As 2018 draws to a close, it’s been a busy and exciting year in mobile appsec. Thank you to our thousands of readers for accompanying us on the journey to safeguard data and deliver secure mobile apps faster.
Year-end presents an opportunity to reflect on some of the news, insights and practical advice shared in our blog. With that, we present to you a list of our Top 10 2018 articles about mobile application security and DevSecOps.
Here are the 2018 Top 10 blog posts based on popularity in descending order:
10. “U.S. Soldiers and Athletes Using Strava Social Fitness Apps: Finding Risky Mobile Apps That Share and Leak Data”
A series of mobile apps built by or connecting with STRAVA have been sharing and publishing activity by geolocation, including what should be highly confidential information about U.S. personnel and military staff locations. Get recommendations on how to protect your organization and staff from risks like STRAVA data collection and sharing.
9. “Key Mobile App Security Standards to Look for In Your Testing Tools”
As organizations dig into secure coding and testing best practices, they quickly discover a variety of sometimes confusing approaches and solutions for mobile app security testing. Security professionals and leaders alike can ease the process of finding the testing tools that best fit their needs by requiring certain mobile app security standards in their selection criteria.
8. “Benchmark Analysis Reveals Risky Mobile Apps in Apple® and Google Play™ Store”
A staggering 85% of the 45,000 mobile apps reviewed for this benchmark analysis violated at least one OWASP MASVS requirement. Read this report to learn about the significant risks of data leakage in mobile apps caused by insecure data storage, insecure network communications and poor coding practices, all of which must be addressed in mobile appsec programs.
7. “A 3-Part Mobile App Security Testing Checklist to Build Your Program”
We’ve assembled a checklist of three key questions to help security analysts and developers craft a more effective list of mobile testing requirements. To design a successful program that minimizes security risks in mobile apps, examine the type of testing, testing coverage and requirements.
6. “TLS 1.3: 4 Key Takeaways for Mobile Security Teams”
The Transport Layer Security encryption protocol was updated in March with the Internet Engineering Task Force’s release of version 1.3. This blog explains how TLS 1.3 affects mobile development and security practices for appdev or appsec teams.
5. “How Google Aims to Reduce Mobile OS Fragmentation with Android API Levels”
Google seeks to reduce Android fragmentation by requiring developers to adopt recent target API levels for all new apps. This blog spells out what’s changing with Android API levels and when.
4. “Q&A: What Is It Like to Be a Mobile Security Researcher?”
Keeping pace with ever-increasing mobile security threats is a team sport that requires the support and performance of many key players. Francesco Tamagni, a senior security research engineer here at NowSecure, talks about his role helping customers find and fix vulnerabilities to secure their mobile apps.
3. “Adventures in Remote Code Execution and Zip File Vulns — from Samsung and Vungle to ZipperDown”
As with all things mobile, there are both secure and insecure ways of downloading and using zipped content. After Pangu posted about iOS zip file download issues identified as ZipperDown, we relayed our previous zip file download and remote code execution disclosures for Samsung and Vungle. The post also shared suggestions for dev and security teams.
2. “Introducing Jailed Testing with NowSecure”
In 2018 NowSecure debuted a jailed testing capability that automates mobile app security testing on factory-standard iOS devices with no jailbreak required. This important advance and industry first enables security teams to keep up with testing their apps on the most current version of iOS without writing custom code, deploying a proprietary SDK or creating custom iOS application builds.
1. “A Security Analyst’s Guide to Network Security Configuration in Android P”
With the release of Android P in August, Google required mobile app developers to support HTTPS or deploy Network Security Configuration to safeguard network communications. This timely blog helped many readers understand the benefits of implementing Network Security Configuration in their Android apps and learn how to do so. And in case you missed it or want a refresher, you can learn more about Android P security updates in this webinar recording.
Overall, posts about new mobile OSes and features, mobile app vulnerabilities, technical tips and mobile appsec testing innovations were quite popular this year. Please continue to watch for more useful content in 2019 and don’t miss our 2019 Mobile App Security Predictions webinar on Jan. 23.