The consequences of a mobile application security issue can be detrimental, and mobile teams must prepare for everything from third-party bugs to cloud security issues and beyond. However, NowSecure MobileRiskTracker data finds that a shocking 85% mobile apps found in the Apple App Store and Google Play contain security and privacy issues.
A recent webinar with NowSecure Chief Mobility Officer — Brian Reed, Bitrise Developer Advocate — Moataz Nabil, and Camelot Lottery Solutions Lead Software Engineer in Test — Panos Megremis covered how to shift left with security testing, integrate DevSecOps practices into your mobile CI/CD pipeline and more. This post covers the highlights and top lessons we learned from the group.
Work With CI/CD Pipelines for Mobile Apps
Before we get into DevSecOps best practices, let’s introduce DevOps and the use of CI/CD (continuous integration/ continuous deployment) pipelines for mobile apps. DevOps best practices help mobile engineers to optimize workflows and practices to improve release cadence, optimize development cycles, and more.
With Mobile DevOps and mobile CI/CD pipelines, mobile engineers can manage workflows, run mobile builds, and release faster and better mobile apps. A mobile CI/CD pipeline could include steps and workflows for mobile engineers to set up environments, perform UI and unit testing, deploy to app stores, and more. The goal of mobile CI/CD pipelines is to provide a frictionless experience for the developers and engineers who build mobile apps, while remaining safe and secure.
There are platforms like Bitrise — a fully-hosted Mobile DevOps and CI/CD platform — that are specifically designed for mobile apps. Bitrise helps mobile engineers build, test, and release iOS, Android, and cross-platform apps with third-party integrations with mobile tooling. These processes are often different and more complex than building traditional web apps.
Think Like a Mobile Attacker
In order to address mobile app security, you need to know what you’re protecting against. As Brian mentioned in the webinar, there are five main targets that mobile attackers are interested in:
- Personal data
- Financial account data
- Access to the backend system
- Trade secrets
“As a mobile app developer, it’s your responsibility to write secure code and test that code to ensure proper protections are in place.” advises Reed.
When it comes to mobile app security, you need to think like a mobile attacker because mobile apps have unique security challenges that web apps don’t often face. For instance, mobile apps have a broader attack surface than web apps do. And, mobile apps tend to strive for shorter release cycles with speed and frequency in mind, which can introduce security challenges. Getting inside the mind of a mobile attacker allows you to reverse engineer potential threats and prioritize security.
Share the Responsibility for Mobile Security
Mobile teams should adopt the “everyone is responsible for security” mindset by sharing security responsibilities across teams and injecting security checks earlier in the app lifecycle.
Mobile apps should be tested early and often. It helps mobile teams to fail fast and learn early to save production and development time. Shift-left testing involves moving mobile testing to the left in the delivery pipeline — in other words, testing the software earlier in the development lifecycle than is historically typical.
“It’s really important nowadays to get quick feedback,” says Megremis. “We should add security tests and get a security report in the early stages to understand that code has something that could cause a high-security vulnerability. That’s the whole point of DevOps.”
Balance Security and Speed
The DevSecOps framework expands the impact of DevOps by adding security practices to the software development and delivery process. It also resolves the tension between Mobile DevOps teams that want to release software quickly and security teams that prioritize security over all else.
Alt: Creating a DevSecOps strategy involves finding the right balance between app quality, security, and speed of development. Teams need to iterate quickly while remaining secure.
“If both security and development teams have a ‘what’s best for the business’ mindset, then they are more likely to be in sync throughout processes,” says Reed.
Choose a Suitable Security Testing Method
A successful mobile testing program includes aspects of the following four security testing methods.:
- Look for coding errors with Static App Security Testing (SAST): Analyze application source code to test for a range of known security vulnerabilities.
- Run the application and monitor for security defects with Dynamic App Security Testing (DAST): Analyze by physically running the app to test for a range of known security vulnerabilities.
