The average global enterprise includes more than 53,000 mobile devices,1 and 33 apps reside on the average mobile device.2 That extrapolates to as many as 1.7 million mobile apps installed within the average enterprise–creating a large potential blind spot when it comes to enterprise mobility risk. While the Apple® App Store® and Google Play™ store do assess apps against basic requirements prior to publishing, enterprises and government agencies require more scrutiny. Because organizations need visibility into the security status of public app store apps, we’ve extended the NowSecure Platform to provide “AlwaysOn” mobile app vetting for third-party mobile apps with our new NowSecure Intelligence™ product–if you’re interested in early access, apply now.

What sets NowSecure Intelligence apart

NowSecure Intelligence is the only mobile software testing solution to perform dynamic analysis by installing a target app on a physical Android or iOS device, as opposed to an emulator. This approach allows for the NowSecure engine to exercise the app as a user would–resulting in deeper analysis, more accurate results, and more thorough inspection of dependent third-party libraries, app components, and server connections.

Every time a mobile app is released or updated on the Apple App Store or the Google Play store, NowSecure Intelligence automatically downloads the .apk or .ipa, installs it on a physical device, and performs detailed analysis within a live network environment. The analysis includes subjecting the app to the most commonly exploited attack vectors such as man-in-the-middle (MITM) attacks and evaluating the app’s use of certificate validation and pinning.

Deep, fast, AlwaysOn security analysis of public apps

The Department of Homeland Security has recommended3 that organizations be aware of mobile apps that gather privacy-sensitive information, exploit vulnerabilities, or access enterprise networks and data. In our 2016 NowSecure Mobile Security Report, we found that 25 percent of the public apps we tested included at least one high-risk security issue. To reduce mobile enterprise risk and ensure compliance, enterprises and government agencies need deeper analysis of the mobile apps installed and used on employee-owned and corporate-owned devices. But at the same time, that depth cannot come at the expense of the speed businesses demand.

Our new NowSecure Intelligence product performs deep and fast static, dynamic, and behavioral analysis to identify critical mobile app risks including sensitive data in transit, network traffic destinations, code flaws, sensitive data storage, and third-party components. Because the engine continuously crawls the Apple App Store and Google Play store, customers have access to up-to-the-minute security assessment findings for the latest versions of Android and iOS apps available on the public stores empowering enterprise mobility teams and security teams to make quick, informed decisions.

Enterprises that deploy enterprise mobility management (EMM) or mobile device management (MDM) solutions have expressed a need for more detailed, actionable data about the security risk of mobile apps used by their employees. For example, an enterprise mobility team might set out to evaluate file-sharing apps for deployment among their users. The team may want not only information about the security status of the most recent version of shortlisted apps, but also historical data about the app’s security posture and the developer’s history and reputation over time. In addition, enterprises need up-to-date visibility into the security status, compliance, and privacy practices of both business and consumer apps deployed on employee devices including social media apps, messaging apps, e-mail clients, banking apps, and more.

How we built a more powerful mobile app vetting engine

In order to properly identify security threats, compliance gaps, and privacy issues in a mobile app, security teams need to achieve a sufficient level of code coverage.

Coverage should include:

  • Static app security testing (SAST): Scanning the mobile app binary to identify flaws in an app’s code.
  • Dynamic application security testing (DAST): Observing a mobile app during runtime resulting in deeper analysis to identify more security, compliance, or privacy issues. Dynamic analysis monitors network communications to determine whether they’re properly secured, checks for proper API implementations, and investigates whether sensitive data (e.g., login credentials) is sent unencrypted.
  • Behavioral testing: Behavioral analysis can uncover improper usage of on-device resources like contacts lists, or identify information written to local storage insecurely. Testing mobile app binaries on real devices can identify ways an attacker might exploit a mobile app, highlight developer errors, or flag insecure interactions with backend services.

 

Key features and our early access program

Over the past few years, we’ve refined our NowSecure automated mobile app vetting architecture with a focus on delivering the world’s most comprehensive dynamic analysis and behavioral analysis for custom apps. Now we are extending these advanced capabilities into commercial app store apps and welcome our customers and new organizations to join us in the early access program.

Easy diagnosis of app security risk with security score

Based on the NowSecure Platform’s advanced testing and analytics, we use a proprietary weighting system developed by our renowned research team that combines the risk scores of multiple findings into a single measure of risk for a mobile app–the NowSecure Security Score. Each individual app version is rated with a score from 0 to 100 for an easily referenceable quantification of the security threats, compliance gaps, and privacy issues found within the app. Apps with a higher score are perceived as more secure because they include fewer risks.

Each security issue is measured using the Common Vulnerability Scoring System (CVSS), a universal, open, and standardized method for rating IT vulnerabilities. Issues found during analysis with higher CVSS scores have a larger impact on the total NowSecure Security Score, as these issues present greater potential for compromise.

In the example screenshot below, the sample app has received a “Fair” rating based on several vital security issues given medium-to-high CVSS scores.

NowSecure Intelligence Screenshot: App with Fair security score

In comparison, the TripIt app for iOS receives an “Excellent” rating because the app is secured against many forms of attack and adheres to industry best practices.

NowSecure Intelligence Screenshot: App with Excellent security score

Always delivering value

With millions of apps on the market, our mission is to deliver automated analysis and risk scores that enterprise security and mobility teams can trust and use to make informed decisions about the Android and iOS apps they deploy to their users. There is much to come with NowSecure Intelligence and we look forward to sharing ideas and hearing feedback from early access participants.

Contact us for a demo and access to our database

If you’re interested in deeper, more comprehensive vulnerability information about commercial mobile apps and want to join our early access program, apply here.


1How Much Is the Data on Your Mobile Device Worth?” Ponemon Institute LLC

22016 Internet Trends Report” Mary Meeker

3Study on Mobile Device Security” Department of Homeland Security

What to read next:

Sam Bakken

linkedin icon twitter icon

Former Mobile App Security Testing Evangelist

During his time at NowSecure Sam advocated for keeping mobile devices, apps, and users secure through mobile app security testing.