High-Tech Bridge has announced a free online service, “Mobile X-Ray”, to test mobile application security and privacy. The new service performs dynamic (DAST), static (SAST) and behavioral analysis of native and hybrid iOS and Android apps. It promptly detects a wide spectrum of the most common weaknesses and vulnerabilities, including the OWASP Mobile Top Ten, and provides a user-friendly report with remediation guidance.
Recently, Uber’s mobile app was caught with a dubious capability to silently take screenshots of the user’s phone screen. Shortly before, Equifax had to remove its mobile applications from the app stores because sensitive data could be intercepted. Now anyone can proactively detect similar problems using the free service.
Since the beginning of this year, High-Tech Bridge’s award-winning Application Security Testing (AST) platform ImmuniWeb® has offered the most comprehensive testing of mobile applications and their backends, using a hybrid security testing approach and machine learning technology. Below are 2017 statistics obtained from mobile apps tested by ImmuniWeb® Mobile:
Mobile backend:
- 88% of API and Web Services used in the mobile backend contain exploitable vulnerabilities allowing access to sensitive or even confidential data;
- 69% of API and Web Services used in the mobile backend do not have sufficient anti-automation mechanisms or protections (e.g. WAF) against common web attacks.
Android applications:
- At least one OWASP Mobile Top Ten vulnerability was found in 97% of applications;
- Over 78% of applications have at least one high and two medium risk vulnerabilities;
- Over 63% of applications have no or weak encryption when sending or receiving sensitive data;
- Every second application contains hardcoded encryption keys, credentials or other sensitive data;
- Over 56% of applications use excessive or undocumented entitlements, thus endangering privacy;
- Less than 5% of applications use anti-debugging mechanisms to impede reverse-engineering;
- Less than 30% of applications follow secure-coding best practices and guidelines.
iOS applications:
- At least one OWASP Mobile Top Ten vulnerability can be found in 85% of applications;
- Over 69% of applications have at least one high and two medium risk vulnerabilities;
- Over 50% of applications have no or weak encryption when sending or receiving sensitive data;
- Every second application contains hardcoded encryption keys, credentials or other sensitive data;
- Over 40% of applications use excessive or undocumented entitlements, thus endangering privacy;
- Less than 9% of applications use anti-debugging mechanisms to impede reverse-engineering;
- Less than 20% of applications follow secure-coding best practices and guidelines.
Ilia Kolochenko, CEO and Founder of High-Tech Bridge, says: “Mobile applications have become an inseparable part of everyday business and private life. In light of skyrocketing data breaches, many different research reports urge us to enhance mobile application security and privacy. Unfortunately, most developers just don’t have enough resources, time or budget to properly test their mobile app before going to production. At High-Tech Bridge, we are excited to fill this gap and offer a unique online service for the benefit of the cybersecurity community and independent developers.
We should, however, keep in mind that the most dangerous and detrimental vulnerabilities mainly lie in the mobile backend, which can be reliably detected using ImmuniWeb® Mobile. It also provides advanced manual testing of business logic and identifies other complicated flaws undetectable in full automation.”