AppLovin: Managing risk and growing the global app ecosystem
Apple’s 2009 advert – which coined the phrase ‘There’s An App For That’ – was just the beginning. Over the last 13 years, there has been a global explosion of app downloads ranging from mobile games to productivity tools. And, with figures from Statista suggesting there were 230bn global mobile app downloads in 2021, there are no signs of a slowdown.
For AppLovin, a leading growth platform with an ultimate mission to grow the global app ecosystem, the goal is to help developers expand their audience and their revenue while helping the industry continue to thrive.
Since launching in 2012, AppLovin has been instrumental in defining many of the world’s most popular apps and game studios. The company’s leading mobile marketing and monetisation platform provides app developers with a powerful, full-stack solution to solve their mission-critical functions like user acquisition, monetisation, and measurement.
“Really, at the end of the day, the goal is to grow that whole app ecosystem,” explains Jeremiah Kung, AppLovin’s Global Head of Information Security and Compliance.
“Growing up, we didn't have cell phones, we barely had the internet,” he laughs, “and now it's different.”
“Everything's on the phone, and apps are growing,” he adds. “We want to grow that ecosystem so that everyone is successful – from the developers and the applications to the businesses and the advertisements behind that – so that it's a win-win for everybody.”
A risk-off approach to cybersecurity
Trust and transparency continue to be incredibly important for both organisations and individuals, with concerns around data protection increasing in recent years. As Kung explains, from an information security perspective, by not storing personal information from devices, AppLovin takes a ‘risk-off’ approach.
“From a security point of view,” he says, “our technology never knows who owns the device and only captures what ad types that device interacts with. For example, it's more like: ‘That device likes Wordscapes games, so let’s send them more ads for Wordscapes-type games’ as they will be more likely to download. We never know who the owner of the device is,” Kung adds.
“We removed the significant risk from the equation, which ensures significant risk reduction from an InfoSec perspective.”
The app market may have been on a meteoric rise in recent years, but as with all industries, there is a negative side, with bad actors posing daily threats. For Kung, who joined the business in May 2022, transparency is particularly important when it comes to cybersecurity.
“I try to stay as plugged in as I can to the business so I can understand the threat and risk,” he comments. “I've added tools and processes, but I think what really counts from the cybersecurity piece at this point is transparency.”
“This is a highly technical company with a lot of smart people. My first priority for information security was to conduct assessments; I did my poking and prodding, and penetration testing.”
“They have made some really smart choices and done some really clever things,” Kung adds. “We’re now focused on adding enhancements and improvements over time. The one improvement we added for the cyber side was transparency.”
Cyber success is down to people
For Kung, a cybersecurity professional with more than 20 years of experience in the industry, the key factor in driving a successful cybersecurity programme is the people.
As he explains, when joining AppLovin, the first thing he did was create an advisory programme to sit and talk to developers, establishing conversations and processes around when to introduce InfoSec checks.
“We’d have a conversation around what the developers are working on to determine the best point in time for my team to conduct penetration tests,” Kung says. “And, we’ll have regularly scheduled conversations to check in.”
In a fast-paced environment such as the technology industry, it’s also highly important not to sacrifice the speed of development. Having joined AppLovin following several cybersecurity roles at financial institutions, Kung is particularly aware of the differences between working in cybersecurity on the east and west coasts.
“Coming from a banking organisation or FinTech, you’re so highly regulated,” Kung comments. “You have to find everything and fix everything before it goes to production. The CISO must sign off on everything, and it doesn’t go to production until they’ve done all their tests and they’re happy that everything’s fixed.”
“But here,” he adds, “our business success depends on the velocity of our releases. So, it’s all about how you find that perfect momentum of putting the security controls in place but not slowing the process down.”
“That’s what’s really fascinating – finding that balanced mix. And at the end of the day, it comes down to people.”
“We have extremely talented developers who are willing to work with us. We have tools that give us visibility, and we are also willing to work with the team. I’m not going to hand them scan reports and say, ‘Here are some findings, go fix them’. I commonly say, ‘These are the findings, let me look at them, and perhaps we find things which might be an issue’. This allows us to track if it’s a quick fix – and if not, we’ll ensure it’s prioritised in the next release.”
