Mobile apps have become mainstream tools that are critical to the success of businesses. But as mobile app technology becomes more sophisticated to improve the user experience, security risks also become more complex. Despite their convenience- or perhaps because of it- mobile apps generally function in insecure environments. One of the main selling points of mobile apps is that they provide a centralized space to perform multiple tasks and solve more than one problem. Everything they need to operate is included within the app and easy to access.
The State of Mobile App Security Now
You may be surprised to learn that even in this digital era, many mobile apps lack basic security. The ones that don’t lack basic protection often implement it superficially, which means that measures are easy to bypass using accessible tools or reverse engineering techniques. To be truly secure, mobile apps need a multi-layered defense in several core areas.
One of those involves data encryption, which is necessary to protect the data stored in and utilized by the app. Mobile apps also require code obfuscation and application shielding to protect the mobile app binary and source code. This works against reverse engineering. But that’s not all. As data is transferred between the app and the app’s backend, this communication of data must be secure. Checking the authenticity of the digital certificates used to establish safe connections is vital to ensuring that a mobile app is secure. OS protection is also important to guard the app against unauthorized modifications designed to hack the operating system, such as jailbreaking or rooting.
Are iOS Apps Really More Secure than Android Apps?
Then there’s the widely held belief that Android is less secure than iOS for mobile apps. However, if one looks closely at statistical data, this is little more than a rumor that spreads like wildfire because most people don’t have the tech-based knowledge needed to make a determination like that. And those who do have some knowledge rarely have enough to fully understand the complexity of the technology involved in securing a mobile app. That has nothing to do with intelligence or capability; it is simply a lack of extensive education about a very complicated subject. That’s why these posts can be helpful- we try to provide an overview of what you need to know, which in this case is how to keep your apps safe from outside threats.
In any case, a global survey of 10,000 mobile app developers in 2021 found that the security expectations of Android and iOS users are basically the same. So the security issues facing developers on both platforms are markedly similar despite nuanced differences. What developers need to use is a balanced combination of source code, OS protection, data encryption, and secure communication in both Android and iOS versions of their app. Creating a consistent security defense is key.
Today’s Developers Employ a DevOps Approach
Enter the shift-left security approach. The main idea behind this tactic is that processes should ideally shift earlier in the software development process. Shifting processes like testing and security to the development stage can prevent mistakes from passing through advanced stages of the Software Development Life Cycle. This is a DevOps philosophy. Essentially, DevOps seeks to remove any barriers that might exist between software development and IT operations.
Essentially, DevOps seeks to combine software development with IT operations. Its main goal is to increase the speed, efficiency, and security of software development and delivery compared to traditional processes. More than any singular set of actions, DevOps is a philosophy that combines many different practices to improve the life cycle of software development.
It can be categorized by the four main principles below:
Automation of the software development cycle
Communication and Collaboration
Continuous improvement and reduction of waste
Hyperfocus on user needs with a short feedback loop
Commercial vendors are now providing developers with static application security testing (SAST) tools that are easy to use. These are designed to scan source code to isolate known patterns of vulnerabilities that can compromise security. That said, developers have complained that SAST tools can sometimes produce alerts for too many minor software errors. Most recognize their importance anyway because they can be conveniently integrated into the development process. And as we all know, eliminating potential problems early saves money- sometimes a whole lot of money.
Think of it this way: SAST tools speak the same language as developers. Most of them support Java, .Net, and forms of C, C++, and C#. By integrating into the development environment, they teach developers how to habitually use secure software patterns. SAST tools also demonstrate how to avoid code libraries that are commonly insecure.
Some potential pitfalls: Some SAST tools produce too many false positives, which can force the developer to spend too much time rooting out real problems. In addition, there is a tax associated with the SAST results, so finding too many isn’t the desired outcome.
Dynamic application security testing (DAST) is a more strategic approach. While static (SAST) tools work by giving developers feedback and teaching them at the same time, dynamic (DAST) tools dive right in to weed out the biggest threats. Usually performed by QA teams, dynamic testing zeroes in on the most exploitable vulnerabilities. It doesn’t necessarily produce as much feedback as static testing does- but this saves time by eliminating the need to sort through found errors and decide which are serious problems that must be addressed. SAST tools are much more useful for giving managers and security teams information about developers’ progress in eliminating bugs.
