
App Security Insights

Vulnerability Scanning: Don't Fail because you Didn't Do It

Mar 19, 2018 12:30:22 PM / by AppSolid Team


Not sure if you need to take the step of vulnerability scanning in your mobile application development? Think again! As its name suggests, vulnerability scanning seeks and finds potential vulnerabilities that may exist within the structure of your mobile app.

Foregoing this critical item in the creation process could open your app to countless problems, up to and including a full security breach of every user that accesses it. Issues like this can cause a company to face:

  • lawsuits that result in penalties and fines
  • degradation of your company’s reputation
  • public relations nightmares (i.e. bad publicity), and
  • the potential of filing for bankruptcy, or
  • going out of business completely

These aren’t just scare tactics. These kinds of things can happen because security breaches can happen with any application. And they have - to even the biggest brand names.

Just ask Equifax, Yahoo!, Microsoft, Uber, and Gmail to name a few. These are companies that pour loads of time, money, and resources into security. Sure, they may be bigger targets, but it does speak to just how far hackers and cyber criminals are willing to go in hopes of wreaking havoc on, well, everyone.

Your apps might have potential leaks that could ease hackers’ entry. As a result, your app could be just as much of a target as the well-known companies, if not more of one.

Think of Vulnerability Scanning Like an Annual Physical


Every year, we’re supposed to go to the doctor and have a physical performed. We don’t do this because we want to, or because we’re excited to strip down and have someone examine us. The reason we do it is that we want to catch problems early and stop them in their tracks. But what happens when we don’t go for our annual physical?

If we’re being completely honest, in some cases, everything works out just fine. Many people who don’t have annual physicals remain healthy, and short of getting the flu or a random illness here and there, there’s no problem to be found.

Then again, there are several people who feel and look fine on the surface, but actually have a bug growing inside of them that ultimately makes them too sick to work. In some cases, they’re hospitalized until the bug can be removed. However, in the worst cases, they learn the bug is too big and their bodies can’t fight anymore.

In many cases, getting that annual physical could have prevented the pain and anguish the patient endures. This may sound harsh, but it’s too often true.

Like the patient that could have prevented their own suffering, and potentially worse, your mobile application can be saved from “sickness” or digital death. Vulnerability scanning is like that annual physical - you can check for bugs, and squash them in their tracks.

Not checking for weaknesses could result in your app being taken out of commission completely. In the best case, it will just be offline for days, but it could also be months or years as you work on wiping out the problem or problems.

Your Mobile App Needs to be Checked for Weaknesses

Okay, so you get the health metaphor - performing vulnerability scanning on your mobile application can catch and eradicate its digital bugs and glitches. Now, you may be thinking - but, what vulnerabilities could my mobile app possibly have that could cause trouble down the road?

According to the Open Web Application Security Project (OWASP), as of 2017 the top 10 most critical web application vulnerabilities are:

  1. Injection Flaws
  2. Broken Authentication and Session Management
  3. Sensitive Data Exposure
  4. XML External Entity (XXE)
  5. Broken Access Control
  6. Security Misconfiguration
  7. Cross-Site Scripting (XSS)
  8. Insecure Deserialization
  9. Using Components with Known Vulnerabilities
  10. Insufficient Logging and Monitoring

Let’s break these vulnerabilities down a little further, shall we? Since we don’t want to inundate you with content shock, this breakdown will be the shortened version. However, if you wish to do a deeper dive into any of these weaknesses you can read OWASP’s full report here.

Injection Flaws

Three common injection flaws are SQL, OS command, and LDAP injection. A Structured Query Language (SQL) injection is a code injection technique in which attacker-controlled input is built into a database query, and hackers use it to attack data-driven applications. An operating system (OS) command injection occurs when such input reaches a command the application passes to the operating system, so the attacker’s text is executed as part of that command. A Lightweight Directory Access Protocol (LDAP) injection occurs when user-supplied input is built into an LDAP query and is exploited the same way. In every case the root cause is the same: data supplied by the user is interpreted as part of a command.

With all three of these injections, a hacker could retrieve the entire database of content from your application, or they could pass malicious code onto your users for a variety of reasons. They might just be data mining, or they could render the application and the phone of the user completely useless. If the user is supplying banking or healthcare information, this could be digital gold in the hands of a cyber criminal.
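The SQL case above, as an added example that is not part of the original post: a lookup that concatenates the username into the query text next to the parameterised version, run against a constructed in-memory SQLite table (the table, the rows and the function names are assumptions for this demonstration). The same separation of data from command is the fix for OS command and LDAP injection: pass user input as an argument, never splice it into the command string.

```python
import sqlite3

# Constructed sample data standing in for the app's backend user table
# (not from the original post).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Untrusted input is pasted into the SQL text, so it can change the
    structure of the query instead of just supplying a value to compare."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the value travels separately from the SQL text,
    so the database engine only ever treats it as data."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# The textbook tautology input. In the concatenated query it becomes
#   WHERE username = '' OR '1'='1'
# which is true for every row, so the whole table comes back.
TAUTOLOGY_INPUT = "' OR '1'='1"


def compare_lookups(username: str) -> dict:
    """Run both lookups on the same input and report how many rows each returns."""
    conn = make_db()
    try:
        return {
            "vulnerable_rows": len(lookup_vulnerable(conn, username)),
            "safe_rows": len(lookup_safe(conn, username)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print("normal input :", compare_lookups("alice"))
    print("tautology    :", compare_lookups(TAUTOLOGY_INPUT))
```

With the tautology input the concatenated query returns both rows while the parameterised query returns none, because the driver compares the literal string `' OR '1'='1` against the username column instead of letting it rewrite the WHERE clause.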

Broken Authentication and Session Management

If your application uses usernames and passwords, an attacker could not only gain access to that information for your app, but could also unlock usernames and passwords for additional applications.

Consider that many people use the same usernames and passwords for a variety of applications. A hacker gaining access to information from one could then “guess” the login information for other applications such as a user’s bank account, credit cards, and more. Broken authentication and session management vulnerabilities are just what cyber criminals are hoping for to commit crimes like identity theft.

Sensitive Data Exposure


There are applications for just about everything these days, from gaming to doctor appointments (complete with full medical files and pharmacy records), banking and financial records, and so much more. This sensitive data is a vulnerability if it’s not encrypted.

Cyber criminals are hoping you won’t scan for vulnerabilities like this because they want easy access to all of the sensitive data that they can get. Now, you might be thinking, my app has nothing to do with sensitive data. However, that doesn’t mean that another vulnerability on this list wouldn’t give a hacker access to sensitive data inside the user’s smartphone.

XML External Entity (XXE)

Extensible Markup Language (XML) is a metalanguage whose markup symbols describe a file’s contents or what the page itself is. If a mobile application’s XML parser processes external entity references found in untrusted XML, a cyber criminal can use it to scan a phone for information, obtain data, or mount a denial of service (DoS) attack that disrupts your application and/or the user’s phone temporarily or indefinitely.
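The defensive check for this, as an added example (not code from the original post): a parser wrapper that refuses any untrusted document carrying a DOCTYPE, since both external entities and the nested-entity expansion used for DoS have to be declared in one. The sample documents, the `file:///placeholder/path` URI and the function names are constructed for this example.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when untrusted XML tries to declare a DTD (and so entities)."""


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source, refusing any DOCTYPE declaration.

    Expat calls StartDoctypeDeclHandler as soon as it reaches <!DOCTYPE ...>,
    before any entity can be declared or expanded, and an exception raised
    inside the handler propagates out of Parse(). Only a DTD-free,
    well-formed document reaches the ElementTree build step.
    """
    scanner = expat.ParserCreate()

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE '{name}' rejected: untrusted XML must not declare entities")

    scanner.StartDoctypeDeclHandler = forbid_doctype
    scanner.Parse(data, True)  # raises UnsafeXML or expat.ExpatError
    return ET.fromstring(data)


def accepts(data: bytes) -> bool:
    """True if parse_untrusted_xml accepts the document, False if it rejects it."""
    try:
        parse_untrusted_xml(data)
        return True
    except (UnsafeXML, expat.ExpatError, ET.ParseError):
        return False


# Constructed sample documents (not from the original post).
SAFE_DOC = b"<profile><name>alice</name><plan>free</plan></profile>"

# External entity: the parser is asked to fetch a file or URL and paste its
# contents into the document. The URI is a placeholder.
XXE_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE profile [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
    b"<profile><name>&ext;</name></profile>"
)

# Nested internal entities: each level multiplies the expanded size, which is
# how an entity-expansion DoS exhausts the parser's memory or CPU.
EXPANSION_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE profile [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
    b"<profile><name>&b;</name></profile>"
)


if __name__ == "__main__":
    for label, doc in [("safe", SAFE_DOC), ("xxe", XXE_DOC), ("expansion", EXPANSION_DOC)]:
        print(f"{label:10s} accepted={accepts(doc)}")
```

The same "no DTD from untrusted input" rule is what you set on other parsers; on the Java parsers used in Android code it is the `http://apache.org/xml/features/disallow-doctype-decl` feature. Legitimate app data formats almost never need a DTD, so rejecting it costs nothing.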

Broken Access Control

Broken access control occurs when the restrictions on what an authenticated user is allowed to do are either nonexistent or not properly enforced. A cyber criminal can take advantage of this by slipping in to access the accounts of other users, view files that are sensitive in nature, and even modify data or other users’ ability to access things on their phone or in the application.
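The two sections on broken authentication and broken access control share one added example (not code from the original post): passwords stored as salted, slow PBKDF2 hashes so that a breach of your app does not hand over passwords reused elsewhere, session tokens drawn from the OS random generator, and a record lookup that checks ownership on every request rather than trusting the client-supplied id. The iteration count, the `SessionStore` class, the `RECORDS` table and every user name are constructed assumptions.

```python
import hashlib
import hmac
import os
import secrets

# PBKDF2-HMAC-SHA256 work factor. Constructed value for this example; raise it
# until one hash takes a noticeable fraction of a second on your server.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str) -> str:
    """Salted, deliberately slow hash. A fresh random salt per user means two
    users with the same password get different hashes and precomputed
    tables are useless."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class SessionStore:
    """Server-side sessions keyed by an unguessable random token."""

    def __init__(self) -> None:
        self._sessions = {}

    def create(self, username: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = username
        return token

    def user_for(self, token: str):
        return self._sessions.get(token)

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)


# Constructed sample records and the user who owns each one.
RECORDS = {
    101: {"owner": "alice", "body": "alice's appointment notes"},
    102: {"owner": "bob", "body": "bob's appointment notes"},
}


def read_record(sessions: SessionStore, token: str, record_id: int) -> str:
    """Authentication and authorisation: a valid session is not enough, the
    caller must also own the record. Missing and foreign records produce the
    same error so the response does not reveal which ids exist."""
    user = sessions.user_for(token)
    if user is None:
        raise PermissionError("not authenticated")
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != user:
        raise PermissionError("forbidden")
    return record["body"]


def can_read(sessions: SessionStore, token: str, record_id: int) -> bool:
    """Convenience wrapper: True if read_record succeeds for this caller."""
    try:
        read_record(sessions, token, record_id)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print("password ok :", verify_password("correct horse battery staple", stored))
    sessions = SessionStore()
    token = sessions.create("alice")
    print("own record  :", can_read(sessions, token, 101))
    print("bob's record:", can_read(sessions, token, 102))
```

The ownership check is the part most often missing in practice: an app that builds `/records/102` into a request and relies on the client never changing the number has broken access control, whatever its login screen looks like.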

Security Misconfiguration

Imagine someone getting access to all of the accounts created by the users of your mobile application without ever creating an account of their own. This can occur when a hacker gets in through default accounts, unpatched flaws, unused pages, unprotected files, and more.

It’s like how most people who purchase an internet router receive a default username and password. If the purchaser never changes them, it is easier for someone else to steal internet access from that person once they guess which router manufacturer is being used.

Default passwords are only meant to get you in the first time. They should be changed regularly, or at least upon the first login, to ensure other people won’t be able to figure out the access information.  

Cross-Site Scripting (XSS)

Cross-site scripting (XSS) is what happens when an attacker gets malicious code or script into the content a legitimate mobile application displays, typically through untrusted input that the app renders without escaping. When the user opens your mobile application, they will have no idea that anything out of the ordinary is happening, because it will look and feel the same. In reality, the attacker’s script could be extracting information from the user via your app.
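An added example of the rendering side of this, not code from the original post: a greeting template that drops the user's display name straight into HTML next to one that encodes it for each output context (text, attribute, URL segment), plus a Content-Security-Policy header as a second layer for content shown in a WebView. The sample names and the helper functions are constructed for this demonstration; the `<script>alert(1)</script>` string is the harmless probe used in every XSS tutorial.

```python
import html
import re
from urllib.parse import quote

# Constructed sample inputs (not from the original post).
PLAIN_NAME = "Alice"
SCRIPT_NAME = "<script>alert(1)</script>"


def render_vulnerable(display_name: str) -> str:
    """Untrusted text dropped straight into HTML: the browser or WebView will
    parse any tags it contains as part of the page."""
    return f"<p>Welcome back, {display_name}!</p>"


def render_safe(display_name: str) -> str:
    """Output encoding for the HTML text context: < > & " ' become entities,
    so the characters are displayed instead of interpreted."""
    return f"<p>Welcome back, {html.escape(display_name)}!</p>"


def render_profile_link(display_name: str, user_id: str) -> str:
    """Each output context needs its own encoder: attribute values use
    html.escape(quote=True), URL path segments use percent-encoding (with '/'
    not exempted, so an id cannot climb the path), and the visible text uses
    plain HTML escaping."""
    return (
        f'<a href="/users/{quote(user_id, safe="")}" '
        f'title="{html.escape(display_name, quote=True)}">'
        f"{html.escape(display_name)}</a>"
    )


def csp_header() -> str:
    """Defence in depth for content shown in a WebView or browser: even if an
    escaping bug slips through, inline script is blocked by policy."""
    return "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'"


def tags_in(rendered: str) -> list:
    """Names of the tags that actually appear in rendered HTML, in order.
    Used to show which elements a parser would see."""
    return re.findall(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)", rendered)


if __name__ == "__main__":
    for name in (PLAIN_NAME, SCRIPT_NAME):
        print("vulnerable:", tags_in(render_vulnerable(name)))
        print("safe      :", tags_in(render_safe(name)))
    print(render_profile_link('Bob "the" <Builder>', "bob/../admin"))
    print(csp_header())
```

In the vulnerable rendering the parser sees a `script` element; in the safe one it sees only the paragraph, with the probe shown as literal text.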

Insecure Deserialization

Deserialization is the opposite of serialization. Serialization turns objects into data, and deserialization turns data back into objects. Insecure deserialization, then, occurs when objects are created from malicious or tampered data without checking it first.

While insecure deserialization is occurring, your app could suffer from remote attacks. In other words, an attacker can access and make changes to someone else’s phone or applications, regardless of where they are geographically located.
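An added example of the difference, not code from the original post, using Python's `pickle` as the native serializer: a loader that hands untrusted bytes to `pickle.loads`, the preferred replacement that reads a data-only JSON format and validates every field, and, for cases where a pickle format cannot be dropped yet, a restricted unpickler that refuses to construct anything but the one expected class. The `Profile` and `ServerSettings` classes and the sample blobs are constructed for this demonstration.

```python
import io
import json
import pickle
from dataclasses import dataclass


@dataclass
class Profile:
    username: str
    age: int


@dataclass
class ServerSettings:
    """A class the profile loader must never instantiate, used below to show
    the restricted unpickler refusing an unexpected type."""
    debug: bool = True


def load_profile_vulnerable(blob: bytes) -> Profile:
    """pickle.loads imports and calls whatever the byte stream names, so a
    crafted blob runs code during deserialisation, before any validation."""
    return pickle.loads(blob)


def load_profile_json(blob: bytes) -> Profile:
    """Preferred fix: a data-only format plus explicit shape and type checks.
    The parser can only ever produce dicts, lists, strings and numbers."""
    data = json.loads(blob.decode("utf-8"))
    if not isinstance(data, dict) or set(data) != {"username", "age"}:
        raise ValueError("unexpected fields")
    username, age = data["username"], data["age"]
    if not isinstance(username, str) or not 1 <= len(username) <= 32:
        raise ValueError("bad username")
    # bool is a subclass of int in Python, so exclude it explicitly
    if isinstance(age, bool) or not isinstance(age, int) or not 0 <= age <= 150:
        raise ValueError("bad age")
    return Profile(username=username, age=age)


class RestrictedUnpickler(pickle.Unpickler):
    """If pickle cannot be avoided (legacy on-device storage, say), allow only
    the classes the app expects. find_class is consulted for every class or
    function the stream references, so unknown names are refused before
    anything is constructed."""

    ALLOWED = {(Profile.__module__, Profile.__qualname__): Profile}

    def find_class(self, module, name):
        try:
            return self.ALLOWED[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(f"refusing to load {module}.{name}") from None


def load_profile_restricted(blob: bytes) -> Profile:
    obj = RestrictedUnpickler(io.BytesIO(blob)).load()
    if not isinstance(obj, Profile):
        raise pickle.UnpicklingError("stream did not contain a Profile")
    return obj


# Constructed sample blobs.
GOOD_JSON = b'{"username": "alice", "age": 30}'
EXTRA_FIELD_JSON = b'{"username": "alice", "age": 30, "role": "admin"}'
PROFILE_BLOB = pickle.dumps(Profile("bob", 41))
FOREIGN_BLOB = pickle.dumps(ServerSettings())


if __name__ == "__main__":
    print(load_profile_json(GOOD_JSON))
    print(load_profile_restricted(PROFILE_BLOB))
    try:
        load_profile_restricted(FOREIGN_BLOB)
    except pickle.UnpicklingError as exc:
        print("rejected:", exc)
```

The allowlist approach only narrows the damage; the JSON loader is the real fix, because a data-only format gives the attacker no way to name a class or function at all.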

Using Components with Known Vulnerabilities

If you use components in your application that you know have vulnerabilities, you are practically asking an attacker to exploit them. Many of the elements of your application have the same privileges as the app itself. Therefore, if there are vulnerabilities in the framework, the software, or the libraries, for example, and you keep shipping the application without correcting them, an attacker could cause trouble with other elements in your application via those flawed components.

Insufficient Logging and Monitoring

You should be scanning and monitoring for vulnerabilities in your application regularly. Every day that you are not confirming everything is running smoothly is another day that cyber criminals have to try to crack into your application.

It’s a good idea to monitor and log the actions of all of your users, just to make sure that no one is doing anything they should not be doing. By keeping an eye on things internally, and doing it often, you’ll be better equipped to catch a glitch or hack, and stop it from continuing.
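What "keeping an eye on things" looks like in code, as an added example that is not part of the original post: a small analyser run over constructed backend log lines that flags a source address with many failed logins in a short window (password guessing) and a user who keeps being denied access to records that are not theirs (probing for access-control gaps). The log format, the `203.0.113.x` and `198.51.100.x` documentation addresses, the thresholds and the function names are all assumptions for this example.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<timestamp> <event> <outcome> key=value ..."
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>auth|record) (?P<outcome>OK|FAIL|DENIED) (?P<kv>.*)$"
)

# Constructed sample lines (not from the original post). The first five are
# one address trying five different accounts in four seconds; bob is denied
# three records in a row; alice mistypes once and then logs in normally.
SAMPLE_LOG = """\
2018-03-19T12:30:01Z auth FAIL user=alice src=203.0.113.7
2018-03-19T12:30:02Z auth FAIL user=bob src=203.0.113.7
2018-03-19T12:30:03Z auth FAIL user=carol src=203.0.113.7
2018-03-19T12:30:04Z auth FAIL user=dave src=203.0.113.7
2018-03-19T12:30:05Z auth FAIL user=erin src=203.0.113.7
2018-03-19T12:30:10Z auth FAIL user=alice src=198.51.100.4
2018-03-19T12:30:25Z auth OK user=alice src=198.51.100.4
2018-03-19T12:31:00Z record OK user=bob id=102
2018-03-19T12:31:01Z record DENIED user=bob id=103
2018-03-19T12:31:02Z record DENIED user=bob id=104
2018-03-19T12:31:03Z record DENIED user=bob id=105
2018-03-19T12:32:00Z record DENIED user=carol id=101
"""


def parse_line(line: str) -> dict:
    """Turn one log line into a dict with a datetime 'ts' and the key=value fields."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m["kv"].split())
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "event": m["event"],
        "outcome": m["outcome"],
        **fields,
    }


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)) -> set:
    """Flag a source address with >= threshold failed logins inside a sliding
    window, regardless of which accounts it tried."""
    recent = defaultdict(deque)
    flagged = set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] != "auth" or e["outcome"] != "FAIL":
            continue
        q = recent[e["src"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(e["src"])
    return flagged


def detect_access_probing(events, threshold=3) -> set:
    """Flag a user denied access to >= threshold records: one denial is a
    stale link, repeated denials are someone walking through ids."""
    denied = Counter(
        e["user"] for e in events if e["event"] == "record" and e["outcome"] == "DENIED"
    )
    return {user for user, n in denied.items() if n >= threshold}


def analyse(log_text: str) -> dict:
    """Parse a log and return both detections with sorted, stable output."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    return {
        "bruteforce_sources": sorted(detect_bruteforce(events)),
        "probing_users": sorted(detect_access_probing(events)),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Both detections only work because the application logged the failures in the first place, with the user, the source and the record id attached. That is the practical meaning of "insufficient logging": a missing DENIED line is a probe nobody will ever see.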

Scanning for These Vulnerabilities is Easier Than Ever


AppSolid is the easiest way to protect your mobile application from cyber criminals and hackers. Your app is your business, or at least a part of your business, and it’s crucial that you protect your business assets. It’s also important to protect your users.

Here’s the thing - mobile applications are more popular than ever, and their popularity is on the rise, not the decline. As more businesses create apps, more and more cyber criminals will be doing all that they can to crack and hack their way into them in hopes of either being digital terrorists, or mining all the data they can to steal/make as much money as possible.

If 75% of mobile apps are already failing basic security tests, that’s music to an attacker’s ears, and telling them that apps are the very thing they should keep trying to manipulate and exploit. Stand up to these attackers, and prevent them from making your application another sad statistic. With it being as easy as it is, why wouldn’t you protect yourself?

Think about it - most people don’t drive a car without insurance because they know how costly it can be in the event of an accident. Why are you risking trouble by not having a security solution for your mobile application? If nothing else, it will give you the peace of mind that you’re doing all you can for your business, and your users, to ensure their safety and protection while using your app.

AppSolid scans your mobile application and diagnoses any vulnerabilities. You’ll have results in mere seconds. It doesn’t stop there, though. It also protects your application and tracks its security in real time. You’ll have binary protection in just minutes, with no additional coding required, and you’ll be able to monitor the security of your application so that you can have better control over suspicious activities.

What if You Already Released Your App?

Releasing the app is no excuse for avoiding vulnerability scanning. After all, you can release an update of your application anytime. So, why not check it for weaknesses, correct them if they are there, and re-release a better, safer version? It’s never too late to make your mobile application more secure.

Naysayers may argue that their application has been live for months or years without an attack. Do you really want to stand by that argument? The sad truth is that cyber criminals are watching and looking for app developers with that exact mindset. For all you know they are using your app right now trying to see if they can break into it.

The old adage of “it’s better to be safe than sorry” comes to mind. It couldn’t be more true than with something like scanning a mobile application for weaknesses, correcting them, and protecting it from future risks.

Bottom Line - Vulnerability Scanning IS Necessary

We hope this article has convinced you just how critical vulnerability scanning is for your mobile application. Not only could it prevent unnecessary headaches, it could save your business a lot of money, and from having to close its doors. We’d hate to see your company fail because of something as preventable as neglecting this simple step.

We also announced recently The New Updated Scan by AppSolid. Learn more about that here. If instead you’re ready to get started using AppSolid now in your business, click here to create an account.


