you want, and as you add third-party components, Appdome’s platform will identify and protect those components in the same way we’re protecting your native code. Our goal is to simplify the process for everyone, keeping true to our promise of a one-button, one-click solution.

What features or practices are consumers expecting to see in mobile apps to ensure that they’re secure?

Based on our 2023 global consumer survey, we’ve found that consumers are quite cyber-savvy. They are very clear about the differences between compliance aspects such as data encryption, and issues like fraud, malware, and other types of attacks.

Consumers have a clear hierarchy of expectations when it comes to security. Most, if given the choice, would say that features and security are synonymous – security doesn’t take a backseat to features, it’s equally important. From a development or product management perspective, this means we cannot deprioritize security compared to other features we plan to release.

Consumers also expect top-tier security. They want protection for their login and data, and against malware and fraud. Our 2023 survey revealed that most people, if asked whether they’d prefer protection from fraud or reimbursement after fraud has occurred, would choose to avoid the fraudulent situation altogether.

Their high degree of awareness and expectation is tied to how central mobile apps have become in our lives. If we compare this to the automobile – when cars were initially considered luxuries, seatbelts, airbags, crumple zones, and anti-lock brakes weren’t a focus. However, as cars became integral to our lives and identities, safety standards rose. Today, we discuss features like collision assistance and self-driving cars. The same trend is true for mobile apps. As these apps become more central to user experiences, their security expectations rise accordingly.

When we ask consumers if they’d be willing to sacrifice security as long as the app works well, the answer is overwhelmingly “no.” Today, with so much potential for identity theft and the extensive amount of personal data we store on our devices, security is non-negotiable. Mobile natives (those who grew up using mobile technology) have slightly higher security expectations than mobile immigrants (those who migrated to mobile technology from the traditional internet), but the consensus is clear: security is paramount.

Can you explain the concept of screen overlay attacks and how they are employed in mobile fraud?

Sure, mobile attacks are quite broad and varied, but specifically, screen overlay attacks work by either mimicking a specific screen in an application or providing a transparent overlay over a screen in an application. This can be done at the screen level or even the field level.

The most straightforward use of an overlay attack is to trick a user into entering information into that false screen, thereby giving the information to an attacker. But it’s not only about stealing data: overlay attacks can also be used to initiate transactions on the user’s behalf, to inject or log keystrokes, or even just to track the user’s movements and activity.

So, overlays can just sit there and collect data on everything you’re doing without you even knowing it. If the overlay is transparent, you might be entering information into the application without realizing you’re entering it into two applications – the transparent overlay and the legitimate application.

Overlay attacks are sophisticated forms of malware. The malware is usually delivered through an unrelated application that you might have downloaded at some point. They’re quite serious, but they’re certainly not the most serious of attacks possible on mobile apps.

However, the good news is that with Appdome, developers and publishers can easily defend against overlay and similar attacks by just turning on a switch or clicking a button in the app. So even though overlay attacks are complex, their defense has been simplified to a choice, an API call, or a button click, and then everyone is protected.
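As an added illustration of the defensive side of what Tovar describes above (this is example code written for this page, not Appdome’s product code and not part of the interview), the Android framework exposes a check an app can apply to its own sensitive views: a touch that reaches a view while another window is drawn over it carries the `FLAG_WINDOW_IS_OBSCURED` flag (or `FLAG_WINDOW_IS_PARTIALLY_OBSCURED` on Android 10 and later), and `setFilterTouchesWhenObscured(true)` tells the framework to drop such touches outright. The class name `ObscuredTouchGuard`, the `protect` helper and the log and toast messages are assumptions made for this example.

```java
import android.os.Build;
import android.util.Log;
import android.view.MotionEvent;
import android.view.View;
import android.widget.Toast;

/**
 * Touch listener that refuses taps arriving while another window covers the view.
 * (Hypothetical helper written for this example; class name is an assumption.)
 */
public final class ObscuredTouchGuard implements View.OnTouchListener {
    private static final String TAG = "ObscuredTouchGuard";

    /** Apply both the framework filter and the listener to a sensitive view (e.g. a "Pay" button). */
    public static void protect(View sensitiveView) {
        // Framework-level defense: the system discards touches delivered through an obscuring window.
        sensitiveView.setFilterTouchesWhenObscured(true);
        // Listener-level check so the app can also log the attempt and warn the user.
        sensitiveView.setOnTouchListener(new ObscuredTouchGuard());
    }

    /** True when the event's flags say another window was covering the view. */
    static boolean isObscured(int flags) {
        boolean fully = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        // The partial-obscured flag only exists from API 29 (Android 10) on.
        boolean partially = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q
                && (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
        return fully || partially;
    }

    @Override
    public boolean onTouch(View v, MotionEvent event) {
        if (isObscured(event.getFlags())) {
            Log.w(TAG, "Touch on view " + v.getId() + " arrived through an overlay; dropping it");
            Toast.makeText(v.getContext(),
                    "Another app is drawing over this screen. Close it and try again.",
                    Toast.LENGTH_SHORT).show();
            return true; // consume the event so the click never reaches the view
        }
        return false; // not obscured: let normal click handling proceed
    }
}
```

This check covers the transparent-overlay variant Tovar mentions, where the user’s touch passes through the attacker’s window to the real app. It does nothing for a fully opaque fake screen that captures the input itself, since in that case the legitimate view never receives a touch at all; that variant has to be addressed by other means (such as limiting which apps may draw over others, or out-of-band confirmation of sensitive actions).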

About the Author

Shauli Zacks is a tech enthusiast who has reviewed and compared hundreds of programs in multiple niches, including cybersecurity, office and productivity tools, and parental control apps. He enjoys researching and understanding what features are important to the people using these tools.