How Web Security Testing Fails Mobile Apps
Mobile applications drive over 70% of all digital traffic, and usage will continue to grow as more businesses undergo mobile digital transformation to drive revenue, engage with customers and gain insights through data analytics. While mobile app innovation and functionality continue to evolve, security remains stagnant. Security risks continue to rise, and many security teams use legacy web-based testing tools and techniques to verify the security of their mobile apps.
Some security professionals may be unaware of the broader attack surface of mobile apps, as well as the significant gaps in coverage when using a web-based approach to mobile app security testing. A recent DevSecOps survey from IDC indicated that 54% of organizations report that they have a mobile app security testing (MAST) program. However, a NowSecure MobileRiskTracker benchmark analysis showed 85% of all mobile apps in app stores have medium or high-risk vulnerabilities and over 70% leaked private data. What’s more, 50% of mobile apps have insecure storage/cryptography issues and 48% have insecure network issues. These areas require mobile-specific binary SAST/DAST/IAST testing to uncover issues that traditional web SAST/SCA tools cannot cover.
This disconnect shows that either mobile AppSec teams assume a lot of risk while testing or, more likely, they use web security tools that do not properly test with mobile-specific requirements and techniques, leaving them with a false sense of security. In order to safeguard mobile apps, security teams must familiarize themselves with the key differences between web and mobile app security testing and adopt purpose-built mobile AppSec testing tools and techniques to prevent security vulnerabilities from escaping into the wild.
Web Vs. Mobile Architecture
Security teams should understand the key architectural differences between web and mobile apps:
- A mobile app binary is shipped to, and runs on, devices the attacker controls, and it is readily decompiled or disassembled. Attackers can recover the source, embedded secrets such as API keys and credentials, proprietary logic and calculations, and a map of your backend endpoints and infrastructure. A web app's server-side code never leaves the organization's infrastructure; only the rendered HTML, JavaScript and API responses reach the client.
- Securing mobile network communication is complex and requires proper skills. For web apps, the browser implements TLS (historically SSL): loading a page over HTTPS gives the developer certificate validation and hostname checking for free. A mobile app ships its own HTTP client, and the developer owns its configuration. Platform defaults such as App Transport Security on iOS and the Network Security Config on Android are sound, but they can be relaxed or bypassed in code, and a single permissive trust manager or hostname verifier silently removes the protection HTTPS was supposed to provide. Developers must therefore understand certificate validation, hostname verification, cleartext policy and, where warranted, certificate pinning, and implement them correctly.
- Securing mobile data storage is critical for all data on the device. A web app keeps sensitive state on the server and hands the browser only short-lived cookies and tokens. A mobile app persists data on a device that can be lost, stolen, rooted or backed up, so developers must choose the right store for each item (the Keychain on iOS, Keystore-backed encryption on Android), and handle cryptography, file permissions and backup settings themselves. The app sandbox helps, but it does not protect data on a rooted or jailbroken device or in device backups.
- Mobile operating systems, languages and SDKs change much more frequently than web technologies. Apple and Google ship a major OS release roughly every year, with SDK, API and security-model changes in between. Security teams need to track every release, because each one offers new features to take advantage of but can also expose a new attack vector or introduce behavior changes that require immediate remediation.
- Mobile devices have more sensors than the laptops and desktops that run web apps: GPS location, accelerometers, ambient light, proximity, gyroscopes and many other sensors are found primarily in mobile devices, and access to them must be permissioned, minimized and protected from tracking and data theft.
- Mobile app testing has greater complexity compared to web app testing. Security professionals and automated scanners can easily drive a web browser to perform security testing. A mobile app has to be installed and driven on a real or emulated device, and runtime protections such as jailbreak and root detection, emulator detection, anti-tampering and anti-automation controls, which are desirable in production, actively resist the instrumentation that manual and automated testing depend on.
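The certificate-pinning point in the network bullet above is easier to get wrong than it sounds, because the pin is not a hash of the certificate but of its SubjectPublicKeyInfo. The following Python example is added here and is not code from the original article or from NowSecure; it computes pins in the format OkHttp's CertificatePinner and Android's Network Security Config expect (base64 of SHA-256 over the DER SubjectPublicKeyInfo) using only the standard library, and renders a pin-set with the backup pin that key rotation requires. The certificates it parses are constructed, unsigned samples built inline; the `der`, `extract_spki`, `pin_from_cert` and `network_security_config` names are this example's own.

```python
"""Compute certificate pins the way OkHttp's CertificatePinner and Android's
Network Security Config expect them: base64(SHA-256(DER SubjectPublicKeyInfo)).
Standard library only; the DER walker is deliberately minimal."""
import base64
import hashlib


def der(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder (definite length); used only to build the sample certs."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER element at buf[pos]; return (tag, value, end_offset)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def _children(body: bytes):
    """Yield (tag, value, raw_tlv) for each element inside a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, value, end = _read_tlv(body, pos)
        yield tag, value, body[pos:end]
        pos = end


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw DER of subjectPublicKeyInfo from an X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { version [0] EXPLICIT OPTIONAL, serialNumber,
        signature, issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, cert_body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, tbs_body, _ = _read_tlv(cert_body, 0)
    fields = list(_children(tbs_body))
    if fields and fields[0][0] == 0xA0:     # optional [0] EXPLICIT version (v2/v3 certs)
        fields = fields[1:]
    spki_tag, _, spki_raw = fields[5]       # serial, sigAlg, issuer, validity, subject, SPKI
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki_raw


def pin_from_spki(spki_der: bytes) -> str:
    """OkHttp / Network Security Config pin string for a DER SPKI."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def pin_from_cert(cert_der: bytes) -> str:
    """Pin the key, not the certificate: a renewal with the same key keeps the pin valid."""
    return pin_from_spki(extract_spki(cert_der))


def network_security_config(domain: str, pins: list, expiration: str) -> str:
    """Render a Network Security Config pin-set; a backup pin is mandatory for rotation."""
    if len(pins) < 2:
        raise ValueError("provide the live pin plus at least one backup pin")
    pin_xml = "".join(f'      <pin digest="SHA-256">{p[len("sha256/"):]}</pin>\n' for p in pins)
    return ('<network-security-config>\n'
            '  <domain-config cleartextTrafficPermitted="false">\n'
            f'    <domain includeSubdomains="true">{domain}</domain>\n'
            f'    <pin-set expiration="{expiration}">\n' + pin_xml +
            '    </pin-set>\n  </domain-config>\n</network-security-config>\n')


# --- constructed sample data: unsigned, made-up certificates, not real ones ---
_RSA_OID = bytes.fromhex("06092a864886f70d010101")          # 1.2.840.113549.1.1.1
_SHA256_RSA_OID = bytes.fromhex("06092a864886f70d01010b")   # 1.2.840.113549.1.1.11
_NULL = bytes.fromhex("0500")


def _sample_spki(key_bytes: bytes) -> bytes:
    return der(0x30, der(0x30, _RSA_OID + _NULL) + der(0x03, b"\x00" + key_bytes))


def _sample_cert(spki: bytes, v3: bool) -> bytes:
    name = der(0x30, der(0x31, der(0x30, bytes.fromhex("0603550403") + der(0x0C, b"pin-demo"))))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    sig_alg = der(0x30, _SHA256_RSA_OID + _NULL)
    fields = [der(0x02, b"\x01"), sig_alg, name, validity, name, spki]
    if v3:
        fields.insert(0, der(0xA0, der(0x02, b"\x02")))  # version [0] EXPLICIT INTEGER 2
    tbs = der(0x30, b"".join(fields))
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + b"\xaa" * 16))  # fake signature


SAMPLE_SPKI = _sample_spki(bytes(range(1, 33)))
ROTATED_SPKI = _sample_spki(bytes(range(33, 65)))
SAMPLE_CERT_V3 = _sample_cert(SAMPLE_SPKI, v3=True)
SAMPLE_CERT_V1 = _sample_cert(SAMPLE_SPKI, v3=False)
ROTATED_CERT = _sample_cert(ROTATED_SPKI, v3=True)

if __name__ == "__main__":
    live, backup = pin_from_cert(SAMPLE_CERT_V3), pin_from_cert(ROTATED_CERT)
    print(network_security_config("api.example.com", [live, backup], "2026-01-01"))
```

For a real server, `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))` yields the DER bytes to feed `pin_from_cert`. Two caveats a tester should check for: a pin set with no backup pin turns the next key rotation into an outage, and an app that pins correctly but also installs a trust-all TrustManager or a hostname verifier that always returns true has still undone its own TLS.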
OWASP and MITRE ATT&CK
To understand how to secure mobile apps, security teams should review the techniques and best practices from two leading resources: The Open Worldwide Application Security Project (OWASP) and MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK).
The OWASP Mobile Application Security (MAS) project developed a comprehensive set of resources to better secure mobile apps. To ensure secure development and comprehensive testing coverage, mobile AppSec teams can refer to the OWASP Mobile Application Security Verification Standard (MASVS), which defines the security requirements, and its companion Mobile Application Security Testing Guide (MASTG), which describes how to test each of them. OWASP MASVS organizes its controls into seven critical areas: storage, cryptography, authentication, network communication, platform interaction, code quality and resilience.
MITRE ATT&CK catalogs adversary tactics and techniques derived from real-world attacks on applications, networks and systems infrastructure. Like OWASP, MITRE treats mobile as its own domain and maintains a separate ATT&CK for Mobile matrix covering Android and iOS. It focuses on mobile-specific techniques such as supply chain compromise of apps and SDKs, abuse of mobile operating system features and device sensors, subversion of device controls, and interception of SMS and other communication channels.
Becoming familiar with OWASP Mobile Application Security Verification Standard (MASVS) and MITRE Mobile ATT&CK can help security professionals better understand how to properly assess mobile apps for security and privacy vulnerabilities.
SAST, DAST and IAST
Mobile and web applications share similarities in security testing, but the complexities of mobile apps pose challenges for web-based security testing tools to accurately assess them. Let’s examine the three most common methods for application security testing and explore how web-based tooling falls short when testing mobile apps.
Static Application Security Testing (SAST): This method analyzes the source code, bytecode or binary of an application without executing it, detecting security vulnerabilities by matching known-bad patterns in the code. SAST tools built for web apps may prove adequate there, but they have no notion of the constructs that matter in a mobile app: platform APIs such as intents, URL schemes and WebViews, Keychain and Keystore usage, manifest and entitlement configuration, permission handling and interactions with device sensors. Issues in those areas escape into the wild because the web rule set never looks for them.
Dynamic Application Security Testing (DAST): DAST exercises the running application from the outside, without access to source code. Web DAST uses a crawler to navigate the app and a detection engine to send requests and uncover issues, and it needs a list of URLs to test, access to all dependent components and services, and scripting to get past logins and multi-step flows. Those requirements make the process time-consuming, leading security teams to impose coverage limits and conduct insufficient testing. Mobile DAST instead installs and drives the app on a device or emulator and observes its behavior directly: network traffic, file system writes, inter-process communication and logging. It has significantly fewer prerequisites and a run can often be completed in minutes.
Interactive Application Security Testing (IAST): This method combines elements of SAST and DAST. IAST tools assess applications from the inside out, either through a software development kit (SDK) linked into the app or by injecting instrumentation into the compiled binary. Passive IAST collects telemetry while existing functional, UX and integration tests drive the app, whereas active IAST automates the navigation of the app itself while collecting the same internal telemetry. Many organizations prefer IAST over DAST because its false positive rate is lower. However, web IAST tools are typically built as agents for server-side runtimes and cannot be attached to an app running on a phone, so when pointed at mobile apps they often lack language support and fail to provide the context and evidence specific to the mobile environment.
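To make concrete what "patterns a web SAST rule set never looks for" means, the following Python example is added here and is not code from the original article or from NowSecure. It is a toy rule engine with a handful of Android-specific checks, each tagged with the MASVS area it falls under, run over constructed sample files: a manifest plus two Java sources with a trust-all TrustManager, a permissive hostname verifier, world-readable SharedPreferences and an ECB cipher. The `Finding`, `scan` and `by_area` names and the sample files are this example's own assumptions.

```python
"""Toy mobile-aware static analysis: per-line regex rules for Android-specific
weaknesses that a generic web SAST rule set has no concept of. Sample input is
constructed here; a real tool works on an AST or decompiled bytecode, not regex."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    rule: str
    area: str        # MASVS control area the rule maps to
    path: str
    line: int
    text: str


# (rule id, MASVS area, file-name suffix the rule applies to, per-line regex)
RULES = [
    ("NET-cleartext", "NETWORK", "AndroidManifest.xml", r'android:usesCleartextTraffic\s*=\s*"true"'),
    ("NET-trust-all", "NETWORK", ".java", r"checkServerTrusted\s*\([^)]*\)\s*\{\s*\}"),
    ("NET-hostname", "NETWORK", ".java", r"ALLOW_ALL_HOSTNAME_VERIFIER|HostnameVerifier.*(->|return)\s*true"),
    ("STORAGE-world", "STORAGE", ".java", r"MODE_WORLD_(READABLE|WRITEABLE)"),
    ("STORAGE-backup", "STORAGE", "AndroidManifest.xml", r'android:allowBackup\s*=\s*"true"'),
    ("PLATFORM-exported", "PLATFORM", "AndroidManifest.xml", r'android:exported\s*=\s*"true"'),
    ("PLATFORM-webview-js", "PLATFORM", ".java", r"setJavaScriptEnabled\s*\(\s*true\s*\)"),
    # bare "AES"/"DES" default to ECB in the JCE, so flag those alongside explicit ECB
    ("CRYPTO-ecb", "CRYPTO", ".java", r'Cipher\.getInstance\s*\(\s*"(?:[^"]*/ECB/|AES"|DES")'),
    ("CODE-debuggable", "CODE", "AndroidManifest.xml", r'android:debuggable\s*=\s*"true"'),
]
_COMPILED = [(rid, area, suffix, re.compile(rx)) for rid, area, suffix, rx in RULES]


def scan(files: Dict[str, str]) -> List[Finding]:
    """Run every applicable rule over every line of every file."""
    findings: List[Finding] = []
    for path, content in files.items():
        for rid, area, suffix, rx in _COMPILED:
            if not path.endswith(suffix):
                continue
            for lineno, line in enumerate(content.splitlines(), 1):
                if rx.search(line):
                    findings.append(Finding(rid, area, path, lineno, line.strip()))
    return findings


def by_area(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per MASVS area, which is how mobile reports are usually read."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.area] = counts.get(f.area, 0) + 1
    return counts


# --- constructed sample input (not from any real app) -----------------------
SAMPLE_FILES = {
    "AndroidManifest.xml": """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:allowBackup="true" android:usesCleartextTraffic="true" android:debuggable="true">
    <activity android:name=".DeepLinkActivity" android:exported="true" />
  </application>
</manifest>""",
    "net/InsecureClient.java": """public class InsecureClient {
    HostnameVerifier hv = (hostname, session) -> true;
    TrustManager tm = new X509TrustManager() {
        public void checkServerTrusted(X509Certificate[] c, String a) {}
        public void checkClientTrusted(X509Certificate[] c, String a) {}
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };
}""",
    "data/TokenStore.java": """public class TokenStore {
    void save(Context ctx, String token) throws Exception {
        SharedPreferences p = ctx.getSharedPreferences("auth", Context.MODE_WORLD_READABLE);
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        p.edit().putString("token", token).commit();
    }
}""",
}

# The hardened counterparts of the same lines produce no findings.
SAFE_FILES = {
    "AndroidManifest.xml": '<application android:allowBackup="false" android:usesCleartextTraffic="false">',
    "data/TokenStore.java": 'Cipher c = Cipher.getInstance("AES/GCM/NoPadding"); // key lives in AndroidKeyStore',
}

if __name__ == "__main__":
    for f in scan(SAMPLE_FILES):
        print(f"{f.area:9} {f.rule:20} {f.path}:{f.line}  {f.text}")
    print(by_area(scan(SAMPLE_FILES)))
```

Per-line regexes are the toy part: a real mobile SAST engine resolves the same patterns in decompiled Dalvik bytecode and in Kotlin, Swift and Objective-C, follows data flow so that an exported activity is only a finding when it actually reaches something sensitive, and ships rules for iOS entitlements and Info.plist as well. The point the example makes is that none of these checks exist in a web-oriented rule set, so a clean web SAST report says nothing about them.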
The importance of mobile apps in the business world will only continue to grow, and those responsible for safeguarding them need to take extra steps to ensure new builds and updates remain secure. Security teams must adopt purpose-built mobile-specific automated security testing. By doing so, they can avoid coverage gaps, false positives and performance issues, all while keeping users and organizations protected from cybersecurity threats.