Web security company High-Tech Bridge announced on Thursday the launch of a free online service that allows mobile application developers to test their iOS and Android apps.
Mobile X-Ray can test native and hybrid applications, including security and privacy aspects, using dynamic application security testing (DAST), static application security testing (SAST), data encryption testing for communications with APIs and web services, and behavioral analysis.
The service looks for the most common types of vulnerabilities, including ones covered by the OWASP Mobile Top Ten, and provides a user-friendly report that includes remediation guidance. The test results include examples of both insecure and secure code.
In the case of Android apps, developers can upload the APK to Mobile X-Ray, but iOS apps can only be tested if they are compiled as a Simulator app in Xcode.
A test scan conducted by SecurityWeek for the latest beta version of WhatsApp for Android revealed five high severity issues, including hard-coded encryption keys, the use of a weak initialization vector, the use of an intent filter, and the existence of a clear text database. While not all these weaknesses may be exploitable, the test informs developers of the potential issues they need to look into.
The assessment can take less than a minute, but it can also take up to a couple of hours, depending on application complexity and overall system workload.
“Mobile applications have become an inseparable part of everyday business and private life. In light of skyrocketing data breaches, many different research reports urge the enhancement of mobile application security and privacy,” said Ilia Kolochenko, CEO and founder of High-Tech Bridge. “Unfortunately, most developers just don’t have enough resources, time or budget to properly test their mobile app before going to production. At High-Tech Bridge, we are excited to fulfil this gap and offer a unique online service for the benefit of the cybersecurity community and independent developers.”
While the Mobile X-Ray tool can be highly useful for application developers, many critical vulnerabilities exist in backend systems, for which High-Tech Bridge recommends its ImmuniWeb Mobile product.
Data obtained by the security firm via its ImmuniWeb Mobile product shows that 88% of APIs and web services in the backend are affected by vulnerabilities that allow access to sensitive data, and 69% of APIs and web services do not include mechanisms for mitigating common web attacks.
Nearly all the Android applications tested by High-Tech Bridge had at least one vulnerability covered by the OWASP Mobile Top Ten, and more than 78% of them had at least one high and two medium risk flaws.
In the case of iOS apps, 85% were found to have at least one of the top OWASP vulnerabilities, and roughly 69% had at least one high and two medium risk security holes.