Subho Halder, Co-founder and CTO of Appknox, discusses the transforming landscape of mobile application security
Elaborate on your focus on mobile application security.
Appknox is primarily focused on mobile application security. We are also rated as one of the leaders in the Gartner quadrant for application security. We work with a lot of enterprises, specifically banking and government services, to make sure that their applications are secure. One of the major differentiators is that we do not need the source code of the application for our work but rather do binary code analysis of the application. And that's how we figure out the security issues.
What are Super Apps and what are the security challenges they could bring up?
A Super App is a concept that essentially means a single app serving almost every need of the user. For example, a bank application may have e-commerce options also embedded inside it. It can have an application to pay bills, one to perform other transactions or services, and all of this is offered via a single app apart from the core services. In terms of security, this increases the threat surface area. For instance, let's say you are a payment aggregator and are aggregating other commerce apps inside. The attack surface increases because the attack surface is no longer limited to your core offering. The vulnerability can also be inside those super apps. It becomes a little bit tricky for developers and for companies and organizations to coordinate and fix such vulnerabilities. It becomes a problem in terms of whose responsibility it is to fix it.
We must understand the key difference in security between websites and mobile applications. With websites, if you identify a security vulnerability, you can just fix it. With an application that gets downloaded from mobile app stores onto phones, you must apply a patch to the application uploaded to the store in case of a bug. But it is not in your hands to ensure users update the application on their phones.
With Super Apps, even if we find a vulnerability, it becomes a little bit complex to fix responsibility. Shared responsibility is one of the problems, and even if the vulnerabilities get fixed, how can one ship out those fixes and make them accessible to customers? It must be either via an update or an upgrade, and that becomes a challenge. And if we look at Super Apps, the applications that are inside those super apps may not be any different than if you were to download a standalone e-commerce app. However, with a Super App, you could save some space on your mobile. But whether the concept of Super Apps works or not is debatable, as it is still in the beta phase.
The ecosystem supports you in building a Super App, but it is about the processes, the implementations, governance, etc. While the ecosystem already exists through APIs, SDKs, plugins, etc., the processes, governance, privacy, etc. need to be fixed.
How does your solution test application security?
Appknox is mostly an automated platform solution. The faster you figure out an issue, the cheaper it is for you to solve the issue. We believe in the Shift Left concept, and our automated solution can discover any issue before manual penetration testing can. Our automated solution offers you DevSecOps integration and App Store monitoring. We monitor the Play Store and the App Store for vulnerabilities in the apps that have been published. When we diagnose a new vulnerability and if those apps are affected, our solutions can get the apps down, immediately fix them, and then push them back into the app store. That's one of the solutions we have.
We also have a solution called SBOM, based on the software bill of materials, that lists all components used to build the application. An app is not just a piece of code but a combination of code, components, plugins, SDKs, and analytics. SBOM provides visibility into the components used, helping identify vulnerabilities and deliver proactive threat mitigation. For instance, in a Super App, the e-commerce component may not be something the super app provider has developed. They might have taken an SDK from an e-commerce retail platform. In such cases, somebody needs to understand or know when an update is available in the SDK library and if a new vulnerability has been fixed with a new version. This is what SBOM does, and also, for the first time in the world, it does this via binary code analysis and not through the source code. Binary data statistical analysis may examine third-party libraries included in mobile application SDKs, providing a deeper knowledge of how apps interact with libraries for various objectives. This is how we help Super Apps stay secure.
How do you view the current threat scenario?
The threat scenario for mobile applications has significantly evolved, driven by the increased penetration of mobile devices and applications. Alongside, the mobile application security market is seeing significant growth as an outcome of this growth in threats. Appknox is a ten-year-old company, and ten years ago when we started, we were seeing the advent of mobile apps, but now it is the era of Super Apps.
The difference with these Super Apps is that they hold a lot of your personal information and data, from logins to passwords. The mobile as a device is a lot more personal compared to even the laptop and more precious because of the personal data it holds. So, ensuring the security of the apps that hold your trusted information, from biometric credentials to financial data, is paramount.
Which industries could face the most threats?
Heavily regulated industries, banks, and the entire BFSI industry face significant threats. That is why they must secure themselves and their mobile applications.
Discuss your focus in the region.
We cover the whole GCC region and have a good presence here. We work with many banks and count a lot of government entities and entities from regulated industries among our customers. In addition to a cloud offering, we provide an on-premises solution preferred by the regulated industries because they are concerned about data sovereignty. And we offer that flexibility of deployment to our customers.
How big is the team at Appknox? Discuss the focus on R&D.
We have over 65 employees, and 15 of them are in R&D. R&D is a huge focus. Since we don't work on source code but rather on binary code analysis, that requires a lot of research and development effort. We also release a lot of white papers, contributing to the industry's growth. We contribute to open source to help researchers and offer tools in mobile application security. For us, it's not only about business but also about contributing to the community and industry. This is something that makes me proud.
What are some of the new areas of focus?
We are now focusing on utilizing AI to detect cloned applications or phishing applications on the internet. If you are an Android user, you should be aware that there could be so many app stores or Android app releases that are not official versions. Yet people download those applications, which are not from the real developers but possibly from criminals. We are trying to help organizations whose apps may be cloned by cyber criminals to bring them down from the app stores or anywhere on the internet with the help of AI.
Can you elaborate on the growth in demand for mobile application security?
Right now, the market is mature. Customers are looking for mobile app security vendors. This was not so even five years ago. The market demand then was primarily for web app security and API scans. The market was not ready, and we were there to educate the market then. I participated in many conferences to tell them about the difference between web security and mobile app security and to inform them how we specialize in mobile application security. The market has grown since then, and RFPs are coming up because organizations want to fix their mobile app security. Breaches are happening via mobile applications and the APIs that mobile applications interact with. The market understands this growing threat, and customers are reaching out to companies such as ours.
How has the growth been?
We are seeing around 70% year-on-year growth. Since the lockdown days, the growth has taken off as people became more digital in their interactions and transactions. Banks have also gone increasingly digital, and that too has driven the growth.