- Collect security telemetry with Interactive App Security Testing (IAST): Insert security libraries/services into the app to analyze the application as it runs during dev, test, and/or production.
- Test back-end APIs with API Security Testing (APISec): Probing backend API endpoints and services to find security vulnerabilities.
The goal of mobile CI/CD pipelines is to provide a frictionless experience for the developers and engineers who build mobile apps, while remaining safe and secure.
Introduce DevSecOps Practices in your Mobile CI/CD Pipeline
Establish a set of written policies for security and development teams to follow. These policies should establish SLAs that determine how PMs write, how architects design, how developers code, etc. Follow industry standards like OWASP MASVS to set policies that meet security requirements.
💡TIP: Deploy a policy engine in your mobile pipeline to automate controls. It helps streamline and automate policies, so developers get requirements that are automatically tested based on policy.
Provide Security Training for Employees
Continuous security training helps developers address app store updates, language updates, and the rapidly changing mobile landscape. Proactive security training helps developers write more secure code. Security training should be role-based and should focus on mobile app security, leveraging OWASP MASVS.
Set Security Requirements
Security requirements help address vulnerabilities. Make sure to treat security requirements like all other functional and nonfunctional requirements. Use security requirements to address things like data encryption, network usage, data storage, crypto usage, etc.
💡TIP: OWASP MASVS has pre-written requirements based on industry standards and best practices that you can copy and paste into your workflows.
Facilitate Secure Code Development
Third-party code libraries can introduce security vulnerabilities. To mitigate risk, the security team can provide pre-approved libraries for reuse across apps. Additionally, an SCA scan should be done for all third-party libraries before loading it into the repository.
Automate Testing for Continuous Security
Automating security testing for your mobile application helps to continuously test for security vulnerabilities as the app is built. By testing the binary, you get 100% code coverage of all the code actually included in the application. Teams should run security workflows autonomously in the background to enable developers to release fast, without manual security testing that slows down release cadence.
💡TIP: Don’t forget to leverage a mix of SAST, DAST, IAST, and APISec. This can all be automated using NowSecure in your Bitrise CI/CD pipeline.
Monitor in Production
Continuously monitor the security status and test your mobile apps, even after release. Collect customer feedback about bugs and issues and integrate that feedback into developer workflows. Continuously monitor third-party integrations and updates that may introduce vulnerabilities.
Use NowSecure in Bitrise Mobile DevOps Workflows
“The ease of integrating NowSecure Platform, GitHub, and Bitrise and the efficiencies it brings are amazing,” says Megremis.
NowSecure plugs directly into Bitrise CI/CD pipelines. As developers build apps, Bitrise automatically passes the compiled binary to NowSecure. NowSecure automatically runs a full battery of SAST/DAST/IAST/APISec tests and then feeds the issues back into Github, Jira, or other ticketing systems.
In this way, developers get the best mobile-specific CI/CD platform integrated into the best mobile-specific AppSec testing platform for fast feedback loops. Together developers and security teams get high-quality and faster releases with security built in.
How Camelot Lottery Solutions Uses Bitrise and NowSecure to Build a More Secure Mobile App
Camelot Lottery Solutions uses NowSecure in its Bitrise CI/CD pipeline to eliminate delays in mobile releases, address security issues, and more. By integrating NowSecure into its mobile pipeline with Bitrise for its iOS and Android app, Camelot can now:
- Test the security, privacy, and compliance status of mobile apps in development
- Eliminate delays in security testing and app store blockers to release mobile apps faster
- Drive continuous improvement with accurate developer-friendly findings, remediation instructions, and code samples
Alt: Integrate NowSecure Android or iOS Bitrise Workflows to assess the security status of your mobile workflows.
Watch the webinar “How to build secure mobile apps effectively with DevSecOps” on demand to learn about DevSecOps best practices and see how Bitrise and NowSecure solutions help secure mobile apps from start to finish.