What the Heartbleed Bug Means to App Developers: Testdroid Has You Covered!


Dear Testdroiders,

You have probably read about the serious vulnerability in the popular OpenSSL cryptographic library, a.k.a. the Heartbleed Bug (CVE-2014-0160). A missing bounds check in OpenSSL's TLS heartbeat handling lets a remote peer read up to 64 KB of the process's memory per heartbeat, so information that SSL/TLS normally protects (private keys, session cookies, credentials) can be stolen. OpenSSL 1.0.1 through 1.0.1f are affected; 1.0.1g fixes it. For mobile developers the important point is that this is not only an OS-level problem: Google reported that only Android 4.1.1 shipped an affected OpenSSL, but any app that bundles its own copy of OpenSSL (statically linked native code, or a third-party SDK that embeds it) remains exploitable until that copy is updated, whatever the device's OS version.

Early last year we announced a Testdroid integration with Appcheck from Codenomicon, whose researchers independently discovered this bug. Appcheck scans a mobile app binary and lists all known vulnerabilities in it.

Security Testing

Testdroid + Appcheck = Available for App Devs

Testdroid Cloud and Testdroid Enterprise provide an integration with Codenomicon's security test suite, APPCHECK, which scans applications and lists the known vulnerabilities and software licenses associated with the code and libraries they contain. This security test feature uncovers third-party code and libraries, both open source and proprietary, and enumerates their CVE (Common Vulnerabilities and Exposures) identifiers as well as the associated software licenses. You just need to upload an APK or IPA file to find out what is inside; no source code is required, and the results arrive in about a minute.

Identifying third-party code, its vulnerabilities and its licenses is critical to understanding your security exposure and your liability. Testdroid's security and vulnerability service uses Codenomicon's patent-pending binary scanning technology to provide the following key functions:

  • Identify third-party software packages and libraries
  • Identify the binding software licenses for third-party code in the scanned application
  • Identify vulnerabilities in third-party components that could be security risks in your application
  • Easy-to-use interface: just press a button to upload your binary, and results are delivered in about a minute

[Screenshot, 2014-04-10]

Who will find this service extremely useful?

One good example is mission- and safety-critical applications such as mobile banking and payment apps. Mobile banking and the use of mobile devices to carry out financial transactions have become prominent around the world. With the proliferation of mobile devices (and banking apps), millions of end users expect to have their financial data at their fingertips, and banks and financial service companies face new challenges in building secure applications for their customers. This integration helps ensure that such an app runs correctly, and without known vulnerable components, on a whole array of different devices.

The second example is video streaming and media service applications. Their data is valuable to users, so malicious software (or people) can target it, and a vulnerability in a streaming app can cause severe problems for the people using it. As application updates through Google Play are pushed out automatically, it is also very important to make sure those apps work well on all Android devices.

Finally, any mobile app or game developer who embeds open source components in their app should take a look at this service. It provides excellent information about those components, plus information about potential vulnerabilities in the applications shipped to end users.

Security Checklist for Mobile App Developer

Here are some things to check while developing your app, and definitely before publishing it to the app stores:

  • Be proactive about robustness and security testing! The more you test for security, the better your app will be for its users, and this does not have to be a manual process. More about this here.
  • Know every third-party software package and library you use. You should have a good overview of how those components work, what security threats come with them, and how those threats would affect users of your application.
  • Know the binding software licenses in third-party code. At the end of the day it is your responsibility as a developer to make sure you may ship third-party code as part of your app, and to understand what its license requires of you. Some licenses (copyleft licenses such as the GPL) can require you to publish your own source code, which is probably not something you want to discover after release.
  • Find real vulnerabilities in third-party components that could be security risks in your application. Attackers are good at finding vulnerabilities and will put significant effort into exposing flaws in your app. When building your mobile app, think like an attacker, in a controlled manner, and make sure there are no known vulnerabilities in your app or in the components it bundles!
  • Remember! Open source and third-party components evolve constantly. Be aware of the new vulnerabilities and threats that come with each updated version of those components, and re-scan whenever you upgrade a dependency, not only at first release.
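One way to do the bundled-library check from the list above yourself, at least for OpenSSL: every OpenSSL build compiles its version banner (OPENSSL_VERSION_TEXT, for example "OpenSSL 1.0.1f 6 Jan 2014") into libcrypto, so a statically linked copy hidden inside an app's native libraries can be found with a string search and no source code. The script below is an added example, not Appcheck's scanner or any Testdroid code. It builds a constructed sample APK in memory (an APK is an ordinary zip file) with two hypothetical .so files, and flags the one carrying a Heartbleed-affected version.

```python
import io
import re
import zipfile

# OpenSSL compiles OPENSSL_VERSION_TEXT into libcrypto, e.g. b"OpenSSL 1.0.1f 6 Jan 2014".
# Requiring the date tail cuts down false positives from unrelated "OpenSSL x.y.z" strings.
BANNER = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+(?:[a-z]|-beta\d)?) \d{1,2} [A-Z][a-z]{2} \d{4}"
)

# Heartbleed (CVE-2014-0160): OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 are
# affected; 1.0.1g (7 Apr 2014) is the first fixed release. The 0.9.8 and 1.0.0
# branches never contained the heartbeat code and are not affected.
HEARTBLEED_VERSIONS = {
    "1.0.1", "1.0.1a", "1.0.1b", "1.0.1c", "1.0.1d", "1.0.1e", "1.0.1f",
    "1.0.2-beta1",
}


def scan_apk(apk_bytes):
    """Scan every native library (lib/<abi>/*.so) in an APK for OpenSSL banners.

    Returns a list of (library path, version, heartbleed_affected) tuples, one
    per banner found, in archive order. An empty list means no banner was seen,
    which is inconclusive: a stripped or renamed copy is not detected this way.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            data = apk.read(name)
            for match in BANNER.finditer(data):
                version = match.group(1).decode("ascii")
                findings.append((name, version, version in HEARTBLEED_VERSIONS))
    return findings


def build_sample_apk():
    """Constructed sample APK (hypothetical contents, not a real app).

    An APK is a plain zip, so scan_apk() runs unchanged on a real one. The fake
    .so bodies are only an ELF magic, padding and a banner string.
    """
    fake_elf = b"\x7fELF" + b"\x00" * 60
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        # A hypothetical vendor payments SDK that statically linked an affected OpenSSL.
        apk.writestr(
            "lib/armeabi-v7a/libpayments_sdk.so",
            fake_elf + b"OpenSSL 1.0.1f 6 Jan 2014\x00" + b"\x00" * 16,
        )
        # The app's own libcrypto, already rebuilt on the fixed release.
        apk.writestr(
            "lib/x86/libcrypto.so",
            fake_elf + b"OpenSSL 1.0.1g 7 Apr 2014\x00",
        )
    return buf.getvalue()


if __name__ == "__main__":
    # Example run over the constructed sample.
    for path, version, affected in scan_apk(build_sample_apk()):
        status = "AFFECTED by CVE-2014-0160" if affected else "not affected"
        print(f"{path}: OpenSSL {version} -> {status}")
```

A banner match is evidence, not proof: distribution and vendor builds sometimes backport a fix without changing the version string, so a "1.0.1e" hit is a component to verify rather than a confirmed hole, and the absence of a hit is inconclusive because a copy can be built with the banner stripped or live under a renamed library. That is why a dedicated scanner's results are worth more than this quick check, and why the check is most useful as a first pass before upload.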


Appcheck can be purchased here.
