Setting benchmarks in Mobile Application Security


Harshit Agarwal, Co-Founder & CEO at Appknox, discusses the company's range of mobile application testing solutions and its focus on the MEA region

Can you elaborate on the spectrum of application testing services that your organization offers?

At Appknox, we provide vulnerability assessment, penetration testing, store monitoring/drift detection as well as visibility into Software Bill of Materials.

Through vulnerability assessment, we help define, identify, classify, and prioritize vulnerabilities in applications. Vulnerability assessment involves an in-depth evaluation of a security posture and recommends appropriate remediation to remove security risks. It is a list-oriented approach, and we use the following testing methods.

  • Static Application Security Testing (SAST) – A fully automated security test that checks for basic configuration issues in code and the application.
  • Dynamic Application Security Testing (DAST) – A deeper dive into the app’s transport layer that checks for loopholes in communication between the application and the server.
  • Application Program Interface Testing (APIT) – Complete server-side testing for all mobile app components.

Under penetration testing, we offer in-depth testing that detects security issues without aiming to damage the infrastructure. Penetration testing simulates a real-life attack, more like a real hacker's approach to uncovering security loopholes, and is a goal-based approach.

Store Monitoring / Drift Detection helps in the complete identification of the latest version of the mobile app from the app store along with real-time notification for unscanned versions on the app store. Finally, we also help gain visibility into all the components with binary-based SBOM to discover all components used in mobile apps and uncover attack surfaces for open-source and third-party components.
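The store monitoring / drift detection idea above, as an added illustration that is not Appknox's code: compare what the store currently lists against the versions a security team has already scanned, and raise an alert for any build that has never been assessed. The scanned-version record and the store listing are constructed samples; a real monitor would fetch the listing from the app store.

```python
"""Store-monitoring / drift-detection check (added example, not Appknox code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample: versions the security team has already scanned.
SCANNED_VERSIONS: Dict[str, Set[str]] = {
    "com.example.shop": {"1.9.2", "1.10.0"},
    "com.example.bank": {"3.4.1"},
}

# Constructed sample of what the store currently lists for each package id.
STORE_LISTING: Dict[str, str] = {
    "com.example.shop": "1.10.1",
    "com.example.bank": "3.4.1",
    "com.example.newapp": "0.1.0",
}


@dataclass(frozen=True)
class DriftAlert:
    package: str
    store_version: str
    last_scanned: Optional[str]  # None when no version of this app was ever scanned


def parse_version(v: str) -> tuple:
    """Compare versions numerically so that 1.10.0 sorts after 1.9.2 (string order would not)."""
    return tuple(int(part) for part in v.split("."))


def find_drift(scanned: Dict[str, Set[str]], store: Dict[str, str]) -> List[DriftAlert]:
    """Return one alert for every store-listed version that has not been scanned."""
    alerts: List[DriftAlert] = []
    for package, store_version in sorted(store.items()):
        seen = scanned.get(package, set())
        if store_version in seen:
            continue  # this exact build has already been assessed
        last = max(seen, key=parse_version) if seen else None
        alerts.append(DriftAlert(package, store_version, last))
    return alerts


if __name__ == "__main__":
    for alert in find_drift(SCANNED_VERSIONS, STORE_LISTING):
        print(f"{alert.package}: store lists {alert.store_version}, "
              f"last scanned {alert.last_scanned or 'never'}")
```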

How important is it to ensure testing so that the mobile applications run smoothly in different environments? How has Appknox helped enhance testing?

Ensuring thorough testing for mobile applications across diverse environments is crucial. The seamless functionality of an app depends on its ability to perform reliably across various devices and operating systems. Rigorous testing not only guarantees optimal user experience but also identifies and rectifies potential issues before deployment. Today, users access applications on different devices and platforms making meticulous testing non-negotiable for sustained success and user satisfaction.

To aid this, Appknox has recently introduced automated DAST that is triggered without human interaction and exercises all functionalities across the application, which makes the vulnerability assessment process comprehensive without leaving functionality untested because of human error or oversight. It also discovers and analyzes emerging security threats and vulnerabilities by automating security scans on real devices with realistic attack scenarios for accurate identification, as opposed to simulators.

What are the various aspects that your solutions check for during the testing process?

Our testing services are comprehensive and cover all aspects of application security, as detailed below:

Vulnerability scanning

Appknox scans for potential vulnerabilities in the app’s code and configuration, identifying weaknesses that could be exploited by attackers.

Supply Chain

In the software supply chain, Appknox secures mobile applications by rigorously checking the Software Bill of Materials (SBOM) and verifying component integrity and origins, addressing vulnerabilities, and ensuring transparency for developers, contributing to a secure software supply chain.

Data encryption

Appknox verifies that sensitive data within the app is properly encrypted, safeguarding user information from unauthorized access.

Authentication mechanisms

The solution assesses the strength of the app’s authentication methods, ensuring that only authorized users can access sensitive features and data.

APIs

The solution identifies all APIs in applications, ensuring exhaustive API security coverage.

Code obfuscation

The solution assesses whether the app’s code is adequately obfuscated to deter reverse engineering attempts, enhancing the overall security posture.

Compliance checks

Appknox verifies if the app complies with industry-specific security standards and regulations, ensuring adherence to best practices and legal requirements.

User permission controls

The solution assesses how the app handles user permissions, preventing unauthorized access to device functionalities and protecting user privacy.


What are the risks involved if the applications aren’t properly tested before being rolled out?

There are multiple risks if applications are rolled out without proper testing. The following scenarios show how Appknox helps in identifying vulnerabilities and enhances the security posture.

Security vulnerabilities

Without thorough testing, security flaws may remain undetected, exposing the application to potential breaches and unauthorized access. Appknox ensures that security vulnerabilities are identified and addressed to safeguard user data and privacy.

Data breaches

Inadequate testing increases the likelihood of data breaches, compromising sensitive user information. Appknox helps prevent such breaches by rigorously examining the app’s security measures, including encryption and data handling practices.

Malicious exploitation

Untested applications are susceptible to exploitation by malicious actors who can exploit vulnerabilities for various purposes, such as injecting malware or conducting unauthorized activities. Appknox helps in identifying and mitigating such risks through comprehensive security assessments.

Poor user experience

Functional issues and bugs that remain undetected can result in a subpar user experience. Appknox testing ensures the application functions smoothly across different environments, enhancing user satisfaction and minimizing the risk of negative reviews or uninstallations.

Reputation damage

Security breaches and poor app performance can lead to a damaged reputation for both the app and its developers. Appknox helps maintain a positive image by proactively addressing security concerns and ensuring a reliable user experience.

Non-compliance with regulations

Failure to test adequately may lead to non-compliance with industry regulations and data protection laws. Appknox assists in identifying and rectifying compliance issues against standards such as the OWASP Top 10 2023, reducing legal and regulatory risks associated with improper app security practices.

What is the opportunity that you see for your solution in the Middle East?

The Middle East sees a rising trend in app usage across sectors, creating an opportunity for solutions like Appknox to enhance security against evolving cyber threats. The ongoing digital transformation initiatives in the Middle East increase the demand for secure mobile applications, positioning Appknox as a key player. With a growing awareness of cybersecurity threats, businesses in the Middle East seek solutions like Appknox for advanced security testing to protect their digital assets. Finally, strengthening data protection regulations in the Middle East creates an opportunity for Appknox to assist mobile app developers and businesses in ensuring compliance through security testing.

At Appknox, we scanned the top 50 shopping applications across Saudi Arabia and the results are shocking with over 80% of applications at high risk. Here’s a free report that custodians of security in the Middle East might find helpful.

What solutions were showcased at Black Hat?

Appknox’s comprehensive app security helps security teams make their apps completely secure. At Black Hat, we were happy to present our solutions that enable organizations as an extended security team.

SAST – One-click, fully automated static application security testing performed in minutes to improve the time-to-market for a secure mobile application

Automated DAST – Assess the security of your mobile application while it is running in its operational environment on real devices

API – Mobile Specific API security assessment for mobile applications

Store monitoring – Identify the latest version of the mobile app from the App Store and get real-time notifications for unscanned versions on the App Store

Software Bill of Materials (SBOM) – Gain visibility into all the components with binary-based SBOM

Discuss your partnership with Bulwark.

Appknox's global reach ambition was a decision taken in light of the demand for a product like Appknox in the market. And the market responded to it; that's the reason that within 9 years Appknox is catering to 500+ enterprises globally.

With Bulwark, Appknox found a partner who has the same mindset of making the digital world more secure and sound for its users.

Together we aim to provide cutting-edge security solutions tailored to the unique challenges of the GCC market. We are committed to empowering businesses with robust mobile security measures, ensuring a safer digital landscape for organizations across the region.
