Monday, December 5, 2016

Using NowSecure for automated mobile app testing

As an independent information security consultant, I'm always looking for good testing tools to rely on for my work. These tools, such as vulnerability scanners, network analyzers/proxies, and related manual analysis tools, are not the be-all-end-all answer for uncovering security weaknesses, but they are a very important aspect of what I do. Be it more generic vulnerability scans, a targeted penetration test, or a broader, more in-depth, security assessment, I simply don't have the time or brainpower to forgo using good tools.

In the interest of working smarter and not harder, there's a neat mobile app security testing automation tool from NowSecure that can automate the process of mobile app security analysis. This cloud or on-premises platform can be used on currently-deployed mobile apps or apps that are in the middle of their development lifecycle. Just load the APK (Android) or IPA (iOS) file for the mobile app to be tested and the checks are run - including real-world, dynamic simulation - and the report is generated.

You're provided with the specific vulnerability, CVSS references, and recommendations for each finding. NowSecure also includes informational findings as well as security checks that "passed". A summary view of sample findings is shown as follows:

Additional information regarding the mobile app's functionality is provided including:
  • Network connections outlining who/what the mobile app talks to (I always find this amusing and sometimes scary!)
  • Behavioral events of specific app methods that are run along with timestamps
  • URLs listed in the source code and files contained in the archive package
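
The last two bullets (the files inside the package and the URLs embedded in it) are the kind of static check such a platform runs over an uploaded archive. As an added illustration that is not NowSecure's code and not part of the original post, the Python below builds a constructed, in-memory APK-style ZIP archive (an APK is an ordinary ZIP, so a real package opens the same way; every file and URL here is invented), lists its entries, pulls URLs out of each entry's raw bytes, and reports cleartext http:// endpoints as findings with a recommendation, mirroring the finding/recommendation/passed structure described above.

```python
import io
import re
import zipfile

# Constructed sample "APK" assembled in memory. An APK is a plain ZIP archive,
# so zipfile handles a real one identically; these entries and URLs are invented.
def build_sample_apk() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest package='com.example.demo'/>")
        # Fake dex payload: strings in a dex file are NUL-terminated, as here.
        zf.writestr("classes.dex",
                    b"dex\n035\x00...https://api.example.com/v1/login\x00"
                    b"http://legacy.example.com/update\x00")
        zf.writestr("res/values/strings.xml",
                    "<resources><string name='help'>https://help.example.com</string></resources>")
        zf.writestr("assets/config.json", '{"cdn": "http://cdn.example.com/assets"}')
    return buf.getvalue()

# Matches http(s) URLs in raw bytes; stops at NUL, quotes, '<' and whitespace,
# which is what terminates strings in dex, XML and JSON respectively.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")

def list_package_files(apk_bytes: bytes):
    """Inventory of everything shipped inside the archive package."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return sorted(zf.namelist())

def extract_urls(apk_bytes: bytes):
    """Map each archive entry to the sorted, de-duplicated URLs found in it."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            urls = sorted({m.group(0).decode("ascii", "replace")
                           for m in URL_RE.finditer(data)})
            if urls:
                found[name] = urls
    return found

def cleartext_findings(urls_by_file):
    """Turn cleartext http:// endpoints into findings; https-only files 'pass'."""
    findings = []
    for name, urls in urls_by_file.items():
        for url in urls:
            if url.startswith("http://"):
                findings.append({
                    "file": name,
                    "url": url,
                    "issue": "cleartext HTTP endpoint",
                    "recommendation": "Serve this endpoint over HTTPS and validate the certificate chain.",
                })
    return findings

if __name__ == "__main__":
    apk = build_sample_apk()
    print("Files in package:", list_package_files(apk))
    urls = extract_urls(apk)
    for name, found in urls.items():
        print(f"{name}: {', '.join(found)}")
    for f in cleartext_findings(urls):
        print(f"FINDING {f['file']} -> {f['url']}: {f['issue']}; {f['recommendation']}")
```

The byte-level regex is deliberate: a compiled dex file is not text, so scanning decoded strings would miss endpoints that only live in the bytecode constant pool. Treat the URL list as a starting point for the network-connection review, since a scan of static strings cannot see hosts that the app assembles at runtime.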

NowSecure provides an interesting and refreshing approach to security testing. I had someone contact me years ago asking if I had a way to automate the process of testing numerous mobile apps. I didn't and wish I would have - or at least wish NowSecure's current platform would've been around then! Mobile app security testing is (still) a big and underserved market to say the least. This type of tool can help take some pain out of the mobile app security assessment process. Some people out there may be good enough to do manual testing of every computer, web application, and mobile app that's thrown their way. However, odds are these folks are not getting a lot done or providing much value to their employers, customers, or even themselves.

There's too much to do with security and not nearly enough time to do it. Work smart. Don't re-invent the wheel. Automate your security testing with tools like NowSecure where you can. Of course, perform your manual analysis where you need to. I never advocate relying solely on automated tools when performing a full security assessment. There's too much to overlook and lose. However, mobile apps are largely an unexplored frontier so you're going to have to rely on good tools to point you in the right direction and (especially) find those niche flaws that would be impossible or unreasonable to uncover otherwise.