AI-Enabled Mobile Vulnerability Detection and Remediation

It is my great pleasure to welcome ImmuniWeb as our first MobileTRUST Alliance partner.  We’re excited about the MobileTRUST Alliance and the power it provides customers to instantly remediate mobile app vulnerabilities.  You can read the details of the MobileTRUST Alliance here. 

One of the very first steps in any organization’s app security lifecycle is to understand where and how your apps are exposed (or at least it should be). And that’s exactly what ImmuniWeb brings to the table as a co-founding member of the alliance. ImmuniWeb has demystified mobile app vulnerability and threat scanning, providing a powerful tool that anybody can use to quickly discover vulnerabilities in mobile apps. ImmuniWeb uses Artificial Intelligence in its mobile scanning tool, enabling customers to scan apps quickly and easily to find and categorize all vulnerabilities by severity, source, with both summary and detailed reports. They offer a community version of their mobile scanning tool that’s freely accessible, fully automated, and doesn’t require source code. This gives customers the ability to quickly identify, categorize, and validate vulnerabilities in any mobile app.

Mobile Security’s Million Dollar Question:  “So Now What?”

But the story does not end there. Mobile developers still need to fix the vulnerabilities found by ImmuniWeb’s scanning tool. Because implementing mobile app security has been largely manual, there are significant numbers of vulnerabilities that go unpatched. Most mobile security solutions require changes to the mobile app source code. That’s invariably a complex and time-consuming affair that requires specialized expertise which the mobile dev team likely doesn’t possess. In addition, adding mobile app security into the source code of an app does not fit within the modern continuous delivery (CI/CD) processes followed by mobile development teams, where daily or hourly builds are not uncommon. As a result, mobile app security often lags behind mobile app feature development, and that gap usually widens over time.

Appdome MobileTRUST: Turn Data into Action

Here’s where Appdome enters into the picture. Appdome helps ImmuniWeb and its customers answer the “So now what?” question. In other words, how do customers take all the great data provided by the ImmuniWeb scan results and do something about it? How do they go about fixing the security vulnerabilities (all in the context of expertise gaps, resource shortfalls, rapid release cycles, and skill-set mismatches – all part of the daily struggle for mobile dev teams).

We announced the MobileTRUST Alliance squarely to answer this question, no matter where you find the threat. Appdome’s no-code mobile security and solutions platform enables customers to deliver instant remediation for mobile app threats and vulnerabilities on the spot, without any coding dependencies. Appdome created a technology and solution to solve the human challenge of coding security to mobile apps, using automation (not manual coding) to build security into mobile apps quickly and easily.

As part of the MoibileTRUST Alliance, Appdome and ImmuniWeb have created a joint solution that enables customers to find mobile app security vulnerabilities rapidly, then fix them instantly all as part of a continuous workflow – And this works for every iOS and Android app on the planet, without requiring access to source code at any point in the process.

“ImmuniWeb and Appdome address a key pain point for mobile app developers, who are struggling to rapidly release new and updated apps that are also secure. The MobileTRUST Alliance’s goal is to make finding and fixing mobile app security vulnerabilities a simple and effective process, so developers can focus on what they do best: delivering compelling features to delight their customers.”

Ilia Kolochenko, CEO at ImmuniWeb

The way we see it, the ‘find’ and the ‘fix’ are 2 integral components of the same continuous process. Stated differently, ImmuniWeb is the ‘yin’ to Appdome’s ‘yang’, and together as part of the MobileTRUST Alliance, we enable customers to complete the mobile app security life cycle end-to-end with a closed-loop solution.  Ok, that’s enough theorizing, let me show you how this actually works by running a real app through the joint solution end-to-end.

Below is a “Before” and “After” comparison that illustrates the end-to-end process. I ran a large e-commerce provider’s mobile app through the ImmuniWeb scanner and found a bunch of vulnerabilities (ie: the ‘before). I then uploaded the vulnerable app to Appdome and implemented Appdome mobile app security to fix the vulnerabilities. Finally, I scanned the new Appdome-built app again, demonstrating that I was able to remediate the vulnerabilities. Below are the details. Again, this can be done for any iOS or Android app.

Find Vulnerabilities using ImmuniWeb

Customers upload any app binary (.apk or .ipa) to ImmuniWeb’s free Mobile scan tool, which leverages Artificial Intelligence to find and categorize threats in minutes via an automated process. ImmuniWeb automatically analyzes the app top to bottom, conducting a wide range of in-depth security scans to find vulnerabilities in the apps business logic as well as its internal and external communications paths, structural components, data handling and areas of exposure. It deeply inspects authentication methods and resources, encryption techniques, code injection and hygiene, data input methods and more.

Minutes later, ImmuniWeb automatically returns a summarized and categorized view of all vulnerabilities, along with drill-down capabilities and a PDF of the full report.

Below are the summary results after scanning a mobile e-commerce app using ImmuniWeb.

Use Appdome to Fix Vulnerabilities Instantly 

After finding vulnerabilities with ImmuniWeb, customers upload the vulnerable app to their Appdome account and select the relevant features from Appdome’s no-code Mobile App Security Suite to remediate the vulnerabilities in about a minute. When customers click Build My App, Appdome’s AI-enabled code generation and dynamic assembly engine automatically implements the chosen mobile app security features and delivers a new secure version of the app. 

Build My App Button | Appdome

Appdome works with any mobile app – no matter how the app is built. Implementing mobile app security on Appdome takes about 1 minute and does not require any development knowledge or security expertise.

Below are the ImmuniWeb scan results of the same e-commerce app after implementing Appdome’s Mobile App Security Suite and rescanning the app. The results speak for themselves.

In summary, by using both ImmuniWeb and Appdome, I was able to identify and solve 7 OWASP Mobile Top 10 vulnerabilities and over 150 coding deficiencies inside this mobile app in under 20 minutes without any development.

While I can’t provide the name of the app, I would be happy to share details on the specific Appdome security features I implemented to achieve the results above. That would enable you to validate the solution on your own. Feel free to drop me a line at alan@appdome.com!  We’d love to hear your feedback.