Hardening Mobile Apps

My favorite software book of all time is The Mythical Man-Month by Fred Brooks. It’s a wonderful little classic, whose primary message is still so right-on-the-money. Brooks is the guy, for example, who shared the following: “Adding manpower to a late project makes it later.” That terse statement might be the most profound advice ever uttered on the correct management of software projects. And Brooks said it nearly forty years ago.

My guess is that – if written today – that iconic book would have to be titled The Mythical Man-Minute. Today’s software ecosystem moves so fast that it literally brags processes that invoke sprinting. New features, we are told, must be developed quickly enough to satisfy the voracious appetite of users. And this phenomenon of going faster, faster, faster is at its most intense in the creation of mobile apps, regardless of the domain.  

I was thinking about cyber security in the context of mobile app software development this past week while talking with the expert principals of NowSecure. Founded a decade ago by mobile security expert Andrew Hoog, the Chicago-based company provides a platform for testing the security of mobile app software and supporting services. And yes, the NowSecure team understands the requirement to support high velocity in this important discipline.

“In addition to dealing with the speed of mobile app development,” said Hoog, “our security test platform also focuses on accuracy and efficiency. We know that to provide mobile app security testing in the modern SDLC, we must address our customers’ mission objectives. And this is true for all aspects of the ecosystem, including third-party and business-critical apps.” Hoog took me through the elements of the platform. Here’s what I learned:

The NowSecure solution is an automated mobile app security test suite available on-demand or plugged into the software process. Users can access the platform via the cloud, via integrations into their dev toolchain, or through a pre-configured workstation that supports vulnerability management. Domain support covers all aspects of mobile app software security and privacy, including security testing for complex IoT, 2FA, and device touch.

The platform supports the mobile app penetration tester with focus on consistent, repeatable probing. NowSecure offers hands-free automation, auto-generation of test reports, and professional consultation when needed “As a company, we support and leverage many open source tools such as Frida, Radare, and Capstone in our solution,” Hoog explained. “This aspect of our design is important to the white hat test community we support.”

The strategies used start with familiar static tests to highlight path traversal, bad authentication, and the usual sorts of problems identifiable from code perusal. The tool also includes dynamic analysis to detect world-writeable files, weird use of RAM storage, and so on. Finally, the tool employs behavioral analytics to find man-in-the-middle issues, unprotected TLS, and so on. The result is extensive security checking for your mobile app.

An advantage NowSecure offers is improved visibility into the security risks of mobile apps in Apple AppStore and Google Play. Poor visibility into third-party apps might be one of the greatest mistakes in modern enterprise security. That is, controls are often put in place across the enterprise for everything imaginable, and then apps are downloaded from public stores with no understanding of the security consequences. NowSecure helps in that area.

Let me digress to say that as an analyst, I cannot resist injecting my opinion into technical and market discussions with any security technology company (and I also cannot resist including such subjective commentary in articles like this). So, with NowSecure, my view is that their technical ability to slide into the mobile app software process should enable much more types of software analyses beyond just the goal of improving cyber security.

Perhaps as the company continues to grow – the team is currently approaching sixty staff – they will expand their security analysis of mobile apps to address issues with privacy, performance, resource utilization, power consumption, and the like. These are all essential properties for successful enterprise mobile apps, and my view is that NowSecure looks well-positioned to expand into these adjacent areas. I guess we’ll have to wait and see.

If you are a mobile-first organization, or if you use or develop mobile app software to support your business (and I guess this includes everyone), then I think it would be a fine idea to learn more about the NowSecure offering. Security controls for mobility will increase in their intensity at both the security and compliance levels, so whether you decide to do this or not will soon be a moot point: Eventually you will have no choice.

So, give the folks at NowSecure a call – and as usual, please share what you’ve learned.