Every year, OWASP releases its Top 10 of the most critical web application security risks, a powerful awareness document for web application security that represents a broad consensus about the most critical security risks to web applications. The OWASP community believes that "adopting the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code".
The Appdome Mobile Security Suite can help any mobile developer protect their app against the OWASP Mobile Top 10 risks.
Appdome’s Mobile Security Suite offers no-code, on-demand advanced app protection in 5 distinct categories. Protection against the OWASP Mobile Top 10 risks can be added to any Android or iOS app, developed in any framework including Xamarin, React Native, Cordova, Xcode and others. Developers and non-developers can bring any .ipa or .apk binary to Appdome. There, they select one or more features from the list below using a simple point-and-click UI, and click the big green Fuse My App button to add security to their Android or iOS app in seconds - no code or coding required!
Here's how Appdome's Mobile Security Suite protects mobile apps against the OWASP Mobile Top 10 risks:
M1 – Improper Platform Usage
Customers can leverage Appdome to address this requirement by Fusing one or more features from Appdome's Mobile Security Suite:
Data Loss Prevention - Encrypt all data-at-rest and control Copy/Paste behaviour.
OS Integrity - Detect when a device has been Jailbroken/Rooted and prevent installation of the Fused app.
Secure Communication - Add Trusted Session Inspection, an advanced MiTM prevention solution that also verifies the SSL connection of the Fused app.
Privacy - Blur the application screen and add an in-app pincode/fingerprint check to the Fused app.
In addition, customers can also integrate any leading EMM, MAM or MDM SDK from within Appdome's Mobility Management category, in lieu of or in addition to Appdome's security features.
And finally, every app Fused on Appdome automatically gets advanced app hardening with ONEShield by Appdome. ONEShield includes anti-debugging, anti-reversing, app integrity/structure scanning, obfuscation and more.
M2 – Insecure Data Storage
Customers can instantly add Data-at-Rest Encryption to any mobile app by simply clicking a toggle to enable the feature. When enabled, all data within the app (as well as data on the device created by the app) is encrypted so that it cannot be read in the event of a compromise. Optionally, customers can also exclude certain files or file-types from being encrypted.
M3 – Insecure Communication
Appdome's Trusted Session Inspection validates the authenticity of trusted communication sessions initiated by the app. This includes SSL certificate validation, trusted CA pinning, Man-in-the-Middle (MiTM) attack prevention, malicious proxy detection and prohibiting stale sessions from reclaiming session IDs.
M4 – Insecure Authentication & M6 – Insecure Authorization
Under Appdome’s Mobile Identity category, customers can integrate apps with their existing enterprise authentication system, choosing from the following:
1. Mobile Enterprise Authentication - Enables apps to leverage authentication schemes such as SAML, OAuth, Kerberos or Custom IdP, when accessing gated resources.
2. Cloud-Based Authentication - Instantly connect any app with your existing cloud identity provider.
3. Mobile Identity SDK integration - Integrate any app with mobile SDKs for MFA, Advanced PKI, Biometrics and more.
4. Private ID - Unique to the Appdome Identity Suite, Private ID encrypts and protects cached ID information such as cookies and credentials locally on the device.
5. Direct Broker - Unique to the Appdome Identity Suite, Direct Broker verifies ID broker redirection integrity during authentication sessions.
M5 – Insufficient Cryptography
Appdome customers can choose to implement FIPS 140-2 certified cryptographic modules for encrypting data. FIPS 140-2 can be combined with Appdome’s Data at Rest Encryption feature. Additionally, Appdome uses AES-256 in CTR mode for all Data at Rest and Obfuscation implementations.
SSL inspection strongly validates the authenticity, protocol and encryption settings of Secure Communication, including the TLS/SSL version and the encryption algorithms in use.
In-App Secrets Encryption provides seamless standard encryption for all secrets, keys, URLs and sensitive data located in your app. Many apps store such data in the clear or in poorly encrypted form.
Finally, with TOTALCODE™ Obfuscation, Appdome's proprietary binary-based obfuscation method, the entire app binary is obfuscated, including the framework and non-native files, without source code or developer implementation.
M6 – Insecure Authorization
Authorization is covered above in M4. In addition, customers can also add Complex In-App Pincode or Fingerprint Biometric Identity to Android and iOS apps.
M7 – Client Code Quality
ONEShield™ by Appdome is automatically included as part of every Fusion on Appdome. ONEShield includes Anti-Debugging, Anti-Tampering, App Integrity/structure scanning, Anti-Reversing, and Encryption of strings, resources and in-app preferences. Optionally, Appdome's TOTALCODE™ Obfuscation fully obfuscates the source code of the app as well as the SDK(s) that were Fused to the app.
M8 – Code Tampering
Anti-tampering is included with ONEShield™ by Appdome. Appdome developed multi-layered, state-of-the-art Anti-Debugging and Anti-Tampering techniques that have been pen-tested and approved by high-end third-party companies. With Appdome, any attempt to dynamically or statically tamper with the application or with Appdome’s business logic will result in unexpected behavior.
M9 - Reverse Engineering
Anti-reversing is included with ONEShield™ by Appdome. With TOTALCODE™ Obfuscation, Appdome obfuscates the application's code at the binary level, including non-native source code. This makes reverse engineering of the app impossible.
M10 – Extraneous Functionality
This requirement is covered by an app structure/integrity scan, which is automatically performed for every app uploaded to the platform.
For more info on how to protect your mobile apps against the vulnerabilities listed in the OWASP Mobile Top 10,