With news of mobile application hacks from all over the globe being the talk of the town, companies are now changing the way they look at cyber security and in particular mobile app security. In this article, we'll tell you what you need to know about mobile app security testing and the different mobile app security testing vendors you can approach to help keep your business secure.
Gartner stated earlier in 2015 that 75% of mobile applications would fail basic security testing. It was no surprise that Gartner was more than right, as was evident from the results that emerged, including an internal study that Appknox conducted with 500 E-commerce companies globally.
Appknox study revealed that 95% of the top global E-commerce apps fail basic security testing.
Similarly, Gartner released another statement saying that, by the year 2020, up to 90% of enterprises will test their mobile applications for security vulnerabilities. It’s no surprise that businesses are bumping mobile app security up to the top of their strategy because of the new channels of exploitation mobile brings to the cyber security world.
Gartner recently conducted an in-depth study of the mobile application testing environment and released the list of top mobile app security testing vendors in the industry. Before we move on to telling you more about the vendors and the key findings from this study, here are the essentials of what businesses need to do in order to fully master the mobile testing process and secure their business from one end to the other.
Many companies still rely on manual penetration testing in order to fully secure apps. While we believe that no system can surpass the human mind, we also firmly believe that mobile security automation can reduce the effort of security teams (ethical hackers) significantly, by nearly 75%. Many companies have challenged the human mind and come up with great solutions for automating mobile security testing. Here’s how Appknox, one of Gartner's top listed mobile app security testing vendors, has broken through security barriers to ensure complete security for its clients.
Appknox uses a system plus human approach to ensure that every possible loophole in a mobile application is plugged before launching in the stores, and helps identify vulnerabilities even after the app is launched.
Appknox’s automated mobile security solution covers more than 80 test cases, which include test cases from industry security compliance checks like OWASP TOP 10, HIPAA, PCI-DSS and more. Appknox uses a 3-stage scan that detects and helps neutralize threats.
Here’s how the scanning works:
1. SAST (Static Application Security Testing) - This solution statically analyzes the source, binary or bytecode of an application to identify vulnerabilities. This technique is very similar to the SAST performed on more traditional applications, such as web apps, and is performed at the programming and/or testing phases of the software development lifecycle (SDLC). SAST can analyze the code of the portion of the app residing on the device, as well as on the server side. Appknox has over 40 test cases that check for basic configuration issues with the static scan.
2. DAST (Dynamic Application Security Testing) - These solutions use dynamic analysis to test the app in its runtime state. DAST simulates attacks against an application and analyzes the application's reactions to determine whether it is vulnerable. DAST is typically performed in the testing, preproduction and sometimes the production phases. Traditional DAST is designed to test the server side of an application, but not the code of the app residing on the mobile device, which is typically addressed by static analysis. Appknox’s dynamic testing is conducted by running the app on a mobile device emulator, simulator or an actual mobile device.
3. MAST (Manual Application Security Testing) - Mobile AST solutions use behavioral analysis to observe the behavior of the app during runtime and identify actions that could be exploited by an attacker. Behavioral testing at Appknox is conducted by some of the top ethical hackers in the industry to identify business logic issues that may otherwise have been missed by the system scan.
Apart from using these test cases to identify commonly exploited threats, Appknox has some of the industry's most renowned ethical hackers, who dive deeper to ensure that no vulnerability is left unchecked.
Some of the notable loopholes our security researchers detected were:
1. We bought food for 1 Rupee from the top food aggregator apps in India.
2. We identified a security vulnerability on request from one of the largest taxi aggregators in India to save them from a huge PR disaster.
3. We identified loopholes in certain banks that let us obtain the transaction and personal details of any customer with just the account number.
4. We were able to bypass OTP for many applications, which let us take over accounts completely.
5. And much more.
The vulnerabilities mentioned above are only the cherry on the cake; there’s a whole array of potential threats we’ve discovered that could be misused to completely destroy not just businesses but also the private information of individuals.
With that being said, here’s the list of key findings from this Gartner study about the mobile security ecosystem and the top mobile app security testing vendors:
1. Mobile application security testing (AST) is a growing market and technology space that is bound to merge with the broader AST market as the technologies mature, and as the evolution of mobile platforms slows down as they converge with PC platforms.
2. Mobile AST leverages the static application security testing (SAST) and dynamic application security testing (DAST) techniques used in the broader AST space, but these techniques are adapted to mobile platforms.
3. The main innovation brought with mobile AST, compared to broader AST, is the introduction of behavioral analysis as a complement to DAST and SAST.
4. The use cases and enterprise needs for mobile AST are often different from the ones for the broader AST market in terms of speed and agility of development and the budget allocated.
Mobile applications are growing, and security testing has been following this trend. In a recent Gartner survey, 53% of respondents suggested that they already have mobile apps in their enterprise, while 40% stated they have plans to deploy mobile apps in the future.
The landscape is composed of a multitude of new, small vendors with dedicated and innovative solutions, and many well-known AST vendors that have expanded their solutions to address mobile use cases. The evolution of the market will inevitably see smaller mobile vendors merge with larger vendors, but so far there has been little consolidation activity, with only a few acquisitions and partnerships taking place. The market adoption for the primary use case of mobile AST on in-house-developed apps is growing, even though it is still only a fragment of the AST market.
Gartner’s List of Top Mobile App Security Testing Vendors
Gartner has identified many mobile app security testing vendors that have built innovative solutions to combat the challenges of the mobile application ecosystem. Amongst the top (to name a few) are:
- Varutra Consulting
- Hewlett Packard Enterprise (HPE)
- Data Theorem, and others.
You can use THIS LINK to download the detailed report, which lists the other mobile app security testing vendors identified by Gartner.
If you would like to learn more about Appknox and how we can help secure your mobile app business, feel free to request a demo; we'd love to run you through what our automated plus manual solution can do to ensure total mobile security.