Every year, OWASP releases reports on the top 10 most critical web and mobile application security risks, powerful awareness documents for application security that represent a broad consensus about the most critical security risks to apps. The OWASP community believes that “adopting the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code”.
The Appdome Mobile Security Suite can help any mobile developer protect their app against the OWASP Mobile Top 10 risks.
Appdome’s Mobile Security Suite offers no-code, on-demand advanced app protection in 5 distinct categories. Protection against the OWASP Mobile Top 10 risks can be added to any Android and iOS app, developed in any framework including Xamarin, React Native, Cordova, Xcode and others. Developers and non-developers can bring any .ipa or .apk binary to Appdome. There, they select one or more features from the list below using a simple point-and-click UI, and click the big green Fuse My App button to add security to their Android or iOS app in seconds – no code or coding required!
Here’s how Appdome’s Mobile Security Suite protects mobile apps against the OWASP Mobile Top 10 risks:
M1 – Improper Platform Usage
Customers can leverage Appdome to address this requirement by Fusing one or more features from Appdome’s Mobile Security Suite:
- Data Loss Prevention – Encrypt all data at rest and control Copy/Paste.
- OS Integrity – Detect when a device has been Jailbroken/Rooted and prevent installation of the Fused app.
- Secure Communication – Add Trusted Session Inspection, an advanced MiTM-prevention capability that also verifies the SSL connection of the Fused app.
- Privacy – Blur the application screen and add in-app pincode/fingerprint to the Fused app.
In addition, customers can also integrate any leading EMM, MAM or MDM SDK from within Appdome’s Mobility Management category, in lieu of or in addition to Appdome’s security features.
And finally, every app Fused on Appdome automatically gets advanced app hardening with ONEShield by Appdome. ONEShield includes anti-debugging, anti-reversing, app integrity/structure scanning, obfuscation and more.
M2 – Insecure Data Storage
Customers can instantly add Data-at-Rest (DAR) Encryption to any mobile app by simply clicking a toggle to enable the feature. When enabled, all data within the app (as well as data on the device created by the app) is encrypted so that it cannot be read in the event of a compromise. Optionally, customers can also exclude certain files or file types from being encrypted. DAR Encryption is one of the easiest ways to protect against the OWASP Mobile Top 10 risks.
M3 – Insecure Communication
Appdome’s Trusted Session Inspection validates the authenticity of trusted communication sessions initiated by the app. This includes SSL certificate validation, Trusted CA Pinning, Man in the Middle (MiTM) attack prevention, malicious proxy detection and prohibiting stale sessions from reclaiming session IDs.
M4 – Insecure Authentication & M6 – Insecure Authorization
Under Appdome’s Mobile Identity category, customers can integrate apps with their existing enterprise authentication and authorization system, choosing from the following options:
- Mobile Enterprise Authentication – Enables apps to leverage authentication schemes such as SAML, OAuth, OpenID Connect, Kerberos, KCD or a custom IdP when accessing gated resources.
- Cloud-Based Authentication – Instantly connect any app with your existing cloud identity provider to achieve native mobile SSO in any app.
- Mobile Identity SDK integration – Integrate any app with mobile SDKs for MFA, Advanced PKI, Biometrics and more.
- Private ID – Unique to the Appdome Identity Suite, Private ID encrypts and protects cached identity information, such as cookies and credentials, which might otherwise be stored ‘in the clear’ inside the app.
- Direct Broker – Appdome’s Direct Broker feature enables customers to connect their mobile apps directly to their chosen identity provider, without using publicly resolved brokers (which can easily be hacked).
M5 – Insufficient Cryptography
Appdome customers can choose to implement FIPS 140-2 certified cryptographic modules for encrypting data. FIPS 140-2 can be combined with Appdome’s Data-at-Rest Encryption feature. Additionally, Appdome uses 256-bit AES-CTR encryption for all Data-at-Rest and Obfuscation implementations. Note that CTR mode provides confidentiality only; on its own it does not detect modification of the ciphertext, so integrity must be protected separately.
SSL inspection strongly validates authenticity, protocol and encryption settings for Secure Communication and provides an easy way for mobile developers to ensure their apps are using the most secure and robust cryptography available. In-App Secrets Encryption provides seamless standard encryption for all secrets, keys, URLs and sensitive data located in your app. Many apps store such data either in the clear or using older encryption standards that are not regularly updated or maintained (due to the difficulty of changing crypto modules inside apps).
Finally, with TOTALCODE™ Obfuscation, Appdome’s proprietary binary-based obfuscation method, the entire app binary is obfuscated, including the framework and non-native file systems – all without source code or developer implementation required.
M6 – Insecure Authorization
With the Appdome for SSO+ or Appdome for Enterprise Authentication options, customers can integrate any mobile app with their chosen Identity or IAM solutions, or they can implement standards like OpenID Connect (which covers both authentication and authorization) inside any mobile app. In addition, customers can also add Complex In-App Pincode or Fingerprint Biometric Identity to Android and iOS apps.
M7 – Client Code Quality
ONEShield™ by Appdome is automatically included as part of every Fusion on Appdome. ONEShield includes Anti-Debugging, Anti-Tampering, App Integrity/structure scanning, Anti-Reversing, and Encryption of strings, resources and in-app preferences. Optionally, Appdome’s TOTALCODE™ Obfuscation fully obfuscates the source code of the app as well as the SDK(s) that were Fused to the app.
M8 – Code Tampering
Anti-tampering is included with ONEShield™ by Appdome. Appdome developed multi-layered, state-of-the-art Anti-Debugging and Anti-Tampering techniques that have been penetration-tested and approved by high-end third-party companies. With Appdome, any attempt to dynamically or statically tamper with the application or Appdome’s business logic will result in unexpected behavior.
M9 – Reverse Engineering
Anti-reversing is included with ONEShield™ by Appdome. And with TOTALCODE™ Obfuscation, Appdome obfuscates the application’s code on the binary level, including non-native source code. This makes reverse engineering of the app impossible.
M10 – Extraneous Functionality
This requirement is covered by an app structure/integrity scan, which is automatically performed for every app uploaded to the platform.
For more info on how to protect your mobile apps against the vulnerabilities listed in the OWASP Mobile Top 10, download the Mobile App Security Datasheet.