Avast's App Triage Program Provides Free Security Assessment for Mobile Apps -- Prior To Launch

Avast Mobile Enterprise is launching a free service to help mobile app developers locate and diagnose security vulnerabilities in their apps – before they are launched. Learn how to test your app’s security – for free – with Avast’s App Triage Program.

Tags: apps, audit, Avast, BYOD, cybercrime, datajacking, hacker, malware, mobile, OWASP, ransomware, security, vulnerabilities

As mobile apps continue to penetrate the enterprise, they have also become more attractive targets to cybercriminals.

 

Avast Mobile Enterprise is launching an App Triage Program, a free service that aims to help enterprise security teams and mobile app developers locate and diagnose exposures and vulnerabilities within their apps.

 

The new App Triage Program is designed to help companies identify security gaps in their apps and safeguard them from malware, data leakage, insider threats and other datajacking attacks, according to Sinan Eren, general manager of Avast Mobile Enterprise.

 

It leverages Avast Mobile Enterprise’s deep expertise in security testing to locate exposures on both the front-end and back-end of in-house custom Android mobile apps and third-party apps in Google Play, Eren said.  “[D]evelopers generally design enterprise mobile apps with usability in mind, and security as an afterthought.  The focus on [app] usability increases the potential for flaws and vulnerabilities within the apps that can be actively exploited,” he added in a statement.

 

In a recent blog post, Dawn van Hoegaerden, senior director of corporate marketing at Avast Software, offered additional perspective on the need for thoroughly checking out apps:

We live in a world crazed by apps. There are so many apps for all activities -- and so many new apps born every day -- that it's hard to tell if it's just a digital fad that will eventually be replaced or a new, permanent fixture in our business and social lives. So it's no surprise that more and more employees turn to apps to get things done -- especially with BYOD practices in place, since they depend almost entirely on using apps to complete tasks.

We're not saying all apps are bad. They offer many advantages, notably speed and mobility. A company that effectively uses apps has a distinct competitive edge and many more options for structuring an adaptable workplace. However, using app-based solutions also invites certain vulnerabilities -- vulnerabilities that businesses are rarely aware of when they sign up. One of the problems here is a lack of knowledge about what an app actually does and doesn't do.

“Each mobile app is unique and different in any environment, and becomes more diverse or complex as it is adapted to specific organizational needs. Even third-party apps are often tweaked during enterprise implementation,” Eren noted.

 

By conducting a full security audit of each individual mobile app, the program provides companies with valuable vulnerability information.

 

Under the Covers: A Deeper Look at Avast’s App Triage Program

Avast’s App Triage Program conducts a full security audit of each individual mobile app. After the audit is complete, the program delivers a report outlining valuable vulnerability information, such as known security flaws and vulnerabilities, the rated severity of the flaws, and recommendations on how to remove these vulnerabilities – or ways to best protect them from being exploited.

 

Identifiable flaws map to many top security gaps, and align with many top threats outlined by the OWASP Mobile Security Project. These include:

  • Lack of account lockout
  • Vulnerability to reverse engineering attack
  • Authentication bypass
  • Hardcoded passwords and other sensitive information
  • Insecure storage
  • Insecure configurations

 

Avast’s App Triage Program looks for and locates some of the most dangerous – and often overlooked – reasons for security lapses in mobile apps, including:

Security of SSL/TLS Deployment: identifies issues in SSL/TLS including man-in-the-middle detection, certificate pinning, transport layer security extensions and configuration options, certificate authority root validation, and incorrect use of embedded certificates and private keys.

 

Insecure storage of sensitive information: assesses the handling of stored personal and private information by apps and APIs connecting apps to back-end servers.

 

Insecure uses of cryptography: evaluates the security of the deployment and underlying cryptographic algorithms in mobile apps in-transit and at-rest.

 

Insecure Server API Authorization/Authentication mechanisms and credential storage: identifies flawed, non-existent or weak authentication methods that expose sensitive user information.

 

Server API Web-related vulnerabilities: identifies common web app vulnerabilities present in back-end/cloud services connected to the mobile app including SQL injection, cross-site scripting and cross-site request forgery.

Developers and security professionals can submit a mobile app for a free audit on the Avast App Triage Program page (registration required).



