IBM Focuses on iOS App Security With New AppScan Release

IBM's MobileFirst initiative is putting a focus on iOS application security with the release of a new product aimed at developers.

With IBM AppScan Source 8.7 for iOS, the company is looking to improve the security quality of iOS applications without sacrificing time-to-market. The move follows the release of IBM AppScan for apps running on Google Android.

According to IBM, IBM AppScan Source 8.7 for iOS includes complete language support for Objective-C, JavaScript and Java and is compliant with both the Federal Information Processing Standards (FIPS) Publication 140-2 and Internet Protocol version 6 (IPv6). It also supports thousands of mobile security application programming interfaces (APIs), with the API profiles being added to the IBM AppScan Source Security Knowledgebase and tied to the analysis engine.

"The real power of AppScan arises from how it performs vulnerability analysis - by using the full trace analysis technique," explained Vijay Dheap, mobile security strategist at IBM. "Essentially it traces the data flows within an application - data sources to data sinks. In order to perform this type of analysis we have had to perform security analysis on 20,000-plus APIs for iOS - similar to the research we did for Android's 20,000-plus APIs."

Not only does this help developers understand where in the app vulnerabilities may arise, it also gives developers and security analysts awareness of the role specific API calls play in leading to a vulnerability, he said. Additionally, this approach reduces the number of false positives.

"In short development lifecycles developers can prioritize fixing vulnerabilities rather than being overwhelmed by just verifying if a vulnerability is real. Having a grasp of the APIs and why its use is causing a vulnerability, the developer learns for future development activities, improving developer productivity with each iteration," Dheap said. "Another key differentiator of the AppScan solution is that it automates the process of vulnerability analysis so that it can be seamlessly incorporated into the software development lifecycle."

AppScan also captures data entering at various points such as log files and property lists and uses several rules to detect client data injection vulnerabilities, Dheap said.

"Over the last four years, KiwiTech has developed hundreds of iOS and Android mobile applications for organizations around the world. As the risk from mobile malware and data leakage grows, our customers are looking for ways to secure their iOS and Android applications and protect corporate data," said Rakesh Gupta, Chief Executive Officer at KiwiTech, in a statement. "The new IBM AppScan product will allow us to proactively secure mobile applications and automate security testing to ensure our customers can keep pace with constant updates."

IBM AppScan Source 8.7 for iOS will be available March 25th.