Covid-19 and the work-from-home revolution have placed new security demands on the mobile apps used for work. To respond, more and more enterprise IT and internal security teams are demanding that internally developed and 3rd party Android and iOS mobile apps pass penetration testing (a.k.a. pen testing), vulnerability assessments, and code scans before being deployed to mobile employees. When these enterprise mobile applications fail pen-testing or vulnerability scans, the consequences can be roadblocks in deployment, canceled projects, degraded employee productivity, and harsh employee feedback.
‘Enterprise mobile apps’ are Android and iOS applications used for work, including remote or fieldwork, and mobile apps used in the workplace by employees, consultants or partners, to access and create work-related resources and data or perform daily tasks. These mobile applications have quickly become the backbone of how modern work gets done. And, enterprises have recognized the dangers of using unprotected apps the hard way. To keep pace with the growing demand, security and internal IT teams are conducting mobile penetration tests or running automated vulnerability scans on enterprise apps used for work.
Enterprise Pen tests and Vulnerability Scans are a Good Thing
Pen tests and vulnerability scans of apps used for work are a good thing. Today’s modern employees work from home, are remote, and are part of an increasingly mobile-first workforce. For these employees, mobile apps for work, i.e., to complete tasks, upload data, create content, and access enterprise data, are a must.
Penetration tests and vulnerability scans offer Enterprise IT and security teams an easy way to assess the strength of a mobile application’s security, protection, and defenses. These tools and methods are designed to find and exploit vulnerabilities in the app’s security model, using the same methods and tools that a hostile attacker would use against the Android and iOS app in the wild. Vulnerability scans are typically automated, while penetration tests can involve highly trained human security experts who manually hack mobile apps. Both attempt to find weaknesses in the app’s defenses using a mix of static and dynamic reverse engineering techniques. And a large majority of the time, major issues are found. If reverse engineering is new to you, you can check out my previous posts on reversing iOS apps and reversing Android apps.
You Failed An Enterprise Pen Test or Vulnerability Scan, Now What?
So, you’re building a mobile app for work, and that mobile application fails a pentest or vulnerability scan – What now?
Enterprise IT and Security departments will get the results of a vulnerability scan or pentest. If the security assessment of the enterprise iOS or Android app turns up security gaps and vulnerabilities, here are the top questions faced by IT, Security and Development teams when an enterprise mobile app fails a pentest:
- Who addresses the pen test results?
- Which issues are most important to fix?
- How long will it take to address the issues raised in the pen test or vulnerability scan?
- How can you implement security protections without delaying your mobile app release?
- Does your team have the time or experience to implement mobile app security best practices in your enterprise mobile app?
Naturally, an organization might look to solve these problems internally (via DIY security) or by using an existing solution (such as a mobile management system or UEM/MAM/MDM). Most enterprises already have a mobile management solution in place, such as Microsoft Intune, VMware Workspace ONE, or Blackberry Dynamics. So let’s start there.
Will a UEM or MAM Solution Alone Ensure Mobile Apps Pass a Penetration Test?
Short answer: No. Mobile management systems, like UEM and MAM solutions, are not enough to pass a pentest or vulnerability scan.
Mobile management systems, like UEM and MAM solutions, serve an important purpose in managing app access and enforcing policies around data protection, DLP (like copy-paste protection) and in some cases VPN access to protected resources. Appdome has great partnerships with all leading UEMs (such as Intune or VMware). But these solutions will not help enterprise app makers pass a penetration test because they are not designed to protect the app itself, prevent hacking, or protect against static and dynamic analysis. This IT Security Guru article does an excellent job of discussing the differences between UEM-MAM and true app protection.
Pentests and vulnerability scans specifically look for vulnerabilities or weaknesses in mobile application code and 3rd party libraries, by exploiting or abusing components that the mobile app interacts with. Even if you implemented a UEM or MAM solution, thinking it would address the vulnerabilities found in the penetration test, when you re-scanned the app or conducted a new penetration test, you would very likely find the exact same set of vulnerabilities. Bottom line, UEM-MAM doesn’t prevent what hackers (and pen testers) can do. To give just a few examples, UEM-MAM solutions don’t provide obfuscation for the app. These solutions also don’t protect apps against dynamic attacks, such as malicious debugging, tampering, or modifying the binary. They also do not protect against static reverse engineering, such as decompiling or disassembling apps to access and understand the source code. All mobile management solutions focus on policy control and sandbox data protection only and provide little to no protection against attacks on the app itself or the app’s source code. You shouldn’t expect your mobile management solution or SDK alone to ensure you’ll pass pen tests, or to address code scanning vulnerabilities.
How to Pass a Pentest or Scan of Enterprise Mobile Apps
Passing a mobile pentest requires a multi-layered mobile app security defense that protects the app, source code, data, and networking elements. Generally, a layered defense consists of the following mobile application security best practices:
- Anti-tampering, anti-debugging, anti-reversing, emulator prevention
- Preventing binary patching, changing system-level files, and other forms of unauthorized changes to the application
- Jailbreak and Root Prevention
- Data Encryption (encrypt data at rest stored in the sandbox, XML strings, resources, preferences, dex files, and offline data)
- Code Obfuscation (native and non-native code, libraries, relocate control flows, and strip debug info)
- Secure Communications (MitM attack prevention, certificate pinning and validation, TLS enforcement, cipher suite enforcement, etc.)
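To make the "certificate pinning and validation" item above concrete, here is an added example (not Appdome's code, and not taken from this post) of the pin check a client performs on top of normal TLS chain validation: hash the server certificate's SubjectPublicKeyInfo, encode it as `sha256/<base64>` (the pin format used by OkHttp's CertificatePinner on Android and by HPKP), and refuse the connection unless at least one presented certificate matches a pinned hash. It is written in Go so it runs offline; the certificates, the hostname `api.example.test`, and the function names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiPin returns the "sha256/<base64>" pin of a certificate's
// SubjectPublicKeyInfo. Pinning the public key rather than the whole
// certificate lets the server renew the certificate without breaking clients.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// verifyPins is the check a pinning client runs after standard chain
// validation: at least one certificate presented by the server must match
// a pinned SPKI hash, otherwise the connection is rejected. A MitM proxy
// presenting a certificate for the right hostname but a different key fails here.
func verifyPins(rawCerts [][]byte, pins map[string]bool) error {
	for _, raw := range rawCerts {
		cert, err := x509.ParseCertificate(raw)
		if err != nil {
			return fmt.Errorf("parse certificate: %w", err)
		}
		if pins[spkiPin(cert)] {
			return nil
		}
	}
	return errors.New("certificate pinning failure: no presented certificate matches a pinned SPKI hash")
}

// pinnedTLSConfig builds a client tls.Config that keeps Go's normal
// hostname and chain validation and adds the pin check on top of it.
func pinnedTLSConfig(pins map[string]bool) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12, // TLS enforcement, another item in the list
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			return verifyPins(rawCerts, pins)
		},
	}
}

// selfSignedCert creates a throwaway certificate so the example runs offline.
// This is constructed test data, not a real server certificate.
func selfSignedCert(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	good, _ := selfSignedCert("api.example.test")
	rogue, _ := selfSignedCert("api.example.test") // same hostname, different key
	cert, _ := x509.ParseCertificate(good)
	pins := map[string]bool{spkiPin(cert): true}

	fmt.Println("pinned cert:", verifyPins([][]byte{good}, pins))   // <nil>
	fmt.Println("rogue cert: ", verifyPins([][]byte{rogue}, pins)) // pinning failure
	_ = pinnedTLSConfig(pins)
}
```

In a real deployment the pin set should hold at least one backup pin for the next key so a key rotation does not lock out every installed app, and the same `verifyPins` logic is what an Android client gets from OkHttp's `CertificatePinner` or an iOS client from a `URLSessionDelegate` challenge handler.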
Check out this post to learn the 5 Steps you can take immediately that will ensure your iOS or Android app can pass a mobile penetration test – guaranteed.
If you want to learn more about any of these features or see them in action, request a demo using the button below, and see how Appdome helps mobile developers automate mobile app security implementations and pass mobile penetration tests – for any app framework, and without changing source code or developer workflows.