Basically, DAST testing cuts straight to the chase. It immediately roots out the vulnerabilities that pose the most potential harm and are exploitable by the “bad guys”. SAST testing shares nearly every vulnerability it finds, and not all of these pose a threat. However, by having all the information provided by static testing, developers learn how to avoid making mistakes in the future.
So should developers use static or dynamic testing? The answer is usually both. In the interest of saving time and money, developers need to know how to recognize patterns, avoid recurring problems, track their progress, and root out the biggest problems quickly.
While static and dynamic testing have both been around for a while, interactive application security testing (IAST) testing is new on the horizon- and promises to find attacks that other tools miss. Essentially, IAST runs as an agent and allows you to collect and analyze data from running apps.
Interactive analysis attempts to do what static and dynamic tools cannot: It functions to turn the application itself into a security testing tool. By installing software agents on an application server or by instrumenting the app at development time, interactive techniques enable the collection of data on application and security events.
Combining static, dynamic, and interactive analysis can help reduce false positives and educate developers to find long-term solutions. But IAST tools do more than just detect potential threats- they can help you block these threats before they become a problem. Runtime application self-protection (RASP) technology was born out of interactive analysis. It works to immediately prevent attacks as they are observed by IAST tools.
You may be wondering: How accessible is interactive analysis? Although IAST tools are on the market, they’re still relatively new and immature. Aetna is currently strategically evaluating IAST products, and views them as very promising. For developers who want to explore the technology as an option, try piloting a tool to find out if it’s right for your program.
Yet another technology known as functional application security testing (FAST) may help move DAST testing left in the lifecycle. To break it down, FAST uses DAST with functional technology to integrate fully automated dynamic testing into the DevOPs pipeline.
Which Technology is Right for You?
When deciding which technologies you should focus on, consider these factors: How secure your development lifecycle currently is, what type of software you have under development and the resources you have to dedicate to implementing security testing tools.
Also, take this advice from NCR’s enterprise security architect Nir Valtman: Progress is much more important than how many security threats you are facing at the moment. In the long run, if your trending patterns show improvement because you are learning from mistakes, that’s what really counts.
Container Security Continues to Face Challenges
When news of the massive SolarWinds hack broke, companies around the world became alerted to the security risks in their own software supply chains. During that attack, hackers planted malware in the SolarWinds production system. This malware was distributed to customers through malicious software updates. Cloud-native environments are trending and quickly becoming the norm. With the help of containers and orchestration tools that facilitate scalability and resilience, these environments are made possible.
But according to Achore’s CTO Dan Nurmi, “the ability to bring in containers from repositories such as GitHub or other spaces increases the potential for a security breach”. He warns against using containers from places that have not been vetted.
All in all, the security of cloud-native apps necessitates a continuous application security approach. While many tasks can be delegated to the cloud service provider, organizations remain responsible for keeping data secure. Enter static analysis again- you’ll need to discover vulnerability categories related to cloud-native apps. You’ll also need to identify and anticipate threats to the framework of the specific cloud provider that you are using. This is one example of many in which DAST testing is not enough.
One innovative approach to keeping apps safe from outside threats is to engineer them yourself. Yes, you read that right. According Gaurdsquare’s Chief Product Officer to Ryan Lloyd, who attended the Black Hat USA 2022 conference, staging your own attack is a powerful defense. What better way to know what you’re up against than to experience it firsthand? Many presenters at the Black Hat recommended doing this or observing someone else engineer a breach from the perspective of the attacker.
Self-engineered attacks are also educational. They increase your knowledge of how reverse engineering works on both Android and iOS applications. The better you understand the mechanisms of security threats, the more able you are to protect yourself and prevent them.
Mobile app security is a complex subject with many facets to consider. Since it would be impossible to cover everything you need to know about it just by summarizing trends, stay tuned for future posts that explore trends in more detail.