In a previous blog, Gil Hartman, our VP of Engineering, detailed how Appdome can help protect mobile apps against all OWASP Mobile Top 10 risks.
Last week, one of our partners in Latin America introduced me to the Free OWASP Mobile App Security Test from ImmuniWeb. What a great tool! They were using the tool to test the vulnerability of mobile apps on behalf of a customer, including the pre- and post- Appdome security features in the Appdome-built app.
The target app was from the Food & Drink category in Google Play. We have no affiliation with the ImmuniWeb product. This blog covers the results of this independent test of Appdome security.
OWASP Mobile App Security Results: Pre-Appdome
The user ran the ImmuniWeb OWASP Mobile App Security Test on the target app. When you run the ImmuniWeb test, you get a high-level result of the vulnerabilities and issues found by the tool. Behind each result, users can access a detailed report on all the issues the test found. In this case, the high-level result found issues in all 5 categories tested. Here is what the test found on the pre-Appdome (original) app:
The ImmuniWeb scan revealed multiple vulnerabilities in the target application, including 6 out of 10 of the OWASP Top 10 Mobile Threats, software vulnerabilities and more. Needless to say, the security posture of this mobile app could be improved greatly.
Building a Secure Version of the App
To build a fully secure version of the target mobile app, the user selected the relevant mobile app security features in the Appdome Mobile Security Suite. After that, the user clicked “Build My App” and the Appdome platform takes care of building security in the the new app.
Here are the mobile security features used to secure the app via Appdome. All features are available using Appdome today:
- TOTALData Encryption – Data-at-Rest and Data-in-Use Encryption; Encryption of in-app preferences, strings and resources; In-App Generated Seed; FIPS 140-2 Cryptography and AppCode Packer.
- TOTALCode Obfuscation – native and non-native code obfuscation and flow relocation
- OS Integrity – Root prevention, preventing the app from running on a device that allows unknown sources and developer options, prevent the app from running on an emulator
- Secure Communications – Trusted Session with MiTM attack prevention and Session Control to enforce TLS version, strong RSA signature, strong ECC signature, SHA256 Digest and Certificate Roles.
- ONEShield by Appdome – Anti-debugging, anti-tampering and anti-reversing as well as checksum validation, preventing from running on a simulator, and app integrity and structure scan.
Once these features are selected, the user clicked:
And 30 seconds later, Appdome produced a newly secured version of the target app.
The app is then signed. After that, the user ran the same OWASP test in ImmuniWeb, this time scanning the new version of the app with the mobile app security features from Appdome. The results were amazing!
OWASP Mobile App Security Results: Post-Appdome
The Immuniweb test takes about 25 minutes depending on your bandwidth. For me, it was 25 minutes of excited anticipation. Based on the mobile app security features chosen, all security vulnerabilities were solved! Appdome delivered instant remediation for otherwise vulnerable mobile apps in minutes. The test results are shown below:
Note 1: I selected “Prevent Emulators” so the app cannot run on x86 Emulators, hence the DAST message.
Note 2: The Appdome features to secure “Backend APIs and Web Services” were not chosen. See our no-code Appdome for F5 Anti-Bot for more info.
Appdome is Instant Remediation for Vulnerable Mobile Apps
That’s correct, Appdome’s AI code development platform built and solved over 20+ critical vulnerabilities in a mobile app in minutes. Comparing the pre- and post- Appdome results, the value of Appdome security features is clear:
- 6 OWASP issues vs ZERO issues in the Appdome-fused app
- Mobile app behavior issues that required attention vs ZERO issues in the Appdome-fused app
- 16 software composition issues vs ZERO issues in the Appdome-fused app
- 17 external communication issues vs ZERO issue in the Appdome-fused app
The ImmuniWeb detailed report gives mobile app developers a roadmap on what they need to do to fix the issues. However, no telling how long solving these security issues in a mobile app via manual development would take. In 30 seconds, a non-developer solved all the reported issues and moved all 4 areas in orange to either green and blue. That’s the power of Appdome!
Do You Have a Mobile Security Challenge?
Put your mobile app to the OWASP test and see the results for yourself. I would be super stoked if you would contacted me to share your results.
The team at Appdome would also be happy to help you solve your mobile security challenge. Don’t wait, start your free Appdome trial today.
I can guarantee you – you will see results fast.