We all realize the power of mobile applications helping expand businesses and unlocking their market reach with potential customers.
However, mobile has also expanded the threat vector for malicious actors trying to profit from security vulnerabilities.
In the battle against malicious hackers, companies need to make sure that they are well protected from threats coming from their mobile operations. However, what some seem to forget is that the exposure from mobile isn’t limited to vulnerabilities in the client-side mobile application that users download from their provider’s app store and install on their devices. The bigger risk actually comes from the service running on the backend, serving the requests that come from those client-side apps.
Thanks to its support for scanning both the client-side mobile applications and the server-side web services using a mix of application security testing techniques, HCL AppScan is the only solution that can offer the complete set of technologies to properly test your mobile applications landscape.
For example, developers can easily examine their own code for security vulnerabilities using Static Analysis Security Testing (SAST) and use Software Composition Analysis (SCA) to evaluate whether the third-party components they import into their applications have known vulnerabilities.
When it comes to the server side, on top of SAST and SCA, AppScan allows users to scan the backend service using Dynamic Analysis Security Testing (DAST), which imitates the same actions a malicious hacker would take. Interactive Analysis Security Testing (IAST) is also available to monitor the application’s behavior as it is being interacted with, adding another layer of testing that can detect vulnerabilities which may not be easily exposed externally.
Those who have followed AppScan over the past few years are also familiar with HCL AppScan on Cloud’s Mobile Analyzer for scanning client-side mobile applications. The Mobile Analyzer relies on IAST technology, and in recent months, as we introduced the above-mentioned SAST support for mobile languages, we transitioned our use of IAST to focus on web applications and web services.
Passive IAST offers security analysis with no scan time of its own. Its sweet spot is when it runs as part of the pipeline, leveraging the functional testing the QA team already runs. This works great with web applications and web services, but not so much when it comes to client-side mobile applications. To overcome that limitation, in AppScan we implemented a proprietary crawler to automatically interact with the application. Using this approach we were able to successfully scan the application, but on average the scan time was over 1 hour, while our SAST scans complete in only a few minutes or even less.
With our IAST solution, we are only able to scan iOS and Android applications written in Swift, Objective-C, Android Java and Kotlin, and only applications that can run on generic devices; applications written for a specific Android manufacturer are not supported. With our SAST solution, in addition to the four above, we also support Ionic, React Native and Xamarin, and we plan to add more languages and frameworks. Because SAST is device agnostic, we are able to scan the code regardless of the device it is meant for.
As mentioned, IAST monitors the application as it is being interacted with, so an IAST solution for mobile requires actual mobile devices. Because of that, Mobile Analyzer was only available in our cloud solution; adding mobile support through SAST makes it available in HCL AppScan Source as well.
Application security testing techniques such as IAST and DAST test a running application. On one hand, this makes them more accurate than SAST; on the other, it makes the scan harder to set up. To successfully complete a SAST scan there is no need to instantiate a backend server, no need to make sure the scanner can reach that backend or to provide login credentials, and in fact one doesn’t even need to be able to compile the application: all that is needed is the application code.