February 24, 2020

    How to Protect Mobile Applications from Risks Identified in the OWASP Mobile Top 10 and MASVS

    As you may know, the OWASP Mobile Security Project is an output of the the Open Web Application Security Project. OWASP is best known for publicizing reliable content about emerging vulnerabilities in the web application space. The OWASP Mobile Security Project, or MSP for short, formalizes security requirements and best practices within the mobile application domain. 

    In this blog post, I’ll explain why runtime application self-protection (RASP) and code hardening are both necessary to defend against key security risks outlined in the OWASP “Mobile Top 10” and Mobile Application Security Verification Standard (MASVS).

    I’ll share my perspective on the significance of OWASP as a community, the OWASP Mobile Security Project and the OWASP “Mobile Top 10” and MASVS. I  also offer context into how RASP and code hardening specifically remediate each of the vulnerabilities they map to, in accordance with OWASP documentation, to enforce industry best practices and fortify the security posture of mobile applications and SDKs.

    Why the OWASP Mobile Security Project Matters

    The internet is saturated with conflicting information when it comes to mobile security. This makes it challenging, even for security professionals,  to find reliable information. The OWASP Mobile Security Project—specifically the “Mobile Top 10” and “MASVS”—provide reliable frameworks that can act as vital resources when identifying and remediating mobile application vulnerabilities.

    What are the OWASP “Mobile Top 10” and MASVS?

    The OWASP "Mobile Top 10" is a succinct list of the most commonly found risks in the mobile application environment. Many of these security risks arise from a lack of understanding or difficulty implementing; security best practices. The OWASP "Mobile Top 10" serves as an excellent blueprint for developers who want to prioritize security within their mobile application environment but are unsure of where to begin.

    To view a full copy of the OWASP “Mobile Top 10”, click here. The MASVS is available here.

    So what is the difference between the two?

    The Mobile Top 10 can be thought of as the tip of the iceberg. It’s a list of the top 10 categories of security risks that are recommended to prioritize first when approaching mobile application security. In other words, it’s a good starting point for mobile app security, but there’s a bigger picture to be aware of as well.

    The Mobile Application Security Verification Standard, or MASVS, can be thought of as “the rest of the iceberg.” The MASVS is a more complete list of other security risks found in the mobile application space that don’t fall into the "Mobile Top 10." Many, if not all, identified risks are a byproduct of coding that doesn’t adhere to security best practices. The MASVS seeks to highlight these gaps and provide dependable mitigations for the risks they bring about. 

    One of the best ways to protect against several major risks covered by the Mobile Top 10 and MASVS is to implement a combination of runtime application self-protection (RASP) and code hardening, as we’ll explain in more detail below.

    First, let’s go over some definitions quickly.

    How Runtime Application Self-Protection Protects Mobile Apps

    Mobile applications represent a large and rapidly growing attack surface. The tools and techniques used to compromise these environments are constantly evolving. Dynamic attacks allow adversaries the ability to enumerate more and exploit applications faster. These exploits can have a hugely negative impact on affected organizations – as well as mobile app end-users.

    Runtime application self protection (RASP); is security strategy that makes use of runtime instrumentation to provide advanced detection of real-time indicators of threat and compromise. It does this by taking advantage of information from inside the running application. RASP can provide detection for jailbreaking, rooting, hooking and code tampering, in addition to obstruction for debugger and emulator attachments. In other words, RASP provides runtime detection for attacks.

    Not all RASP solutions are created equally, however, so it is very important to understand the must-have features you are looking for. Top vendors offer RASP libraries that help prevent a huge array of dynamic attack vectors by providing both detection and obstruction for indicators of threat, including:

    • hooking

    • jailbreaking

    • rooting

    • code tampering

    • debugger and emulator attachments of all types

    The protection enabled by RASP ensures dynamic (online) attacks remain infeasible for attackers. It also  prevents them from gathering information about the functioning of applications, diminishing their ability to stage more sophisticated attacks.

    How Code Hardening Protects Mobile Apps

    Unprotected Android and iOS applications and SDKs can be reverse engineered with trivial effort using readily available disassemblers and/or decompilers. Using these tools, attackers can access and analyze the source code of mobile applications.

    This allows for a broad range of abuse, including:

    • theft of valuable code

    • cloning of your applications

    • extraction of sensitive information such as API keys and credentials

    • adding malicious code to applications and repackaging them

    Code hardening is a broad category that includes several strategies to defend against these types of attacks. Code hardening is an effective way of protecting both Android and iOS mobile apps against reverse engineering and hacking.

    Code hardening means strengthening and protecting mobile application code at several levels using multiple layers of obfuscation and encryption. Hardened code is resistant to both automated and manual analysis.

    How RASP and Code Hardening Map to the “Mobile Top 10” MASVS

    Sophisticated mobile application security providers like Guardsquare can help defend against three of the security risks published in the OWASP "Mobile Top 10":

    • Insecure Communications (M3)

    • Reverse Engineering (M8)

    • Code Tampering (M9)

    Guardsquare also helps organizations protect against additional insecurities highlighted in the MASVS using a combination of RASP and code hardening. 

