Mobile apps account for more than half of all worldwide Internet traffic and already outpace web apps for career services, e-health, personals, weather and food retail, according to comScore. To meet growing demand for mobile apps, many organizations have turned to low- and no-code mobile application development tools to speed up software delivery. However, taking a useful shortcut to get apps built doesn’t mean they can skimp on security.
Low- and no-code mobile app development tools provide drag-and-drop graphical user interfaces, forms and visual workflows that let organizations quickly build mobile apps with little to no coding. Sometimes delivered in a Platform-as-a-Service model, these tools fall into three general categories: no code, low code and cross-platform. Popular offerings include Adobe PhoneGap, Appcelerator, Appery.io, AppMachine, Appmakr, AppyPie, Betty Blocks, Bizness Apps, Good Barber, NativeScript and Xamarin, among others.
Companies large and small tap these mobile app dev platforms to save time and accelerate software delivery. Typical use cases include mobile apps for internal use by employees to drive operational efficiency, such as parts lookup, inventory or job scheduling; apps that need to be produced quickly for customer service, such as customer lookup or order status; and apps for short-term use, such as an in-store sales campaign or a specific event. These mobile app dev platforms empower semi- and non-technical users to become so-called “citizen developers.”
Tools of the Trade
Low-code, no-code and cross-platform development tools speed app release times to better support the organization, but one downside is that they can increase the risk of data exposure. Mobile apps that aren’t properly tested expose the organization to security, compliance and privacy risks, and a vulnerability that leaks private customer data could cripple a brand. Sadly, few people consider the security of apps developed this way, either because they are unaware of the security risks in the first place or because they assume proper security is built in.
Companies generally use a mix of commercial apps, consumer apps, web-responsive apps and native apps. Whether they are developed in-house or outsourced, all apps must be thoroughly tested for security, privacy and protection of sensitive data. Because mobile apps differ from web apps, they require a different type of testing that can be truly challenging for developers and “citizen developers” alike.
Traditionally performed on web apps, static testing analyzes the source code for vulnerabilities. Not only is static testing alone insufficient for mobile apps, but when apps are built with no-code tools there is no source code for a static engine to examine at all. As a general rule, none of the traditional security testing vendors that rely on static testing engines can support any of these categories of apps.
Dynamic testing observes the app binary at runtime to discover vulnerabilities, irrespective of the source code language. Business users and security organizations should seek out mobile appsec testing solutions, such as the one offered by NowSecure, that perform automated dynamic testing of compiled or generated app binaries (iOS .ipa and Android .apk). NowSecure AUTO tests data storage to identify on-device data leakage, network communication to detect data leakage or interception over the air, and coding and functionality to uncover vulnerabilities such as data leakage or exposure to man-in-the-middle attacks.
Security Shortcomings
A NowSecure examination of mobile apps revealed poor security overall. Our benchmark analysis of 45,000 Android and iOS mobile apps showed that 85% violated one or more OWASP MASVS requirements. Nearly half suffered from insecure data storage or communication, and one-third exhibited code quality issues or vulnerabilities.
The retail industry in particular tends to use low- or no-code tools to develop mobile apps. Our recent benchmark evaluation of leading retail and deal-finding apps found that 93% violated one or more OWASP MASVS requirements. Common problems included insufficient key size, leaked data, improper use of cookies, and lack of proper certificate use. The worst failures were attempts to run as root, sensitive data leakage, certificate validation failures, world readable/writable files, and unencrypted data transmission over HTTP.
NowSecure has tested numerous mobile apps built with no-code, low-code and cross-platform development tools and found a mixed bag of risk results. Some of these platforms and tools are more secure than others. Even among multiple apps built with the same tool, security scores can vary surprisingly widely: our testing shows some with high scores and some with low scores, sometimes with no obvious pattern. The only way to truly know the security of mobile apps built with these tools is to test them properly yourself with tools like NowSecure software, or to outsource pen testing to experts like NowSecure professional services.
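To make three of the failure classes above concrete (world readable/writable files, cleartext HTTP endpoints and insufficient key size), here is an added illustration of the kind of check a dynamic test applies to observations collected from a running app. It is not NowSecure code; the directory listing, endpoint URLs and key sizes are constructed sample data, and the package name and hosts are hypothetical.

```python
# Constructed sample: an `ls -l` style listing of an Android app's private
# data directory (hypothetical app owned by user u0_a123).
SAMPLE_LISTING = """\
-rw------- 1 u0_a123 u0_a123  4096 2023-01-01 10:00 shared_prefs/settings.xml
-rw-rw-rw- 1 u0_a123 u0_a123 12288 2023-01-01 10:00 databases/customers.db
-rw-r--r-- 1 u0_a123 u0_a123   512 2023-01-01 10:00 cache/session.token
"""

# Constructed sample: endpoints observed in the app's network traffic.
SAMPLE_ENDPOINTS = [
    "https://api.example.invalid/v1/orders",
    "http://api.example.invalid/v1/customer?lookup=1",
]

# Constructed sample: server key algorithm and size seen per TLS host.
SAMPLE_KEYS = {
    "api.example.invalid": ("RSA", 1024),
    "cdn.example.invalid": ("RSA", 2048),
}

MIN_RSA_BITS = 2048  # common minimum for RSA keys


def world_accessible_files(listing):
    """Return (path, mode) for files whose 'other' bits grant read or write.

    The mode string is 10 characters: type, then rwx for owner, group, other.
    Anything readable or writable by 'other' is reachable by any app on the
    device and counts as an insecure-storage finding.
    """
    findings = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue
        mode, path = parts[0], parts[-1]
        other = mode[7:10]
        if "r" in other or "w" in other:
            findings.append((path, mode))
    return findings


def cleartext_endpoints(urls):
    """Endpoints contacted over plain HTTP: data in transit is unencrypted."""
    return [u for u in urls if u.lower().startswith("http://")]


def weak_keys(keys, min_rsa_bits=MIN_RSA_BITS):
    """Hosts presenting an RSA key shorter than the accepted minimum."""
    return [h for h, (alg, bits) in keys.items() if alg == "RSA" and bits < min_rsa_bits]
```

Each function returns the offending items rather than a pass/fail flag so that a report can name the exact file, URL or host that needs fixing.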
Manage and Mitigate Risk
Low- and no-code tools definitely have a place in organizations, and employees are going to use them whether they’re sanctioned or not. But security leaders can better protect their organization by adopting the following best practices for using these kinds of mobile app development tools.
- Confirm built-in security capabilities from your app dev tool vendor. Consider using enterprise-oriented tools like Betty Blocks, Dropsource or Microsoft PowerApps.
- Ask the app dev tool vendor to provide security certifications for any mission-critical applications.
- Test the mobile app binaries that your organization develops and ensure the security testing tool includes dynamic testing to cover all the risks. See how NowSecure AUTO can meet your needs with a demo.
- Outsource penetration testing to third-party experts like NowSecure to reduce risk.