Vulnerability Assessment and Penetration Testing (VA/PT) is common practice for business-critical mobile apps.

It’s clear to see why this recommended practice for online services has also been applied to mobile apps. If you are installing code that handles sensitive data, transactions, and IP on unmanaged devices – and that describes most mobile apps – you first want to check it doesn’t have any obvious security weaknesses.

What is VA/PT?

Vulnerability Assessment analyses your app and provides you with a report of coding errors and oversights that could potentially be exploited by a hacker. Penetration Testing then tries, in a controlled manner, to exploit those vulnerabilities. This gives you, as the app developer, a chance to correct these weaknesses before the app is published.

VA/PT takes two different approaches, static and dynamic testing, each with its own pros and cons. Static Application Security Testing (SAST) scans your code and app package – effectively reading your code and looking for any patterns that are known to lead to security weaknesses – while Dynamic Application Security Testing (DAST) runs your app in as close to a production environment as possible, looking at how the app interacts with the runtime environment and checking whether any exploitable interfaces are exposed.
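To make the SAST half of that description concrete, here is a small added example (not code from the original post or from Verimatrix) of the kind of pattern scan a static tool performs. The sample source it scans is constructed for the example, and the three rules (a hard-coded secret, a hostname-verification bypass, and a sensitive value written to the log) are illustrative patterns, not a real tool's rule set.

```python
import re
from typing import List, Tuple

# Constructed sample source, standing in for an app's code package.
# Each line is meant to trip exactly one rule below.
SAMPLE_SOURCE = """\
const val API_KEY = "AKIA_EXAMPLE_FAKE_KEY_0123456789"
val client = OkHttpClient.Builder()
    .hostnameVerifier { _, _ -> true }   // accept any hostname
    .build()
Log.d("auth", "token=" + sessionToken)
"""

# Rule table: (rule name, compiled pattern, why it matters).
# Patterns are illustrative assumptions for this example, not an exhaustive rule set.
RULES = [
    ("hardcoded-secret",
     re.compile(r'(?i)\b(api[_-]?key|secret|password)\b\s*=\s*"[^"]{8,}"'),
     "secret literal in the package can be recovered by reverse engineering"),
    ("tls-hostname-bypass",
     re.compile(r'hostnameVerifier\s*\{[^}]*->\s*true'),
     "accepting any hostname defeats TLS server authentication"),
    ("sensitive-logging",
     re.compile(r'Log\.[dviwe]\([^)]*(token|password)'),
     "credentials written to a log readable by other software on the device"),
]


def scan(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, rule name, rationale) for every rule hit, in source order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern, why in RULES:
            if pattern.search(line):
                findings.append((lineno, name, why))
    return findings


if __name__ == "__main__":
    for lineno, name, why in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {name}: {why}")
```

Real SAST tools parse the code rather than matching lines, but the principle is the same: the report lists where a known weak pattern appears and why it matters, and it is only as good as the rule set, which is the gap the rest of this post is about.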

As mobile apps are not fixed entities but something that evolves rapidly over time – every 2 weeks is not uncommon – VA/PT testing tends to be an automated process that integrates into your build pipeline. This is particularly true for SAST.

So far so good, so what’s the problem?

Most automated VA/PT solutions treat your app as a locked box. Even when the VA/PT service has access to your code for whitebox testing, it assumes an attacker can only target the external interfaces and behaviours of the app.

That viewpoint may have been valid for online services when the software was installed inside the IT infrastructure (either on-premises or in the cloud); but it isn’t how an attacker sees your mobile app. With the app installed on end user devices, an attacker sees an open book, ready to be reverse engineered and manipulated. Freely available tools quickly allow anyone to lift an app off a phone and crack it open.

Zero-day vulnerabilities

Reverse engineering means an attacker can find zero-day vulnerabilities within your code that your chosen VA/PT isn’t aware of. They can also find secrets, such as API keys and cryptographic keys, that enable the attacker to unlock other parts of your ecosystem.

If that wasn’t bad enough, the bad guys will manipulate the behaviour of your app. This often takes the form of man-in-the-device attacks, where an attacker takes control of your executing app.

Two of the most common man-in-the-device attacks Verimatrix is seeing at the moment are:

  • Overlay attacks – where malware puts an invisible window or screen on top of the running app to capture key entry and siphon off sensitive data.
  • Emulator farms – giving attackers the ability to automate attacks at scale.

Closing the book and defending against these attacks means making the apps self-defending – going beyond hardening the app’s interfaces to hardening the code itself. This is where Software Shielding comes in. Enterprise-grade Shielding solutions are there to protect your app once it is deployed out into the wild. They build layers of protection into your code – such as advanced obfuscation, runtime environment checks and integrity validation – to thwart attackers reverse engineering the code and to stop them using man-in-the-device techniques to take control of the app.
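As an added illustration of two of the layers named above, integrity validation and a runtime environment check, the following example (written for this post, not Verimatrix's product code) shows the principle in a few lines. The "code" bytes, the expected digest and the device property values are all constructed; the property names `ro.hardware` and `ro.product.model` are real Android system properties, but the values an emulator reports vary, so the list checked here is an assumption for the example.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed stand-in for the app's compiled code as it was built.
ORIGINAL_CODE = b"\x7fDEX\x00constructed-app-code-v1.0\x00"

# Computed once at build time and embedded in (or served to) the app.
EXPECTED_DIGEST = hashlib.sha256(ORIGINAL_CODE).hexdigest()


def code_is_intact(loaded_code: bytes, expected_hex: str) -> bool:
    """Integrity validation: recompute the digest over the code actually loaded and
    compare it, in constant time, with the build-time value. Any patched byte fails."""
    actual = hashlib.sha256(loaded_code).hexdigest()
    return hmac.compare_digest(actual, expected_hex)


# Constructed property values that commonly indicate an emulator (assumption for
# this example; a real check combines many signals, and the values differ by image).
EMULATOR_MARKERS = {
    "ro.hardware": ["goldfish", "ranchu"],
    "ro.product.model": ["sdk", "emulator"],
}


def environment_findings(props: Dict[str, str]) -> List[str]:
    """Runtime environment check: return the properties whose value matches a marker."""
    hits = []
    for key, markers in EMULATOR_MARKERS.items():
        value = props.get(key, "").lower()
        if any(m in value for m in markers):
            hits.append(f"{key}={props[key]}")
    return hits


def self_check(loaded_code: bytes, props: Dict[str, str]) -> bool:
    """Combined start-up decision: run only when the code is unmodified and no
    environment marker fires. Shielding products layer many such checks and hide them
    in the obfuscated code so that an attacker cannot simply patch out the one branch."""
    return code_is_intact(loaded_code, EXPECTED_DIGEST) and not environment_findings(props)


if __name__ == "__main__":
    real_device = {"ro.hardware": "qcom", "ro.product.model": "Pixel 7"}
    print("untouched app on device:", self_check(ORIGINAL_CODE, real_device))
    patched = ORIGINAL_CODE.replace(b"v1.0", b"v1.X")
    print("patched app on device:", self_check(patched, real_device))
```

The important design point is in the last docstring: a single check like this is itself a target once the app is reverse engineered, which is why the post pairs integrity validation with obfuscation and multiple runtime checks rather than relying on any one of them.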

A good professional Shielding solution will turn your mobile app into the locked box that your VA/PT solution thinks it is.

It is for these reasons that the OWASP Mobile Top 10 recommends hardening your code as well as scanning for vulnerabilities.

VA/PT may tell you your app is vulnerable to a man-in-the-middle attacker; but you need Shielding to defend against reverse engineering and man-in-the-device attacks.

To discover how easy it can be to Shield your app, why not try Verimatrix XTD Prevent (formerly App Shield) today?

See how we can help protect your business:

• Mobile applications and APIs 
• Video content
• Digital payments