    Let’s take a look at how this works in more detail.

    Mapping Code Hardening to the "Mobile Top 10"

    The table below maps code hardening solutions to the "Mobile Top 10" by showing which security risks the software can help defend against. A description of how the software maps to each security risk found in the OWASP "Mobile Top 10" is included.



    What Code Hardening Protects Against

    Vulnerability

    Solution

    M3: Insecure Communication

     

     

    The code hardening measures implemented by DexGuard and iXGuard add additional layers of protection to SSL pinning implementations. These measures cannot correct faulty SSL configuration; they ensure the certificate checks cannot be removed or tampered with, preventing malicious actors from analyzing network traffic through man-in-the-middle (MITM) attacks. 

    M8: Code Tampering

     

     

    DexGuard and iXGuard’s layered code hardening effectively prevents third parties from gaining access to the source code of Android and iOS applications and from modifying it. The applied hardening techniques also ensure the implemented RASP mechanisms (see below) are not removed or tampered with so that they can fully protect applications against attempts to modify their behavior at runtime.

    M9: Reverse Engineering

     

     

    he multiple code hardening techniques DexGuard and iXGuard deploy make it virtually impossible to reverse engineer applications and gain insight into their internal logic. The combined protection offered by techniques such as name obfuscation, string encryption, control flow obfuscation and code virtualization effectively prevent unauthorized parties from finding and exploiting vulnerabilities in the code, stealing IP or extracting sensitive information from it, such as API keys or cryptographic constants and ciphers.

     

    Mapping RASP to the "Mobile Top 10"

    The table provided below maps RASP solutions to the "Mobile Top 10” by showing which security risks the software helps defend against.  Also included is a description of how the software maps to each security risk found in the OWASP "Mobile Top 10.”



    What RASP Protects Against

    Vulnerability

    Solution

    M3: Insecure Communication

    The first step to address insecure communication is to properly configure all networks. From there, DexGuard and iXGuard's runtime protection mechanisms, specifically root or jailbreak detection and hook detection, ensure key aspects of the implementation are protected against tampering. Both DexGuard and iXGuard add specific RASP checks to SSL pinning implementations to prevent them from being altered or removed. The provided security measures work with the SSL pinning library included in DexGuard (Android), Apple’s native SSL library for iOS, and any third party solution.

    M8: Code Tampering

    DexGuard and iXGuard integrate a full suite of configurable integrity checks to protect applications against attempts to modify their intended behavior and alter resources and data. The combined security provided by jailbreak/root detection, hook detection and method swizzling prevention (iOS) ensures apps’ behavior is not modified at runtime. Tamper detection, repackaging detection and certificate checks enable apps and SDKs to detect unauthorized code modifications and to verify the integrity of individual files.

    M9: Reverse Engineering

    The runtime self protection mechanisms provided by DexGuard and iXGuard make dynamic analysis of applications infeasible preventing unauthorized parties from gaining insight into their inner workings. DexGuard and iXGuard’s debugger detection prevent third parties from using debugging tools to analyze specific operations by executing and halting the program at specific points. Their emulator checks make sure applications or SDKs are not being executed in an emulator

     

    On the Build vs. Buy Question for Mobile App Security

    Many development teams think they have what it takes to implement detection for dynamic attacks and protection against reverse engineering  because there is information available on the topic online. However, most teams are not prepared to build and implement a DIY solution capable of ensuring complete security for mobile apps. 

    While many teams do have the skills and experience necessary to fix Mobile Top 10 findings M1-M7 and M10, most do not have the specialized experience and know-how needed to defend against OWASP Mobile Top 10 security risks M8 and M9 (Code Tampering and Reverse Engineering). That’s where a best-in-class application security solution can both simplify the path to building a secure application and save teams money. 

    Not sure it will save money? In a cost-benefit analysis, being proactive about mobile app security is the most cost-effective strategy. Ask anyone who has “recovered” from a major breach. It’s expensive. The average cost per data breach globally is nearly $4 million. In the U.S., that figure doubles to $8 million—again, per incident. 

    For the level of protection and knowledge achieved when investing in a strong RASP and code hardening solution, the ROI is clear. The investment may run into the tens of thousands of dollars, but it will never touch the $4 million cost of the average data breach.

    In summary, only a thoughtful and complete combination of RASP and code hardening is sufficient to secure mobile apps against the full range of attacks outlined in OWASP’s Mobile Top 10 and MASVS. In the majority of cases, it’s best to buy rather than build, and to choose a sophisticated and reliable provider of layered app security. This approach is the best way to ensure apps are fully protected against the wide range of ever-changing attacks.
     

    John Butler - Solutions Engineer

    Discover how Guardsquare provides industry-leading protection for mobile apps.

    Request Pricing

    Other posts you might be interested in