Using a Top 50 mobile app from your favorite App Store? Chances are it contains a critical vulnerability.
According to research to be released soon by Brian Reed and his team at NowSecure, 10-15% of the top 50 apps in any category of your favorite mobile App Store have one or more critical vulnerabilities, meaning a Common Vulnerability Scoring System (CVSS) score of 8 or higher. And we’re talking production apps from Fortune 500 companies here, folks.
How is this possible?
According to Reed, a few things stand out:
- Use of third-party libraries has increased, and so has the number of known vulnerabilities in those libraries.
- Companies are NOT updating and re-submitting the applications that use these libraries, even when patches already exist.
- The above assumes the company is aware of the vulnerabilities in the first place; many assessment tools delivered as SAST (Static Application Security Testing) or DAST (Dynamic Application Security Testing) cannot get at the runtime behavior that a binary assessment uncovers.
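The second point, shipped apps pinned to library versions for which a fix already exists, is the kind of thing a build-time dependency check catches before submission. The following is an added example, not NowSecure's tooling or anything from the research; the Gradle-style dependency block, the advisory feed, and every library name, version, identifier and CVSS score in it are constructed for illustration. It parses the declared dependencies, checks each against an advisory's affected range, and reports those at or above a CVSS threshold (8.0 by default, matching the threshold used above).

```python
"""Minimal software-composition check: flag declared third-party
dependencies that fall inside a known-vulnerable version range for
which a fixed version exists.

Added example only. All package names, versions, advisory identifiers
and CVSS scores below are hypothetical, constructed for this demo.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    adv_id: str      # hypothetical advisory identifier
    package: str     # "group:artifact" as declared in Gradle
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive upper bound)
    cvss: float      # hypothetical CVSS base score


# Constructed Gradle dependency block (hypothetical libraries).
GRADLE_DEPS = """
dependencies {
    implementation 'com.example.net:httpcore:2.3.1'
    implementation 'com.example.img:picloader:1.8.0'
    implementation 'com.example.ads:adkit:4.0.2'
}
"""

# Constructed advisory feed (hypothetical identifiers and scores).
ADVISORIES = [
    Advisory("ADV-0001", "com.example.net:httpcore", "2.0.0", "2.4.0", 9.1),
    Advisory("ADV-0002", "com.example.img:picloader", "1.0.0", "1.8.0", 8.2),
    Advisory("ADV-0003", "com.example.ads:adkit", "4.0.0", "4.0.3", 5.4),
]


def parse_version(v: str) -> tuple:
    """Turn '2.3.1' (or '2.3.1-beta') into a comparable tuple of ints.
    Only the leading digits of each dotted component are used; a
    component with no digits sorts lowest."""
    parts = []
    for component in v.split("."):
        m = re.match(r"(\d+)", component)
        parts.append(int(m.group(1)) if m else -1)
    return tuple(parts)


def parse_gradle_deps(text: str) -> dict:
    """Return {'group:artifact': 'version'} for implementation/api/compile
    declarations using the quoted 'group:artifact:version' form."""
    pat = re.compile(
        r"""(?:implementation|api|compile)\s+['"]([^:'"]+:[^:'"]+):([^'"]+)['"]"""
    )
    return {m.group(1): m.group(2) for m in pat.finditer(text)}


def affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def find_unpatched(deps: dict, advisories: list, min_cvss: float = 8.0) -> list:
    """Return (package, declared_version, advisory_id, fixed_version, cvss)
    for every declared dependency inside an affected range whose score
    meets the threshold. A dependency already at the fixed version is
    not reported."""
    findings = []
    for adv in advisories:
        declared = deps.get(adv.package)
        if declared is None:
            continue
        if adv.cvss >= min_cvss and affected(declared, adv):
            findings.append((adv.package, declared, adv.adv_id, adv.fixed, adv.cvss))
    return sorted(findings)


if __name__ == "__main__":
    for pkg, ver, adv_id, fixed, score in find_unpatched(parse_gradle_deps(GRADLE_DEPS), ADVISORIES):
        print(f"{pkg} {ver}: {adv_id} (CVSS {score}), fixed in {fixed}")
```

With the constructed data, only httpcore 2.3.1 is reported: picloader 1.8.0 is already the fixed version, and adkit 4.0.2 is affected but scores below the 8.0 threshold (lower `min_cvss` to see it). A real check would read the resolved dependency graph rather than the declaration file, since transitive dependencies are where most of the unpatched libraries hide.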
When app developers work with NowSecure, they get a solution built around an attacker's mindset. NowSecure's behavioral assessment of the binary looks for vulnerabilities not only in the reverse-engineered code but also in how the application behaves at runtime, which can differ across vendor flavors and versions of the mobile OS.
As Reed explains, his clients can now hire creative people to use the tools NowSecure provides, so that their analysts tackle the harder problems while their developers focus on building better applications, with automated testing covering the security assessment part of their DevSecOps lifecycle.
For more updates from Black Hat Conference 2018, visit: