New service provides deep dive pen testing for thousands of SDKs used by millions of mobile app developers to enable them to safely build high quality, secure mobile apps faster
CHICAGO – July 12, 2023 — NowSecure, the recognized experts in mobile security and privacy, today launched a major expansion of the NowSecure Pen Testing as a Service (PTaaS) with a new SDK Pen Testing Service to help protect the global mobile software supply chain. Leveraging over a decade of penetration testing experience for more than 11,000 mobile apps and recognized industry security standards, this new NowSecure Service provides deep-dive testing of first-party and third-party mobile SDKs built and used by open-source teams, commercial SDK vendors and enterprise mobile app developers.
Mobile app developers rely on third-party SDKs to speed delivery of their mobile apps with rich functionality and dependable infrastructure. The typical mobile app uses 8-15 mobile SDKs from commercial vendors and the open-source community. Overall, analysis shows over 30,000 mobile SDKs in use around the world including authentication, location data, ads and monetization, push notifications and messaging, crash analytics, image processing and more. However, NowSecure Pen Testing Services findings reveal that more than 50% of apps fail at least one critical standards-based control due to the mobile SDKs they integrate. Recent malicious SDKs and supply-chain attacks like Pushwoosh, Tushu/Twhoshu and Mintegral put mobile development teams and mobile users at risk. To help developers, security and privacy teams ensure the safety of their mobile SDKs, NowSecure SDK Pen Testing Service provides visibility into security, privacy and compliance risks of mobile SDKs.
“The current late-stage process of identifying issues with mobile SDKs after they have been built into a mobile app makes it very difficult for development, security and privacy teams to respond without damaging the business,” said NowSecure CEO Alan Snyder. “Today we are empowering mobile development teams to choose wisely before they include an SDK in their mobile app, so they can build, ship and upload to app stores faster with confidence that their mobile app is safe for use and meets industry requirements.”
NowSecure SDK Pen Testing Service helps protect the software supply chain across the entire mobile app ecosystem and developer community.
- Developers who use commercial and open-source mobile SDKs can secure their mobile apps against SDK supply-chain attacks, protect against SDK data leakage, and ensure compliance with industry mandates and regulatory requirements. The service includes a comprehensive report and expert consultation.
- Manufacturers of commercial SDKs can drive user trust and grow downloads by providing independent verification that they meet the high bar of standards-based security and privacy, while enabling their end customers to comply with industry mandates and regulatory requirements. The service includes a comprehensive report and NowSecure Letter of Attestation that can be used to demonstrate the rigorous security and privacy testing performed by NowSecure.
NowSecure Pen Testing as a Service methodology uses recognized industry standards from the OWASP Mobile App Security (MAS) project and Google’s App Defense Alliance (ADA) Mobile Application Security Assessment (MASA) program. NowSecure PTaaS combines continuous automated security testing and expert pen testing to deliver the frequency, depth and coverage to meet the needs of all organizations. This new NowSecure SDK Pen Testing Service joins the industry’s most complete suite of mobile-specific pen testing assessment services including Rapid, Targeted, Full Scope, OWASP MASVS and ADA MASA.
In addition, the NowSecure SDK Pen Testing Service enables mobile app developers to meet the latest app store attestation requirements for the Apple Privacy Nutrition Labels for iOS apps and the Google Play Data Safety section for Android apps. Showcasing their dedication to privacy and transparency into how user data is handled and processed, Apple and Google have made developers responsible for attesting to how mobile user data is collected, used and transmitted for first-party, third-party and open-source code. Mobile app developers who do not properly account for SDKs, their data handling practices, and the vulnerabilities they may introduce can face costly release delays and app store rejections.
The new NowSecure SDK Pen Testing Service is available to assess individual or multiple commercially developed, open source or internally developed mobile SDKs. In addition, organizations can request a NowSecure Mobile App Supply Chain Risk Assessment for expert review of a single mobile app with identification of all third party SDKs in the app, a security and privacy analysis of these third party SDKs, and a comprehensive report plus expert consultation.
The NowSecure SDK Pen Testing Service joins the industry’s only full suite of mobile app security and privacy solutions from NowSecure including NowSecure Platform for automated security and privacy testing, NowSecure Workstation kit for pen tester productivity, NowSecure Supply Chain Risk Management, NowSecure expert Mobile Pen Testing as a Service (PTaaS), and NowSecure Academy training courseware for dev and security teams.
As the recognized experts in mobile security and privacy, NowSecure protects the global mobile app economy and safeguards the data of millions of mobile app users. Built on a foundation of standards, NowSecure empowers the world’s most demanding organizations with security automation to release and monetize 30% faster, reduce testing and delivery costs by 30% and reduce appsec risk by 40%. Only NowSecure offers a full solution suite of continuous security testing for DevSecOps, mobile app supply-chain monitoring, expert mobile Pen Testing as a Service (PTaaS) and training courseware. NowSecure actively contributes to and supports the mobile security open-source community, standards and certifications including OWASP MASVS, ADA MASA and NIAP, and is recognized by IDC, Gartner, Deloitte Fast 500, and TAG Cyber.