
Mobile App Security vs Web App Security

Andrew Hoog is Founder of NowSecure and a Board Member.

How are mobile and web security different?

Because your code runs on somebody else’s device, there’s a much bigger attack surface than if your code is running on a server that you control behind firewalls and things of that sort. So there’s actually quite a bit of attack surface there.

Mobile devices collect a lot of information that your browser or your computer doesn’t collect. Mobile devices go with us everywhere.

How does NowSecure focus on mobile app security?

We tend to focus on flaws that would really impact the integrity of the data, the information about the individual … and there’s a whole bunch of ways that things can go wrong there.

Traditional things like a man in the middle attack, where developers struggle with how to implement encryption. There’s a couple of big mistakes that they make. One of them is they try to roll their own, which is a very bad idea, and they shouldn’t do that.

The second thing that developers tend to do is they will have test code that makes it easy for them to develop without all those security controls in place. Sometimes they’ll forget to re-enable all of the controls when they go to production, or they simply won’t understand how to do it properly. So there’s a lot of different things that can go wrong.

How does 3rd party code affect app security?

It’s complicated significantly by the fact that mobile apps contain a lot of third party code. The challenge folks have is not only did I write my application, but did the third party library that I’m using properly write in their code and test it? When I make an update and they have a new SDK, is that one secure?

What can go wrong trying to set up your own mobile app testing?

There’s a lot of things that can go wrong:

  • Your data not being protected in transit.
  • Leaving sensitive information on the device.
  • Configuration issues that will lead to your data being backed up or transmitted.
  • Leaving too many activities world-readable, world-accessible so that other apps on the phone can extract information.

Best practices when thinking about mobile app security

NowSecure found the best way to deal with [mobile app security], coming from our forensics background, is in a very empirical way. You can do a bunch of testing of your code. You can do source code analysis and typically generate a lot of false positives. You spend a lot of time looking at the results. Or, you can simply look at your app in a hostile environment and then find out:

  • Am I able to intercept the traffic?
  • Do you leave sensitive data on the device?
  • Could I do a SQL injection attack against your mobile app?

That empirical approach has allowed us to eliminate almost all false positives, but to also interrogate the application in a hostile environment — which is exactly what you need to do when you secure your app.

NowSecure believes mobile apps and mobile devices can be a more secure way for enterprises and agencies to operate. The important premise to that entire idea is that you make sure that you vet your mobile apps ahead of time so when they are actively in a hostile environment, they’re able to thwart that attack.

What we find today is about 85% of the apps out there don’t successfully repel an attack. There’s a long way that the industry has to go. The great news is that we built a lot of tooling to help address that with automation.

NowSecure’s goal is to make sure the mobile apps you produce are as safe and secure as possible. Try a demo of our Platform today to see the difference we can make!
