February 24, 2020
How to Protect Mobile Applications from Risks Identified in the OWASP Mobile Top 10 and MASVS
Written by: John Butler - Solutions Engineer
As you may know, the OWASP Mobile Security Project is an output of the the Open Web Application Security Project. OWASP is best known for publicizing reliable content about emerging vulnerabilities in the web application space. The OWASP Mobile Security Project, or MSP for short, formalizes security requirements and best practices within the mobile application domain.
In this blog post, I’ll explain why runtime application self-protection (RASP) and code hardening are both necessary to defend against key security risks outlined in the OWASP “Mobile Top 10” and Mobile Application Security Verification Standard (MASVS).
I’ll share my perspective on the significance of OWASP as a community, the OWASP Mobile Security Project and the OWASP “Mobile Top 10” and MASVS. I also offer context into how RASP and code hardening specifically remediate each of the vulnerabilities they map to, in accordance with OWASP documentation, to enforce industry best practices and fortify the security posture of mobile applications and SDKs.
Why the OWASP Mobile Security Project Matters
The internet is saturated with conflicting information when it comes to mobile security. This makes it challenging, even for security professionals, to find reliable information. The OWASP Mobile Security Project—specifically the “Mobile Top 10” and “MASVS”—provide reliable frameworks that can act as vital resources when identifying and remediating mobile application vulnerabilities.
What are the OWASP “Mobile Top 10” and MASVS?
The OWASP "Mobile Top 10" is a succinct list of the most commonly found risks in the mobile application environment. Many of these security risks arise from a lack of understanding or difficulty implementing; security best practices. The OWASP "Mobile Top 10" serves as an excellent blueprint for developers who want to prioritize security within their mobile application environment but are unsure of where to begin.
To view a full copy of the OWASP “Mobile Top 10”, click here. The MASVS is available here.
So what is the difference between the two?
The Mobile Top 10 can be thought of as the tip of the iceberg. It’s a list of the top 10 categories of security risks that are recommended to prioritize first when approaching mobile application security. In other words, it’s a good starting point for mobile app security, but there’s a bigger picture to be aware of as well.
The Mobile Application Security Verification Standard, or MASVS, can be thought of as “the rest of the iceberg.” The MASVS is a more complete list of other security risks found in the mobile application space that don’t fall into the "Mobile Top 10." Many, if not all, identified risks are a byproduct of coding that doesn’t adhere to security best practices. The MASVS seeks to highlight these gaps and provide dependable mitigations for the risks they bring about.
One of the best ways to protect against several major risks covered by the Mobile Top 10 and MASVS is to implement a combination of runtime application self-protection (RASP) and code hardening, as we’ll explain in more detail below.
First, let’s go over some definitions quickly.
How Runtime Application Self-Protection Protects Mobile Apps
Mobile applications represent a large and rapidly growing attack surface. The tools and techniques used to compromise these environments are constantly evolving. Dynamic attacks allow adversaries the ability to enumerate more and exploit applications faster. These exploits can have a hugely negative impact on affected organizations – as well as mobile app end-users.
Runtime application self protection (RASP); is security strategy that makes use of runtime instrumentation to provide advanced detection of real-time indicators of threat and compromise. It does this by taking advantage of information from inside the running application. RASP can provide detection for jailbreaking, rooting, hooking and code tampering, in addition to obstruction for debugger and emulator attachments. In other words, RASP provides runtime detection for attacks.
Not all RASP solutions are created equally, however, so it is very important to understand the must-have features you are looking for. Top vendors offer RASP libraries that help prevent a huge array of dynamic attack vectors by providing both detection and obstruction for indicators of threat, including:
-
hooking
-
jailbreaking
-
rooting
-
code tampering
-
debugger and emulator attachments of all types
The protection enabled by RASP ensures dynamic (online) attacks remain infeasible for attackers. It also prevents them from gathering information about the functioning of applications, diminishing their ability to stage more sophisticated attacks.
How Code Hardening Protects Mobile Apps
Unprotected Android and iOS applications and SDKs can be reverse engineered with trivial effort using readily available disassemblers and/or decompilers. Using these tools, attackers can access and analyze the source code of mobile applications.
