There are more than 1.5 million mobile apps available and over 100 billion mobile app downloads as of June 2015.(1) It should come as no surprise that companies and governments alike are adding apps to their digital repertoire. With potential user bases that are both large and dispersed, the benefits of creating mobile apps for government use are significant, but the security risks of deploying custom apps are real.
That’s where mobile app vetting comes in. Mobile app stores often have stringent requirements for admittance, but the admittance process itself remains something of a black box, even for developers. Well, somewhere in that black box, each mobile app submitted for approval is vetted for security vulnerabilities. Why is vetting important? Each time a user downloads an app, he grants the app a certain level of access to his data, which can include sensitive information such as his contacts or location, depending on what the app needs in order to function properly. In the case of government-developed mobile apps, the required data is often very sensitive in nature and can include both personal and government agency-specific information. If these apps are not completely secured, a third party with malicious intent could exploit vulnerabilities to access and manipulate this highly sensitive information, which makes mobile app vetting all the more important.
There are several tests that can be conducted to vet a mobile app, the most common being dynamic and static code analysis. Dynamic code analysis, also known as Dynamic Application Security Testing (DAST), requires the mobile app to be running while analyzers observe its behavior for patterns that leave it susceptible to attack. In contrast, static code analysis, also known as Static Application Security Testing (SAST), scans the source code itself to highlight areas of weakness in syntax, data storage, and architecture. Static code analysis in particular can be run iteratively from the earliest stages of development, providing the broadest overall coverage from start to finish.
If mobile apps can be vetted iteratively throughout their development lifecycle, why not do so? Deloitte Digital worked with a large U.S. Federal government client to create an automated mobile app vetting solution that lets developers run static code analysis as they develop. The solution has three key components that enable automatic, iterative vetting: a code repository hosting service, a continuous integration server, and a static code analyzer. The code repository hosting service lets developers upload their code, track and assign defects, manage version control, and run automated tests. The continuous integration server covers some of the same ground, supporting version control and collaboration, but it also pulls code from a developer’s repository and compiles it so that the automated tests run on a continuous basis. The automated vetting process requires one-time set-up for each mobile app project; after that, a developer can scan his or her code continuously and iteratively as it is being developed.
Each time a developer makes a change to his code repository, the static code analyzer scans his mobile app and a report is generated that tells him exactly where the vulnerabilities are. These reports also provide recommendations on how these vulnerabilities should be resolved to meet enterprise-level security standards. Once a developer has fixed the various vulnerabilities, he can push the updated code to the code repository and the whole process begins again. With this transparent self-service model, developers are able to navigate security requirements and adapt their code accordingly, rather than wait until they’ve nearly finalized a release-ready product to discover their app’s vulnerabilities.
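As an added example, not code from this article or from the Deloitte Digital solution it describes, the following Python script shows what the static code analyzer step of that loop looks like in miniature: a rule set covering the weakness areas the text names (data storage, transport, logging of sensitive values, hardcoded secrets), a scan over a constructed Android-style sample project, a developer-facing report that gives the file, line, rule and a recommended fix, and a build gate the continuous integration server can use to fail the build until the high-severity findings are resolved. The rule ids, severities, file paths and Java snippets are all constructed for this example; a real analyzer works on a parsed representation of the code rather than line regexes, which are used here only to keep the example short.

```python
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str
    pattern: re.Pattern
    severity: str           # constructed scale: "HIGH" or "MEDIUM"
    description: str
    recommendation: str


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    path: str
    line: int
    description: str
    recommendation: str


# Constructed rule set (hypothetical ids); the Android constants and Log API it
# looks for are real, the rules themselves are not from any particular tool.
RULES = [
    Rule("MOB-STORAGE-001", re.compile(r"MODE_WORLD_(READABLE|WRITEABLE)"), "HIGH",
         "File opened with a world-accessible mode",
         "Use Context.MODE_PRIVATE so other apps on the device cannot read the file."),
    Rule("MOB-NET-001", re.compile(r"[\"']http://[^\"'\s]+"), "MEDIUM",
         "Cleartext HTTP URL",
         "Use https:// so data in transit is protected by TLS."),
    Rule("MOB-LOG-001", re.compile(r"Log\.[dviwe]\s*\(.*(password|token|ssn)", re.IGNORECASE),
         "HIGH", "Sensitive value written to the device log",
         "Remove or redact the value; device logs are readable by debugging tools."),
    Rule("MOB-SECRET-001",
         re.compile(r"(api[_-]?key|secret|password)\s*=\s*[\"'][^\"']{8,}[\"']", re.IGNORECASE),
         "HIGH", "Hardcoded credential in source",
         "Load secrets at runtime from a protected store instead of embedding them."),
]


def scan_source(path, text):
    """Scan one file; return a Finding per (line, rule) hit, in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip().startswith("//"):
            continue  # skip single-line comments so commented-out code is not flagged
        for rule in RULES:
            if rule.pattern.search(line):
                findings.append(Finding(rule.rule_id, rule.severity, path, lineno,
                                        rule.description, rule.recommendation))
    return findings


def scan_project(files):
    """files: {relative path: source text}. Paths are scanned in sorted order."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_source(path, files[path]))
    return findings


def format_report(findings):
    """Developer-facing report: where each vulnerability is and how to fix it."""
    lines = []
    for f in findings:
        lines.append(f"{f.path}:{f.line} [{f.severity}] {f.rule_id}: {f.description}")
        lines.append(f"    fix: {f.recommendation}")
    return "\n".join(lines)


def build_gate(findings, fail_on=("HIGH",)):
    """True when the CI build may pass; False when a blocking severity is present."""
    return not any(f.severity in fail_on for f in findings)


# Constructed sample project (hypothetical paths, package and host names).
SAMPLE_PROJECT = {
    "app/src/main/java/gov/example/Storage.java": """\
package gov.example;
public class Storage {
    void save(Context ctx, String data) throws Exception {
        FileOutputStream out = ctx.openFileOutput("notes.txt", Context.MODE_WORLD_READABLE);
        out.write(data.getBytes());
    }
}
""",
    "app/src/main/java/gov/example/Api.java": """\
package gov.example;
public class Api {
    static final String BASE = "http://api.example.gov/v1";
    static final String API_KEY = "0123456789abcdef";
    // TODO: remove before release: Log.d("Api", "password=" + pw);
    void login(String user, String token) {
        Log.d("Api", "login token: " + token);
    }
}
""",
}

if __name__ == "__main__":
    results = scan_project(SAMPLE_PROJECT)
    print(format_report(results))
    sys.exit(0 if build_gate(results) else 1)
```

Run stand-alone, the script prints four findings for the sample project and exits with status 1, which is the signal a continuous integration server uses to mark the change as failed; once the developer applies the recommended fixes and pushes again, the same scan yields no HIGH findings and the gate lets the build through.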
In an age where cyber-attacks and data breaches have become commonplace, it’s necessary to be proactive about protecting every part of our devices that contains or accesses sensitive information. Mobile app vetting is one more way of helping to protect government and personal data, and with a self-service app vetting solution, developers can be part of that process.
(1) Source: http://techcrunch.com/2015/06/08/itunes-app-store-passes-1-5m-apps-100b-downloads-30b-paid-to-developers/