Managing third-party risk
With a rising number of security breaches arising from third-party relationships, managing third-party risk is a particularly relevant issue in cybersecurity – especially in light of the SolarWinds attack, which opened many eyes to the dangers of insufficient onboarding and monitoring of third-party vendors.
“I aim to look at all threats and ensure they’ve been looked at,” Kung explains. “Third-party risk is a great one. For vendors we’re doing business with, we ask questions to ensure that they are properly secured, and will protect our data.”
“You don't want to say, 'Here are 1,000 questions, please answer them', to every company you work with. That could potentially slow things down,” he says. “Instead, we'll do our own assessment, and we’ll come regularly to reassess and ask questions.”
Particularly in the cybersecurity world, a strong network of partnerships is vital – and AppLovin is no different. In addition to a partnership with Google, Kung explains that working with smaller companies, such as Data Theorem and MAKINSIGHTS, has significant advantages.
“I have liked working with the smaller, hungrier companies because they're willing to work with you,” he muses. “Especially in a SaaS world, you can't be on your own and just have your own developers build everything. As smart and as efficient as they are, we do need to partner with some vendors out there.”
“With Data Theorem, I met with their CEO quarterly, when I was back at EastWest Bank,” Kung says. “At the time, we were building mobile apps to do business banking in China as well as the United States, so the security needed to be top-notch.”
During the search for a tool to protect against Magecart attacks, a discussion with Data Theorem’s CEO led to the development of a ‘hack toolkit’, which could detect a multitude of vulnerabilities with the push of a button.
“It’s been interesting to watch them grow their business from just scanning the mobiles to the web to then creating a piece for cloud security, and followed this up by creating a piece for API security,” Kung says. “These were all the things I was worried about, and now I had just the tool I needed in order to find this solution.
“MAKINSIGHTS is another great example of a nimble company: they came on board and provided excellent service by supplying us with skilled former ‘Big Four’ consultants, many based out of LATAM,” he adds. “Working with MAKINSIGHTS brings the latest in cyber processes, policy, governance advice, risk assessment, pen testing – essentially the full gambit of Information Security from an outside perspective.”
AppLovin has also been partnering with Google, utilising cutting-edge tools in both the cyber and the cloud space.
“A lot of times, solutions are being built on-premise and tend to be legacy, and slower,” Kung explains. “Google is doing some pretty innovative work now in the cloud, engineering-wise. By partnering with Google there are a lot of interesting options we're considering, including looking at information security from a different point of view than the typical push-button compliance checklist.”
How organisations manage InfoSec is changing
In an increasingly cloud-based environment, Kung predicts there will be shifts in the way organisations manage their information security.
“At the end of the day, security never really has an end state,” he says. “Threats are always changing and the business is always evolving. Eventually, more and more systems are going to move to the cloud. Larger institutions will be tougher, but smaller companies and high technology companies are mostly going to be in the cloud. And, if they’re not already there, they’re going to start moving to Kubernetes and to serverless functions, which is really going to shift the way we do information security.”
With different threat factors and different attack surfaces to look at, organisations need to be constantly assessing security threats while thinking outside the box.
“Passwords are pointless,” Kung states. “You really should be doing multi-factor authentication (MFA) – those are ways of thinking outside the box of technology.”
“I've seen some really cool ideas from Transmit Security, who had an awesome tool that would get to know who you are,” he says. “We would know a user held the phone in a particular way, so we can authenticate it – a robot, for example, wouldn’t be holding it at all. I don’t know if that's the ultimate solution, but out-of-the-box thinking like that is where we need to go.”
And, with AppLovin’s goal to continue growing the app ecosystem, InfoSec will similarly continue to hold a vital role.
“I'm definitely looking at every new product we're coming out with, making sure it's secure and focusing on helping grow the business without slowing it down,” Kung comments.
“For AppLovin, the goal is to continue to grow the business and the app ecosystem, even at a time of economic uncertainty,” concludes Kung. “We're focused on growing that ecosystem, helping it thrive, and moving it forward.”