Every year, OWASP releases reports on the top 10 most critical web and mobile application security risks, powerful awareness documents for application security that represent a broad consensus about the most critical security risks to apps. The OWASP community believes that “adopting the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code”.
Here are some incredible statistics on the number of data breaches and the financial consequenses for organizations that suffer these breaches.
- Forbes reported that in the first 6 months of 2019, there were more than 3,800 publicly disclosed breaches exposing an incredible 4.1 billion compromised records.
- Equifax will pay up to $700M over its data breach.
- British Airways faces $230M GDPR fines for its 2018 web and mobile data breach.
Luckily, the Appdome Mobile Security Suite can help any mobile developer protect their app against the OWASP Mobile Top 10 risks.
Appdome’s Mobile Security Suite offers no-code, on-demand advanced app protection in 5 distinct categories. Protection against the OWASP Mobile Top 10 risks can be added to any Android and iOS app, developed in any framework including Xamarin, React Native, Cordova, xCode and others. Developers and non-developers can bring any .ipa or .apk binary to Appdome. There, they select one or multiple features from the list below using a simple point-and-click UI, and click the big green Build My App button to add security to their Android or iOS app in seconds – no code or coding required!
Here’s how Appdome’s Mobile Security Suite protects mobile apps against the OWASP Mobile top 10 risks
M1 – Improper Platform Usage
Customers can leverage Appdome to address this requirement by building one or more features from Appdome’s Mobile Security Suite:
- TOTALData Encryption – Encrypt all mobile app data, in-app preferences, string and resources.
- OS Integrity – Detect when a device was Jailbroken/Rooted and prevent installation of Fused app.
- Secure Communication – Add Trusted Session Inspection, an advanced MiTM solution that also verifies the SSL connection to the Fused app.
- Privacy -Govern Copy/Paste protection, blur the application screen, Prevent keyloggers and add in-app pincode/FaceID/fingerprint to the Fused app.
- TOTALCode Obfuscation – Obfuscate all native and non-native mobile app code.
In addition, customers could also integrate any leading EMM, MAM or MDM SDK from within Appdome’s Mobility Management category in lieu of or in addition to Appdome’s security features.
And finally, every app built on Appdome automatically gets advanced app hardening with ONEShield by Appdome. ONEShield includes anti-debugging, anti-reversing, app integrity/structure scanning, obfuscation and more.
M2 – Insecure Data Storage
With TOTALData Encryption, customers can instantly encrypt and protect all three states of mobile app data; data-at-rest, data-in-transit and data-in-use in any mobile app by simply clicking a toggle to enable the feature. When enabled, all data within the app (as well as data on the device created by the app) is encrypted so that it cannot be read in the event of a compromise. Optionally, customers can also exclude certain files or file-types from being encrypted. TOTALData Encryption is one of the easiest ways to protect against the OWASP mobile top 10 rists.
M3 – Insecure Communication
Appdome’s Secure Communication validates the authenticity of trusted communication sessions initiated by the app. This includes Trusted Session, SSL Certification, Trusted CA Pinning, Man in the Middle (MiTM) attack prevention, malicious proxy detection, prohibiting stale sessions from reclaiming SessionIDs and Session Control.
M4 – Insecure Authentication & M6 – Insecure Authorization
Under Appdome’s Enterprise Authentication and Mobile Identity category, customers can integrate apps with their existing enterprise authentication and authorization system, choosing from the following options:
- Mobile Enterprise Authentication – Enables apps to leverage authentication schemes such as SAML, OAuth, OpenID Connect, Kerberos, or KCD or a custom IdP when accessing gated resources.
- Cloud Based authentication – Instantly connect any app with your existing cloud identity provider to achieve native mobile SSO in any app.
- Mobile Identity SDK integration – Integrate any app with mobile SDKs for MFA and Biometrics.
- Private ID – Unique to the Appdome Identity Suite, Private ID encrypts and protects cached identity information, such as cookies and credentials, which might otherwise be stored ‘in the clear’ inside the app.
- Direct Broker – Appdome’s Direct Broker feature enables customers to connect their mobile apps directly to their chosen identity provider, without using publicly resolved brokers (which can easily be hacked).
M5 – Insufficient Cryptography
Appdome customers can choose to implement FIPS140-2 certified cryptographic modules for encrypting data. FIPS140-2 can be combined with Appdome’s TOTALData Encryption feature. Additionally, Appdome uses AES-CTR-256 bit encryption for all Data at Rest and Obfuscation implementations. SSL inspection strongly validates authenticity, protocol and encryption settings for Secure Communication and provides an easy way for mobile developers to ensure their apps are using the most secure and robust cryptography available in all their apps. In-App secrets encryption provides seamless standard encryption to all secrets, keys, URLs and sensitive data located in your app. Many apps store such data in either ‘in the clear’ or using older encryption standards that are not regularly updated or maintained (due to the difficulty of changing crypto modules inside apps). Finally with TOTALCODE™ Obfuscation, Appdome’s proprietary binary based obfuscation method, the entire app binary is obfuscated, including the framework and non-native file systems – all without source code or developer implementation required.
M6 – Insecure Authorization
With Appdome for SSO+, or Appdome for Enterprise Authentication options customers can integrate any mobile app with their chosen Identity or IAM solutions, or they can implement standards like OpenID Connect (which cover both authentication and authorization) inside any mobile app. In addition, customers can also add Complex In-App Pincode or Fingerprint Biometric Identity to Android and iOS apps.
M7 – Client Code Quality
ONEShield™ by Appdome is automatically included as part of every Fusion on Appdome. ONEShield includes Anti-Debugging, Anti-Tampering, App Integrity/structure scanning, and Anti-Reversing. Optionally, Appdome’s TOTALCODE™ Obfuscation fully obfuscates the source code of the app as well as the SDK(s) that were Fused to the app.
M8 – Code Tampering
Anti-tampering is included with ONEShield™ by Appdome. Appdome developed multi layered state of the art Anti-debugging and Anti-Tampering techniques that have been pen-tested and approved by high end third party companies. With Appdome, any attempt to dynamically or statically tamper with the application or Appdome’s business logic will result in unexpected behavior.
M9 – Reverse Engineering
Anti-reversing is included with ONEShield™ by Appdome. Add to this that with TOTALCODE™ Obfuscation, Appdome obfuscates the application’s code on the binary level, including non-native source code and with the APPCode Packer feature in TOTALData Encryption, Appdome encrypts all the java code in the app. All this makes reverse engineering of the app impossible.
M10 – Extraneous Functionality
This requirement is covered by an app Structure/integrity scan, which is automatically performed for every app uploaded to the platform.
For more info on how to protect your mobile apps against the vulnerabilities listed in the OWASP Mobile Top 10, Download the Appdome Mobile Security Suite Datasheet.
This blog was first published on Aug 30 2018 and updated on Sept 15, 2019.