Vetting mobile apps for corporate use:
Security essentials
© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
NowSecure #MobSec5
Weekly mobile security news update
SUBSCRIBE NOW:
www.nowsecure.com/go/subscribe
Katie Strzempka
VP Customer Success & Services | NowSecure
Contents
● What’s the problem? Reasons for mobile app vetting
● How should enterprises approach mobile app vetting?
● Summary and next steps
● Questions
Why vet mobile apps?
Have you had a data breach due to an insecure mobile app?
Almost half of IT security professionals reported:
● Likely,
● Most likely,
● Or certainly have
Ponemon Institute 2017 Study on Mobile and IoT Application Security
https://www.arxan.com/wp-content/uploads/2017/01/2017_Security_IoT_Mobile_Study.pdf
Apps available for download as of March 2017:
● Apple App Store: 2.2 million
● Google Play: 2.8 million
https://www.statista.com/statistics/276623/number-of-apps-available-in-leading-app-stores/
How might third-party apps leave you exposed?
Local storage of sensitive data
No (or weak) encryption
Improper certificate validation
Configuration manipulation
Dynamic runtime injection
Unintended permissions
Escalated permissions
Vulnerable/insecure third-party libraries, components, and server connections might also put you at risk
Mobile apps are vulnerable
We identified at least one high-risk security or privacy flaw in 25 percent of mobile apps.
NowSecure Mobile Security Study
https://www.nowsecure.com/ebooks/2016-nowsecure-mobile-security-report/
Most apps are not tested for vulnerabilities
On average, 70 percent of mobile apps are not tested for vulnerabilities.
Ponemon Institute 2017 Study on Mobile and IoT Application Security
https://www.arxan.com/wp-content/uploads/2017/01/2017_Security_IoT_Mobile_Study.pdf
The third-party mobile app security problem extrapolated
(the 70 percent untested and 25 percent vulnerable rates above applied to the March 2017 store counts)
Store                 | Untested apps | Vulnerable apps
The Apple App Store   | 1.5 million   | 550 thousand
The Google Play Store | 1.9 million   | 700 thousand
What is mobile app vetting?
Definition from NIST
National Institute of Standards and Technology, SP 800-163
App vetting process: a sequence of activities that aims to determine if an app conforms to an organization’s security requirements.
The essentials:
● Develop mobile app security requirements
● Assess apps against those requirements
● Approve or reject apps based on results
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-163.pdf
Security teams can’t keep up without automation
● New App Store submissions in Dec. 2016
○ 59K apps
○ 25K games
● 140B cumulative App Store downloads as of Sep. 2016
● Too many new apps and subsequent updates
● Automation is necessary to get any visibility
Sources: New apps/games submitted to App Store 2012 - 2016 (Statista); Apps downloaded (cumulative) from App Store 2008 - 2016 (Statista)
https://www.statista.com/statistics/263794/number-of-downloads-from-the-apple-app-store/
How to do mobile app vetting:
Keeping watch over risk
Minimum mobile app security requirements should cover:
● Data storage
● Data transmission
● Authentication
● Authorization
● Reverse-engineering / code analysis
Tools needed to assess apps against those requirements
✓ Tests/checks need to cover each of your requirements
○ Data storage
○ Data transmission
○ Authentication
○ Authorization
○ Reverse engineering / code analysis
✓ iOS and Android testing capabilities
✓ Automation capabilities (or you’ll drown in backlog)
○ New apps published every day
○ And subsequent updates
Example criteria for vetting mobile apps
Criteria                          | Weight (examples) | Poor                                          | Strong
Data storage                      | 25%               | Sensitive data in log files, app folder, etc. | Data encrypted or not stored at all
Data transmission                 | 40%               | No encryption (HTTP)                          | Encryption (HTTPS) and certificate pinning
Authorization                     | 10%               | More than necessary                           | Only essential privileges
Authentication                    | 15%               | None                                          | OAuth / PBKDF2
Reverse-engineering/Code analysis | 10%               | Debugging enabled                             | Code obfuscation and anti-tamper protection
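Several of the "Poor" cells above can be checked statically from an app's manifest before any dynamic testing. The script below is an added example, not NowSecure's tooling or anything from the deck: it parses a decoded (plain-XML) AndroidManifest.xml and reports findings keyed by the criterion they affect. The package name, the permission allowlist and both manifests are constructed for illustration; the severities are this example's assumptions.

```python
"""Static manifest checks mapped to the deck's vetting criteria.

Added example (not NowSecure's tooling): parses a decoded AndroidManifest.xml
and reports findings keyed by the criterion they affect. The policy allowlist
and both manifests below are constructed for illustration."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Hypothetical policy allowlist: what a corporate messaging app is expected to need.
ALLOWED_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.CAMERA",
}

# Constructed "poor" manifest: debuggable, backup enabled, pre-28 target SDK
# with no usesCleartextTraffic attribute, and two permissions outside the policy.
POOR_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.corpchat">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="27"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="CorpChat" android:debuggable="true"
      android:allowBackup="true"/>
</manifest>"""

# Constructed "strong" manifest for the same app after remediation.
STRONG_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.corpchat">
  <uses-sdk android:minSdkVersion="23" android:targetSdkVersion="28"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="CorpChat" android:debuggable="false"
      android:allowBackup="false" android:usesCleartextTraffic="false"/>
</manifest>"""


def _attr(elem, name, default=None):
    """Read an android:-namespaced attribute, or default if elem/attr is absent."""
    if elem is None:
        return default
    return elem.get(ANDROID + name, default)


def check_manifest(xml_text, allowed_permissions=ALLOWED_PERMISSIONS):
    """Return a list of (criterion, severity, message) findings."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    target_sdk = int(_attr(root.find("uses-sdk"), "targetSdkVersion", "0"))
    findings = []

    # Reverse-engineering / code analysis: a debuggable build accepts a debugger
    # from anyone with adb access, exposing runtime state and decrypted traffic.
    if _attr(app, "debuggable", "false") == "true":
        findings.append(("Reverse-engineering/Code analysis", "high",
                         "android:debuggable is true"))

    # Data transmission: cleartext HTTP is allowed when the attribute is true, or
    # when it is absent and targetSdkVersion is below 28 (the platform default).
    cleartext = _attr(app, "usesCleartextTraffic")
    if cleartext == "true" or (cleartext is None and target_sdk < 28):
        findings.append(("Data transmission", "high",
                         "cleartext (HTTP) traffic is permitted"))

    # Data storage: with allowBackup left at its default of true, app-private
    # files can be pulled off the device through the backup mechanism.
    if _attr(app, "allowBackup", "true") == "true":
        findings.append(("Data storage", "medium",
                         "android:allowBackup is not disabled"))

    # Authorization: every requested permission must be on the policy allowlist.
    for perm in root.iter("uses-permission"):
        name = _attr(perm, "name", "")
        if name not in allowed_permissions:
            findings.append(("Authorization", "medium",
                             "permission outside policy: " + name))
    return findings


def worst_by_criterion(findings):
    """Collapse findings to criterion -> worst severity, for the scoring sheet."""
    rank = {"high": 2, "medium": 1, "low": 0}
    worst = {}
    for criterion, severity, _ in findings:
        if rank[severity] > rank.get(worst.get(criterion), -1):
            worst[criterion] = severity
    return worst


if __name__ == "__main__":
    for criterion, severity, msg in check_manifest(POOR_MANIFEST):
        print(f"[{severity}] {criterion}: {msg}")
    print("remediated manifest findings:", check_manifest(STRONG_MANIFEST))
```

Manifest checks only cover what the manifest can reveal: they say nothing about what the app actually writes to disk or sends over the network, which is why the deck pairs static checks with dynamic testing of data storage and transmission on a real iOS or Android device.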
Example: Corporate messaging app
Criteria                          | Weight (examples) | Findings
Data storage                      | 25%               | Username stored locally; nothing else
Data transmission                 | 40%               | Username, password sent unencrypted
Authorization                     | 10%               | App only requests the permissions it needs
Authentication                    | 15%               | App requires login for each use
Reverse-engineering/Code analysis | 10%               | No major issues identified
So an app has a security flaw, now what? Model the threat
● Threat models are specific to the organization
● Answer questions about various threat scenarios
○ What assets are at risk?
○ Where/what are the entry points?
○ How easy is the vulnerability to exploit?
○ What could the impact be?
○ Etc.
● With a holistic view, you can decide whether you have the appetite for accepting any particular mobile app risk
https://www.owasp.org/index.php/Application_Threat_Modeling
Two (of many) possible threat scenarios
● Lost/stolen device. Relevant app criteria: data storage, authentication
● Insecure WiFi. Relevant app criteria: data transmission, authentication
Example of connecting a finding with threat scenarios
Finding: Username, password sent unencrypted
● Lost/stolen device. Analysis: data storage ✓, authentication ✓
● Insecure WiFi. Analysis: data transmission Ⓧ, authentication ✓
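The weighted criteria and the scenario mapping from the last few slides can be combined into one repeatable decision. The script below is an added example, not from the deck or NowSecure: it uses the deck's example weights, the two threat scenarios and the messaging-app findings, and adds a second, constructed app to show why a weighted average on its own is not enough. The 0..1 criterion scores, the approval threshold and the verdict rules are this example's assumptions.

```python
"""Weighted vetting score with a threat-scenario gate.

Added example (not from the deck or NowSecure): uses the deck's example weights,
threat scenarios and messaging-app findings; the 0..1 criterion scores, the
approval threshold and the verdict rules are this example's assumptions."""

WEIGHTS = {
    "Data storage": 0.25,
    "Data transmission": 0.40,
    "Authorization": 0.10,
    "Authentication": 0.15,
    "Reverse-engineering/Code analysis": 0.10,
}

# Threat scenarios from the deck and the criteria each one depends on.
THREAT_SCENARIOS = {
    "Lost/stolen device": {"Data storage", "Authentication"},
    "Insecure WiFi": {"Data transmission", "Authentication"},
}

# Criterion -> (score, finding). Score 1.0 is the "Strong" column, 0.0 is "Poor";
# the intermediate value for data storage is assumed.
MESSAGING_APP = {
    "Data storage": (0.8, "Username stored locally; nothing else"),
    "Data transmission": (0.0, "Username, password sent unencrypted"),
    "Authorization": (1.0, "App only requests the permissions it needs"),
    "Authentication": (1.0, "App requires login for each use"),
    "Reverse-engineering/Code analysis": (1.0, "No major issues identified"),
}

# Constructed second app: scores well overall but ships a debuggable build.
DEBUGGABLE_APP = {
    "Data storage": (1.0, "No sensitive data stored locally"),
    "Data transmission": (1.0, "HTTPS with certificate pinning"),
    "Authorization": (1.0, "Only essential permissions"),
    "Authentication": (1.0, "Login required for each use"),
    "Reverse-engineering/Code analysis": (0.0, "Debugging enabled"),
}

POOR = 0.0               # a criterion at "Poor" is a blocking finding
APPROVE_THRESHOLD = 0.7  # assumed cut-off for a score-only approval


def weighted_score(findings, weights=WEIGHTS):
    """Weighted average of criterion scores; weights must sum to 1."""
    assert abs(sum(weights.values()) - 1.0) < 1e-9, "weights must total 100%"
    return sum(weights[c] * findings[c][0] for c in weights)


def exposed_scenarios(findings, scenarios=THREAT_SCENARIOS):
    """Map each threat scenario to the criteria that fail for this app."""
    exposed = {}
    for scenario, criteria in scenarios.items():
        failing = sorted(c for c in criteria if findings[c][0] <= POOR)
        if failing:
            exposed[scenario] = failing
    return exposed


def decide(findings):
    """Verdict rules (assumed): a blocking finding that reaches a modelled threat
    scenario rejects outright; a blocking finding that no scenario covers goes to
    the threat-modelling step ("review"); otherwise the weighted score decides."""
    score = round(weighted_score(findings), 2)
    blocking = sorted(c for c, (s, _) in findings.items() if s <= POOR)
    exposed = exposed_scenarios(findings)
    if exposed:
        verdict = "reject"
    elif blocking:
        verdict = "review"
    elif score >= APPROVE_THRESHOLD:
        verdict = "approve"
    else:
        verdict = "review"
    return {"score": score, "verdict": verdict,
            "blocking": blocking, "exposed": exposed}


if __name__ == "__main__":
    for name, app in (("messaging app", MESSAGING_APP),
                      ("debuggable app", DEBUGGABLE_APP)):
        print(name, decide(app))
```

The messaging app scores 0.55 and is rejected because its one failing criterion, data transmission, is exactly what the insecure-WiFi scenario depends on. The constructed second app scores 0.9, which a threshold alone would approve, yet its debuggable build is a "Poor" finding that neither of the deck's two scenarios covers; sending it to review rather than approving it is the point of the threat-modelling step.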
Approving/rejecting an app
● Does the developer publish a disclosure policy / can you work with them?
○ Reach out and encourage them to remediate the issue
○ If possible, suspend use of the app until the issue is fixed
● Can you blacklist the app?
● If you can’t work with the developer or blacklist the app
○ Document known vulnerabilities in a risk register
■ Track and share with risk assessment teams
■ Review the risk register in the event of an incident
○ Provide “safe use” instructions for the app, for example:
■ Ensure the device runs the latest updates
■ Avoid using the app over public / unsecured WiFi
Mobile app vetting in action:
Customer case study
Customer case study: Monitoring app updates
Background
A large organization allows staff to use mobile apps but is aware of the security risks.
Problem
Many employees use the same apps, and updates to those apps can introduce security risks. The security team needs visibility into the security posture of new versions.
Solution
The security team receives NowSecure security intelligence about new app versions as they’re released, including a security score and findings prioritized by risk.
How NowSecure can help
Monitoring third-party apps via automated
static and dynamic app security analysis
● Continuous third-party app monitoring
● Deep visibility into behaviors & security
● Reduce risk & ensure compliance
Timely, meticulous vulnerability and compliance data about third-party apps
Summary & next steps
Three key takeaways
1. Mobile apps increase risk
2. Don’t rely on app store vetting
3. Assess apps against YOUR requirements
Practical next steps
Next month:
Identify gaps in existing policies and inventory mobile apps currently in use
Next quarter:
Begin evaluating tools and developing processes to vet mobile apps
Next six months:
Vet every single mobile app used within your organization
Let’s talk
NowSecure
+1 312.878.1100
@NowSecureMobile
www.nowsecure.com
Subscribe to #MobSec5
A digest of the week’s mobile security news that matters
https://www.nowsecure.com/go/subscribe