Exadel Leverages OWASP to Reveal Vulnerabilities in Mobile Apps

Posted: June 11th, 2018

With over 2.2 million apps in the Apple App Store and over 3.6 million in the Google Play Store, the mobile app ecosystem has grown into one of the largest industries worldwide. The near-exponential growth in available apps, however, has brought a matching growth in opportunities for attackers: security vendors report that mobile malware is now surging around the world.

Enter OWASP

To address this problem, Exadel, the parent company behind Appery.io, decided to verify mobile apps against the OWASP Mobile Application Security Verification Standard (MASVS). MASVS covers not only the application deployed to end-user devices but also the client side of its interaction with backend services: remote authentication, session management, and network communication. (The server-side infrastructure itself is the domain of the companion OWASP Application Security Verification Standard, ASVS.) As a result, the whole gamut of integration among the mobile application, remote authentication services, and Appery.io cloud platform-specific features is covered.

Using OWASP on an App

Recently, Exadel had the opportunity to review a money-making campus job app developed by two recently graduated entrepreneurs. The security team engaged for the project verified the customer’s hybrid app against the following requirements:

  • Architecture, Design, and Threat Modelling
  • Data Storage and Privacy
  • Cryptography
  • Authentication and Session Management
  • Network Communication
  • Platform Interaction
  • Code Quality and Build Settings
  • Resilience Against Reverse Engineering

After thorough testing, the security team found that the app did not meet several of these security requirements. MASVS compliance diagrams for the iOS and Android builds, along with recommendations for improvement, were provided:

OWASP MASVS compliance diagram — Appery.io iOS app

OWASP MASVS compliance diagram — Appery.io Android app

The Happy Ending

With all the recommendations addressed, the app was ready to be delivered to the market.