How are mobile app and web app security different?
The biggest thing that we see out in the world is that the old school doesn’t work anymore. You know, people think that they can apply these techniques and methodologies that were used for web app testing for a long time, but, you know, running a simple scan or looking at some code unfortunately just doesn’t protect your billion-dollar enterprise’s mobile app anymore. There’s a whole package that gets built and that’s what’s released to the world, which is completely different from web application testing. So we talk a lot about and educate our clients about what goes into those packages and the risk that it exposes them to, and how web testing approaches applied to mobile leave gaps.
How is mobile application security changing?
When we’re talking about how mobile is changing, if this was the stock market they would be saying there’s a bubble, ’cause there’s a disparity now between the presentation layer and the security testing being done. So we have this long history of testing web applications, but, you know, now that more and more users are going mobile we’ve crossed that threshold, but there’s a huge disparity in investment and expertise in web application testing versus mobile security testing.
What are the biggest mobile app vulnerabilities we find?
So on customer calls talking about vulnerabilities in their apps running out in the wild, I think that the biggest one that we see problems with is unencrypted data transmission, otherwise known as “data in motion.” This means an attacker can essentially insert themselves into that data stream and potentially manipulate things while having visibility into private information — potentially damaging information. So this is a big issue compared to web due to the architecture of mobile devices and apps, where organizations are doing testing that’s good enough for web apps but they’re leaving a hole exposed for mobile.
What common problems do customers face in mobile app security?
So when talking to customers and looking at large data sets of hundreds of thousands of mobile apps that we’ve examined, one of the big problems that we’re seeing is failures with certificate or hostname verification. So when I’m using a web app, browsing the web, my browser is actually handling that piece of security for me – no extra code for the developer to make it work. So web app developers and security testers haven’t had to account for that in the past. With mobile applications, there is no innate functionality to be able to do that, so it has to be coded by the developer at the mobile application level, and that’s something that often is a knowledge gap, and we see mobile applications out there not perform that action just as a result of not knowing it’s even needed or how to do it properly.
How NowSecure can help
So what really resonates with customers when we show them the capabilities of our toolset is just the level of technology and execution that we have. So there have actually been meetings I have attended in the past where the people we’re talking to didn’t actually believe that we had achieved what we were saying. So, you know, being on the bleeding edge, having this cool way to basically automate what has historically been a very manual process is amazing. As soon as that realization hits a customer, you can see them respond, “Whoa!” and once it sinks in they respond, “Man, I can use this here.” They get excited about how powerful the tools are and how easy to use, which is really fun to see.