Mobile apps arguably have the greatest number of security flaws of any enterprise system – and no one seems to know much about them. Mobile app security flaws are numerous across all types of business apps. But why?
Perhaps it’s the mentality that “it’s just an app” or the reality that many business owners, especially those in smaller businesses who might not have advanced security, fall for the marketing hype of “we’ve got to have a mobile app,” without including security in the discussion. Mobile apps are as complex as ever, yet the security flaws are very predictable – and the bad guys know it.
Recent examples of the technical security flaws in mobile apps I’ve found include:
Vulnerabilities such as these can quickly create business risks, not to mention compliance gaps for PCI DSS, HIPAA and so on.
What does it take to find and eliminate these security flaws or, better yet, avoid them altogether? These things are largely dependent on acknowledging the challenges in the first place. Mobile apps need to be part of your information risk management program which means that they need to be tested ideally during the SDLC or, worst-case, during ongoing security assessments or after any code or application environment changes are made. You need to look at your mobile apps from the perspectives of penetration testing, forensics, and source code analysis because they’re all going to uncover different things.
I’m also a big proponent of using resources from outside parties – especially when they’re free. Good examples include the following:
Mobile apps not only present great business opportunities but also opportunities for ill-gotten gains. Even if they are seemingly benign marketing or field apps that process and store nothing of value, they can serve as an entry point or steppingstone into a bigger environment that can be used against you and your business. You wouldn’t let that happen with web applications – mobile apps should be no different.
Dig deeper into the current State of Mobile Application Security in our latest research here!
Sign up today & never miss an update from the Checkmarx blog
Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.
Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.