Q&A with NowSecure: on Mobile Security and Application Testing

By Community Team

A study conducted by the Pew Research Center, released in January 2017, revealed that 77% of Americans now own a smartphone. It is easy to see why smartphones have become so popular: they give users access to a wide range of applications and functionality that entertain, inform, assist, and save time. Mobile applications (whether paid or free) are readily available through app stores and can be downloaded in less than a minute. The sheer number of applications on offer, whether for pleasure or for business, is staggering. Given this rise in personal mobile devices and mobile applications over the past several years, businesses have been actively pursuing mobile as a channel for customer outreach, marketing initiatives, tech support, and more.

For enterprises, mobile applications and mobility are assets; however, choosing this mode of communication also opens a Pandora’s box of security threats. Simply take a look at the two top performers in the mobile industry. Apple prides itself on its security features, yet browser ransomware, the “Celebgate” iCloud attacks, and other security challenges have appeared in tech headlines. Android is no exception: it is also a target of threats and vulnerabilities, including well-publicized issues such as the QuadRooter problem and Moonpig, and an almost omnipresent malware problem. All of these instances demonstrate how using an application on any operating system can expose a user’s personal information and files, and why a rigorous testing period is important to ensure a safe, rapid user experience.

To avoid insecure data storage, malware, data leaks from syncing, and other common mobile app security issues, both app creators and enterprises are encouraged to be proactive about security and to ensure all potential threats are covered. Enterprises can do this through mobile app security testing, which checks applications for security issues, privacy problems, and compliance gaps.

SourceForge recently spoke with Sam Bakken, the Mobile App Security Testing Evangelist at NowSecure, to discuss some of the serious threats faced by consumers of mobile applications, and how proactively subjecting custom or third-party commercial apps to mobile app security testing can save enterprises (and their users) from the risk of security breaches.

Q: Can you share a brief company background on NowSecure as well as the company’s vision, mission, and some current clients?

A: NowSecure was founded in 2009 as a mobile forensics company with a mission to protect businesses and consumers from risky mobile apps that expose them to cyberattack, leak sensitive data, or violate industry compliance rules. Our founder literally wrote the book on mobile forensics for iOS and Android, and over the years our world-class security researchers have identified numerous mobile vulnerabilities and built reversing and app security testing tools including renowned open-source tools Frida and Radare. Since then, NowSecure has helped hundreds of clients secure millions of apps used by customers and employees around the world. Only the NowSecure Platform delivers automated 360-degree coverage of mobile app security testing 8X faster and 3X deeper than any alternative. The NowSecure Platform consists of software for hard-core penetration testing of custom mobile apps, rapid cloud-based security testing of custom mobile apps, expert penetration testing services and training, and always-on cloud analysis for third-party apps on the Apple® App Store® and the Google Play™ store. The world’s most demanding organizations and advanced security teams – 4 of the top 5 banks and government agencies – trust NowSecure to identify the broadest array of security, privacy, and compliance gaps in custom, third-party, and business-critical mobile apps.

Q: The company was rebranded in 2014 from viaForensics (formerly viaExtract) to NowSecure. What was the reason for this change? Why did you decide to shift the focus to individual and enterprise device protection?

A: We grew up in mobile forensics (some of your readers might know our open-source Linux distribution for mobile forensics — Santoku Linux). That forensics pedigree is part of why we’re so good at mobile app security analysis and are able to perform some of the testing we’re capable of. In mobile forensics, though, we were called in after something had already gone wrong. To attack a core root of the mobile security problem, we switched our focus to helping make mobile apps secure before they’re deployed. That way fewer mobile app vulnerabilities make it out the door — a more proactive approach.

Q: What solutions do you offer to help companies address their mobile security? What sort of tools, features, and analytics do you provide to help monitor and secure apps?

A: Government agencies and companies in the financial services industry choose NowSecure because we deliver mobile app security testing at a depth and speed no other vendor can touch. As mobile evolved, a lot of organizations were using legacy app security testing technology — static source code analysis for instance — that left most of the real-world mobile attack surface unexplored. Or, they were piecing together an amalgam of web and mobile testing tools that became unwieldy to manage. NowSecure has created truly unique, purpose-built software that analyzes mobile apps from an attacker’s perspective — providing a much more accurate picture of the actual vulnerability of an app. Our products and services perform static, dynamic, and behavioral analysis of the mobile app binary, post-compilation — making our coverage 3X deeper with the highest accuracy and fewest false positives in the industry. Dynamic and behavioral analysis of iOS apps is especially difficult. We’re the only vendor in the world that can provide real dynamic and behavioral analysis on iOS, and we do it on actual physical devices instead of emulators. That always wows the security teams we talk to and serve.

Q: What challenges exist for global enterprises and government agencies in terms of app security? How can NowSecure help address and overcome these challenges?

A: The main challenges in mobile app security are the lack of mobile-specific app security domain knowledge, the volume of apps that need testing, the inadequacies of existing tools, and a lack of insight into the security, privacy, and compliance status of apps from the official app stores. We find that 25% of mobile apps in production have at least one high-risk security flaw.

Samuel Bakken, the Content Marketing Manager at NowSecure, believes that there are three big challenges in terms of mobile security.

First, security teams simply can’t keep up with the demands on their time. Gartner has said only 30% of mobile apps get proper mobile app security testing. A statistic cited by SANS says that developers outnumber app security staff 245:1. That’s a HUMONGOUS gap. Our software makes app security teams more efficient and allows enterprises to shift security left with automated testing earlier in the SDLC. Our customers report tests that used to take a security analyst an entire day can be completed in 30 minutes or less – more than 8x faster – with NowSecure. That means security analysts can test more apps and identify more vulnerabilities that can be fixed before they put businesses and users at risk.

Second, vulnerabilities are making it through because the tools used for security testing aren’t providing enough coverage. A lot of app security teams have to use tools built for web app testing – and many of those tools rely on static source-code scanning which leaves a whole lot of the app untested and reports too many false positives. Our solutions test the actual app binary, which is what an attacker would go after. And that testing is performed on an actual physical device with static analysis (looking at strings and third-party library calls), dynamic analysis (during runtime), and behavioral analysis (taking action to exploit the app as an attacker might). Put simply, because the NowSecure Platform offers 3x coverage, we’re finding things other tools do not.

We then combined our solutions for the volume and coverage problems to also continuously monitor the Apple App Store and Google Play store. We pull down and perform automated security testing of third-party commercial apps available in the stores. We can then provide enterprise mobility and security teams with deeper insight into the security and privacy practices of those third-party apps over time.

Q: Can you give us a brief overview of what your open-source tools Frida and Radare do? What are the advantages of each?

A: Radare is an open-source reverse-engineering framework. Frida is an open-source dynamic instrumentation framework which allows you to inject code into running processes. Both tools allow people to take a deep look at an app through static and dynamic analysis. The purpose/functionality/behavior of some code may not be clear until you observe it at runtime, which Frida allows you to do. Comparatively, observing behavior at runtime is much more valuable if you’re also able to dive deep into the code that exhibits that behavior, which Radare allows you to do. Our commercial software incorporates both of these well-respected tools, and their creators Sergi Alvarez (Radare) and Ole André Vadla Ravnås (Frida) are on the NowSecure mobile threat research team.

Q: There are a growing number of open source projects and tools on the market: how has the rise and popularity of open source affected developers? What are the advantages and disadvantages of having this wide range of open source projects and tools to companies?

A: We’re big supporters of the open-source software movement. We’re deeply invested in the Frida and Radare projects, support the open-source Santoku Linux distribution, and published Android VTS – an open-source Android app that detects vulnerabilities on Android devices. Open-source software is great because more people can more easily contribute to the software and make it better (both Frida and Radare have incredibly vibrant contributor communities). Plus, because the code is open to the world, more people can evaluate it for vulnerabilities. And finally, there are more tools out there for developers to use and make even more and better tools. A disadvantage is that open-source projects are sometimes plagued by the same security problems that commercial software is. And some developers assume all open-source projects are always secure, which is simply not true. And then, when you have a large number of developers using a certain open-source project in their own projects, suddenly the attack surface expands very quickly and widely. The best way to know is to monitor the projects and make sure you’re using the most up-to-date versions of any project and then validate the security of your own projects with security testing.

Q: What does it mean when a mobile app is classified as “leaky?” How are mobile app security and pen testing different? What causes teams to neglect mobile app security testing? What makes apps vulnerable and exposed to risks?

A: Leaky mobile apps transmit or store sensitive user or company information in an insecure manner. Intentionally or not, even legitimate apps can collect and transmit location, device identifiers, personal contacts, and more. Attackers could use sensitive data leaked by a mobile banking app for example to defraud a bank and their customers. Or, an app might surreptitiously transmit GPS data about an executive while traveling overseas. Or, an app used for communication among staff may not secure the contents of sensitive conversations.

The NowSecure Intelligence feed identifies any issues and assigns them a status

Mobile app penetration testing is a sort of role-playing activity. You poke and prod an app for weaknesses that might allow an attacker to compromise the app and gather sensitive data that they can monetize or use for a more targeted attack on a user. The NowSecure Platform includes mobile app penetration testing software as well as our expert team of mobile app security penetration testers that can perform that testing on behalf of a client.

As mentioned in detail above, so many enterprises and people are developing so many apps so quickly that it’s tough to keep up with the demand. That’s why we built the NowSecure Platform to allow security analysts to test 8x faster and be 10x more productive. In addition, many enterprises are relying on legacy technology built for web applications that simply do not provide coverage for the entire mobile app attack surface. That’s why we provide 3X the coverage with static, dynamic, and behavioral testing of both Android and iOS apps on real devices rather than emulators.

Q: What are the top mobile app security issues? How can data-sensitive companies and entities assure their clients that their data are secured?

A: The top mobile app security issues for enterprises include security vulnerabilities, privacy issues, and compliance gaps. Security issues include weak authentication, unsecured data at rest or in-motion, man-in-the-middle vulnerabilities, and more. Privacy issues consist of personal data leakage, inappropriate access to a device’s camera or microphone, over-reaching permissions (why does a flashlight app need access to your contacts?), and other related items. Compliance gaps occur when a mobile app violates industry standards such as the OWASP Mobile Top 10 or regulatory standards such as the FFIEC’s guidance for mobile financial services.

Really, the only way to know that a mobile app is secure and takes proper steps to protect data in motion and at rest is to have an expert use effective tools to look at and attempt to compromise an app as an attacker might. Unless you’re observing and interacting with that app and have empirical evidence about how it behaves, you can’t really guarantee that it’s secure.
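The Frida runtime instrumentation described earlier and the “unsecured data in motion” issue named above, as an added example that is not NowSecure’s or the Frida project’s own code: a Frida agent for Android that hooks `java.net.URL.openConnection`, records the scheme and host of every connection the app under test opens, and grades cleartext transport as a finding. The allowlist of dev hosts, the severity scale and the package name in the usage comment are assumptions made for this example.

```javascript
// Added example (not NowSecure's code). A Frida agent for Android that watches
// outbound connections at runtime and flags cleartext transport, one symptom of
// a "leaky" app. The finding logic lives in pure functions so it can be tested
// outside Frida; the hook at the bottom only runs inside a Frida session
// (e.g. `frida -U -f <your.package> -l agent.js`; the package name is a placeholder).

// Dev hosts where cleartext is tolerated in a test build (assumed allowlist).
const CLEARTEXT_ALLOWLIST = new Set(["localhost", "127.0.0.1", "10.0.2.2"]);
const RANK = { high: 3, medium: 2, low: 1, info: 0 };

// Classify one observed endpoint by scheme and host.
function classifyEndpoint(protocol, host) {
  const p = String(protocol).toLowerCase();
  const h = String(host).toLowerCase();
  if (p === "https") return { severity: "info", reason: "TLS transport" };
  if (p === "http" && CLEARTEXT_ALLOWLIST.has(h)) {
    return { severity: "low", reason: "cleartext to allowlisted dev host" };
  }
  if (p === "http") return { severity: "high", reason: "cleartext HTTP to " + h };
  return { severity: "medium", reason: "unexpected scheme " + p };
}

// Reduce many observations to one finding per (severity, host), highest first,
// so a chatty app does not bury the cleartext endpoint under repeats.
function summarize(observations) {
  const seen = new Map();
  for (const { protocol, host } of observations) {
    const f = classifyEndpoint(protocol, host);
    const key = f.severity + ":" + String(host).toLowerCase();
    if (!seen.has(key)) seen.set(key, { host: String(host), ...f });
  }
  return [...seen.values()].sort((a, b) => RANK[b.severity] - RANK[a.severity]);
}

// Runtime instrumentation: `Java` and `send` are Frida globals, absent under Node.
if (typeof Java !== "undefined" && Java.available) {
  Java.perform(function () {
    const URL = Java.use("java.net.URL");
    // openConnection() also has a (Proxy) overload, so pick the no-arg one.
    URL.openConnection.overload().implementation = function () {
      const finding = classifyEndpoint(this.getProtocol(), this.getHost());
      send({ host: this.getHost(), ...finding }); // evidence for the test report
      return this.openConnection(); // observe only; never alter app behaviour
    };
  });
}
```

The messages emitted by `send()` are collected on the host side (for example with the Frida Python bindings) and fed to `summarize()` to produce the evidence the paragraph above calls for.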

Q: What are other projects that you are working on? What does the future hold for NowSecure?

A: This fall we’re launching the NowSecure Intelligence product. The Apple App Store and Google Play store do some basic evaluation of mobile apps before they’re published, but security-conscious enterprises require more scrutiny. NowSecure Intelligence continuously monitors the security status of third-party mobile apps published on the Apple App Store and the Google Play store. By providing insight into the risk of third-party apps used by employees, NowSecure Intelligence truly completes the NowSecure Platform. In addition to the product launch, we have a host of new features, tests, and more coming for the rest of the products in our portfolio that we will announce in the coming year. And of course, you’ll find us at local meetups, OWASP events, RSA Conference, Blackhat USA and other industry events.

About NowSecure

Founded in 2009, NowSecure is a mobile security company focused on helping deliver mobile application security through their solutions that include custom app analysis, 3rd party app vetting, and deep dive pen testing. The company is driven by their mission to deliver maximum customer value through the speed, accuracy, and efficiency of their platform. Most recently, NowSecure and its open source projects were featured in Gartner’s 2017 Market Guide for Mobile Application Security Testing.