By Brian Reed, Chief Mobility Officer at NowSecure
Mobile apps drive over 70% of internet traffic and consume 88% of all mobile time, making them essential for organizations seeking to boost revenue, connect with customers and gain insights to improve products and services. At the same time, the rise in mobile app traffic increases risk for organizations that fail to prioritize security. This puts pressure on mobile app developers to rapidly develop and deliver high-quality, secure mobile apps that drive innovation and meet the needs of the business.
To manage the risks of the mobile threat landscape, the Open Web Application Security Project (OWASP) developed the Mobile Application Security (MAS) flagship project to establish a common foundation for mobile app security requirements. In addition to providing industry standards, OWASP MAS educates mobile app devs, architects, security analysts, and security engineers about the necessary tools, techniques, and methodologies required to ensure the security of mobile apps across the entire development lifecycle and through production operations.
Mobile app devs should understand the main principles of the OWASP MAS project and the most common mobile app security issues so they can consistently design, build, and test mobile apps with security in mind. Teams that build against the OWASP MAS standards frequently report higher performance, efficiency, and release predictability while reducing risk.
The Core Components of OWASP MAS
Mobile app devs that want to secure their mobile apps should apply the three main components of OWASP MAS project:
- Mobile Application Security Verification Standard (MASVS): OWASP created the MASVS to provide a comprehensive list of requirements mobile app devs can use to ensure Android and iOS mobile apps maintain an adequate level of security. The requirements satisfy three key objectives:
- Use as guidance – Provide security guidance during all phases of mobile app development and testing;
- Use as a metric – Provide a security standard against which mobile apps can be compared by developers and application owners;
- Use during procurement – Provide a baseline for mobile app security verification.
- Mobile Application Security Testing Guide (MASTG): This manual maps the MASVS requirements to concrete test cases and explains the techniques behind them, including static and dynamic analysis, reverse engineering and tampering, and Android- and iOS-specific testing. Devs can use it to understand how their code will be attacked and to verify their own work, while security analysts use the same test cases for vulnerability assessment, penetration testing, and risk assessment.
- Mobile Application Security (MAS) Checklist: Mobile app devs can access the MAS checklist to ensure their mobile apps get tested across all categories specified by MASVS. These categories are architecture, design and threat modeling; data storage and privacy; cryptography; authentication and session management; network communication; platform interaction; code quality and build settings; and resilience against reverse engineering and tampering.
Mobile AppSec Issues to Know
To create the most effective standards-based mobile AppSec strategy, devs should familiarize themselves with the most common issues found in insecure mobile apps.
- Improper Data Storage: NowSecure research finds that 50% of mobile apps tested against MASVS improperly store Personally Identifiable Information (PII). This has serious implications for apps in highly regulated industries such as finance and healthcare, where a breach carries legal as well as reputational consequences. Passwords, cryptographic keys, session tokens, and other credentials belong in the platform's protected storage (the Android Keystore and the iOS Keychain) as the MASVS data storage requirements describe, never in plaintext files, SharedPreferences or NSUserDefaults, or hard-coded in the binary. Sensitive inputs should never be cached, written to application logs, or exposed through keyboard caches, device backups, or task-switcher screenshots, and devs should rely on the operating system's own storage protections rather than custom schemes.
- Weak Cryptography: Weak or outdated algorithms (DES, RC4, AES in ECB mode, MD5 or SHA-1 for integrity), hard-coded keys, and non-cryptographic random number generators such as java.util.Random are easy for a threat actor armed with reverse engineering tools to recover or bypass, creating opportunities to steal PII with ease. Devs should use current, vetted primitives from the platform's crypto APIs (for example AES-GCM for symmetric encryption) in both first- and third-party code, draw IVs, nonces, and any app-generated secrets from a cryptographically secure random number generator (SecureRandom on Android, SecRandomCopyBytes on iOS), and keep long-lived keys in hardware-backed storage. White-box cryptography belongs only where a key must ship inside the app and cannot live in the Keystore or Keychain; it raises the cost of extracting that key but is not a substitute for keeping keys out of the binary.
- Weak Authentication & Session Mgmt: Sessions that never expire, or that the server fails to invalidate on logout, make it easy for attackers to reuse a stolen token. Devs should expire idle sessions after a short inactivity timeout, revoke the token server-side on logout, and make sure sensitive screens stay hidden when users push the app to the background (FLAG_SECURE on Android; covering the window before the system snapshots it on iOS). Authentication and authorization decisions must be enforced by the back end, not only in the client, because a threat actor who reverse engineers the app can patch out client-side checks, uncover the session management mechanism, and forge their own credentials.
- Insecure Network Communications: When communication between the mobile app and remote service endpoints lacks encryption, or the app accepts any certificate it is offered, threat actors on the same network can intercept PII. Much like improper data storage, insecure network connections are particularly concerning for apps in highly regulated industries. All traffic should use TLS 1.2 or later with the platform's default certificate validation left intact; custom TrustManagers or URLSession delegates that accept every certificate are a common root cause of findings. Certificate or public-key pinning adds assurance that the app only talks to the intended server, so sensitive data doesn't fall into the wrong hands even when a device trusts a rogue CA, but it needs a backup pin and a rotation plan or a routine certificate renewal will lock users out. Devs should use the Android and iOS security APIs (Network Security Configuration, App Transport Security) rather than rolling their own transport encryption.
- Poor Code Quality and Build Settings: NowSecure benchmark testing finds that 47% of mobile apps have code quality issues, which can lead to major security breaches if left unchecked. These range from debuggable release builds, debug symbols, or verbose logging left in the shipped binary, to memory-safety and logic bugs in unverified third-party libraries. Devs should learn secure coding techniques to avoid flaws in their own code, ship release builds with debugging disabled and compiler hardening enabled, and consistently inventory, review, and update third-party libraries.
- Lack of Resiliency against Reverse Engineering: Healthcare, financial services, and gaming apps are subject to extensive reverse-engineering attempts by some of the world's most skilled and persistent threat actors. App owners and build engineers should obfuscate and strip release builds, either with open-source tooling (R8/ProGuard on Android) or with commercial tools, and add runtime tamper detection: checks for an attached debugger, a rooted or jailbroken device, an emulator, or a repackaged binary whose signature no longer matches, with telemetry so that apps released into the wild can be monitored. Finally, app owners need a server-side kill switch that can shut down, or at least deprecate the functionality of, app versions that have been compromised. These controls raise the cost of attack rather than prevent it, which is why MASVS treats resilience as defense in depth on top of, not instead of, the other categories.
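To illustrate the session management advice above on Android, here is an added example that is not code from the article or from NowSecure: a base Activity that hides its content from screenshots and the task-switcher snapshot and ends the session after a period of inactivity. The SecureActivity name, the five-minute INACTIVITY_TIMEOUT_MS value, and the onSessionExpired() hook are assumptions made for this example; it assumes the AndroidX AppCompat library.

```kotlin
import android.os.Bundle
import android.os.Handler
import android.os.Looper
import android.os.SystemClock
import android.view.WindowManager
import androidx.appcompat.app.AppCompatActivity

// Added example (not from the article or NowSecure). Subclasses implement
// onSessionExpired() to wipe local credentials AND call the back end to revoke
// the token: a timeout enforced only in the client can be patched out, so the
// server must also expire sessions on its own clock.
abstract class SecureActivity : AppCompatActivity() {
    private val handler = Handler(Looper.getMainLooper())
    private val expireSession = Runnable { onSessionExpired() }
    private var lastInteractionAt = 0L // elapsedRealtime() of the last touch/key event

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // FLAG_SECURE renders the window blank in screenshots, screen recordings
        // and the recents snapshot the system takes when the app is backgrounded.
        window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )
    }

    override fun onResume() {
        super.onResume()
        val now = SystemClock.elapsedRealtime()
        val idle = if (lastInteractionAt == 0L) 0L else now - lastInteractionAt
        if (idle >= INACTIVITY_TIMEOUT_MS) {
            // The app sat in the background past the limit: treat the session as expired.
            onSessionExpired()
            return
        }
        if (lastInteractionAt == 0L) lastInteractionAt = now
        handler.removeCallbacks(expireSession)
        handler.postDelayed(expireSession, INACTIVITY_TIMEOUT_MS - idle)
    }

    override fun onPause() {
        super.onPause()
        // Stop the timer while backgrounded; onResume re-evaluates elapsed idle time.
        handler.removeCallbacks(expireSession)
    }

    // The framework calls this for every touch or key event delivered to the activity.
    override fun onUserInteraction() {
        super.onUserInteraction()
        lastInteractionAt = SystemClock.elapsedRealtime()
        handler.removeCallbacks(expireSession)
        handler.postDelayed(expireSession, INACTIVITY_TIMEOUT_MS)
    }

    // Subclasses clear local credentials, call the server's logout/revoke endpoint
    // and navigate back to the login screen.
    protected abstract fun onSessionExpired()

    private companion object {
        const val INACTIVITY_TIMEOUT_MS = 5L * 60 * 1000 // 5 minutes (assumption)
    }
}
```

Using elapsedRealtime rather than wall-clock time means a user cannot extend the session by changing the device clock, and checking idle time in onResume catches the common case where the app is backgrounded for hours and then brought back with the old session still live.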
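For the network communication advice above, the following is an added example that is not code from the article or from NowSecure. It pins the server's public key with OkHttp 4's CertificatePinner on top of the platform's normal certificate validation. The host api.example.com, the /v1/profile path, and both pin values are placeholders assumed for this example; the pins must be replaced with the base64 SHA-256 of your server's Subject Public Key Info, obtained out of band.

```kotlin
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient
import okhttp3.Request
import java.security.cert.X509Certificate
import java.util.concurrent.TimeUnit

// Added example (not from the article or NowSecure) using OkHttp 4.
// API_HOST, the endpoint path and both pins are placeholders.
object PinnedApi {
    private const val API_HOST = "api.example.com"

    // Pin the SPKI hash of the leaf or of an intermediate CA you control, and always
    // ship a second pin for the key you will rotate to: with a single pin, a routine
    // certificate rotation locks every installed copy of the app out of the API.
    private val pinner: CertificatePinner = CertificatePinner.Builder()
        .add(API_HOST, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=") // current key (placeholder)
        .add(API_HOST, "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=") // backup key (placeholder)
        .build()

    // Platform chain validation stays in place; pinning is an extra check on top of it.
    // Never pair this with a custom TrustManager or HostnameVerifier that accepts everything.
    val client: OkHttpClient = OkHttpClient.Builder()
        .certificatePinner(pinner)
        .connectTimeout(10, TimeUnit.SECONDS)
        .build()

    // If the chain presented by the server contains none of the pinned keys, OkHttp
    // throws javax.net.ssl.SSLPeerUnverifiedException during the handshake, before the
    // Authorization header or any other application data is sent.
    fun fetchProfile(token: String): String {
        val request = Request.Builder()
            .url("https://$API_HOST/v1/profile")
            .header("Authorization", "Bearer $token")
            .build()
        client.newCall(request).execute().use { response ->
            check(response.isSuccessful) { "HTTP ${response.code}" }
            return response.body!!.string()
        }
    }

    // Derive the "sha256/..." pin string for a certificate exported from the server,
    // so pins are computed by tooling rather than typed by hand.
    fun pinFor(cert: X509Certificate): String = CertificatePinner.pin(cert)
}
```

On Android the same pins can instead be declared in res/xml/network_security_config.xml under a pin-set with an expiration date, which applies to every HTTP stack that honors the Network Security Configuration and keeps the pins out of compiled code; either way, the app should also refuse cleartext traffic so a misconfigured endpoint cannot silently fall back to http.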
Organizations can use a variety of tools and techniques to confirm that devs properly implement MASVS requirements throughout the pipeline. Integrated automated testing tools with built-in remediation tips help devs resolve security bugs quickly and efficiently. Guided testing combines the benefits of manual and automated security testing: automated testing runs continuously in the background, while a human security analyst periodically intervenes to test intricate features, such as authentication flows and business logic, that require a human touch. Adding anti-tampering measures before deployment provides an extra layer of protection by raising the cost of reverse engineering and flagging unsafe environments such as jailbroken/rooted devices or emulators. An automated policy engine can enforce MASVS-based secure development requirements as release gates from pre-production through deployment.
By following the core components of the OWASP MAS project, leveraging automated testing tools, learning secure coding practices, understanding the most common security flaws within mobile apps, and adding resiliency, devs will have the tools and skills needed to build mobile apps that are far harder to attack. Devs can learn more about how to improve the security of mobile apps with OWASP MAS by watching the NowSecure/Digital.ai webinar MASVS Team Up: Bulletproof Mobile Security from Dev Through Prod and Digital.ai's short informational video Build Secure Software.
About the author: As NowSecure Chief Mobility Officer, Brian Reed brings decades of experience in mobile, apps, security, dev, and operations management, including roles at NowSecure, Good Technology, BlackBerry, ZeroFOX, BoxTone, MicroFocus, and INTERSOLV, working with Fortune 2000 global customers, mobile trailblazers, and government agencies. At NowSecure, Brian drives the overall go-to-market strategy, solutions portfolio, marketing programs, and industry ecosystem. With more than 25 years of building innovative products and transforming businesses, Brian has a proven track record in early and mid-stage companies across multiple technology markets and regions. A noted speaker and thought leader, Brian is a compelling storyteller who brings unique insights and global experience. Brian is a graduate of Duke University.