This allows for a broad range of abuse, including:
-
theft of valuable code
-
cloning of your applications
-
extraction of sensitive information such as API keys and credentials
-
adding malicious code to applications and repackaging them
Code hardening is a broad category that includes several strategies to defend against these types of attacks. Code hardening is an effective way of protecting both Android and iOS mobile apps against reverse engineering and hacking.
Code hardening means strengthening and protecting mobile application code at several levels using multiple layers of obfuscation and encryption. Hardened code is resistant to both automated and manual analysis.
How RASP and Code Hardening Map to the “Mobile Top 10” MASVS
Sophisticated mobile application security providers like Guardsquare can help defend against three of the security risks published in the OWASP "Mobile Top 10":
-
Insecure Communications (M3)
-
Reverse Engineering (M8)
-
Code Tampering (M9)
Guardsquare also helps organizations protect against additional insecurities highlighted in the MASVS using a combination of RASP and code hardening.
Let’s take a look at how this works in more detail.
Mapping Code Hardening to the "Mobile Top 10"
The table below maps code hardening solutions to the "Mobile Top 10" by showing which security risks the software can help defend against. A description of how the software maps to each security risk found in the OWASP "Mobile Top 10" is included.
|
What Code Hardening Protects Against |
|
|
Vulnerability |
Solution |
|
M3: Insecure Communication |
The code hardening measures implemented by DexGuard and iXGuard add additional layers of protection to SSL pinning implementations. These measures cannot correct faulty SSL configuration; they ensure the certificate checks cannot be removed or tampered with, preventing malicious actors from analyzing network traffic through man-in-the-middle (MITM) attacks. |
|
M8: Code Tampering |
DexGuard and iXGuard’s layered code hardening effectively prevents third parties from gaining access to the source code of Android and iOS applications and from modifying it. The applied hardening techniques also ensure the implemented RASP mechanisms (see below) are not removed or tampered with so that they can fully protect applications against attempts to modify their behavior at runtime. |
|
M9: Reverse Engineering |
he multiple code hardening techniques DexGuard and iXGuard deploy make it virtually impossible to reverse engineer applications and gain insight into their internal logic. The combined protection offered by techniques such as name obfuscation, string encryption, control flow obfuscation and code virtualization effectively prevent unauthorized parties from finding and exploiting vulnerabilities in the code, stealing IP or extracting sensitive information from it, such as API keys or cryptographic constants and ciphers. |
Mapping RASP to the "Mobile Top 10"
The table provided below maps RASP solutions to the "Mobile Top 10” by showing which security risks the software helps defend against. Also included is a description of how the software maps to each security risk found in the OWASP "Mobile Top 10.”
|
What RASP Protects Against |
|
|
Vulnerability |
Solution |
|
M3: Insecure Communication |
The first step to address insecure communication is to properly configure all networks. From there, DexGuard and iXGuard's runtime protection mechanisms, specifically root or jailbreak detection and hook detection, ensure key aspects of the implementation are protected against tampering. Both DexGuard and iXGuard add specific RASP checks to SSL pinning implementations to prevent them from being altered or removed. The provided security measures work with the SSL pinning library included in DexGuard (Android), Apple’s native SSL library for iOS, and any third party solution. |
|
M8: Code Tampering |
DexGuard and iXGuard integrate a full suite of configurable integrity checks to protect applications against attempts to modify their intended behavior and alter resources and data. The combined security provided by jailbreak/root detection, hook detection and method swizzling prevention (iOS) ensures apps’ behavior is not modified at runtime. Tamper detection, repackaging detection and certificate checks enable apps and SDKs to detect unauthorized code modifications and to verify the integrity of individual files. |
|
M9: Reverse Engineering |
The runtime self protection mechanisms provided by DexGuard and iXGuard make dynamic analysis of applications infeasible preventing unauthorized parties from gaining insight into their inner workings. DexGuard and iXGuard’s debugger detection prevent third parties from using debugging tools to analyze specific operations by executing and halting the program at specific points. Their emulator checks make sure applications or SDKs are not being executed in an emulator |
On the Build vs. Buy Question for Mobile App Security
Many development teams think they have what it takes to implement detection for dynamic attacks and protection against reverse engineering because there is information available on the topic online. However, most teams are not prepared to build and implement a DIY solution capable of ensuring complete security for mobile apps.
While many teams do have the skills and experience necessary to fix Mobile Top 10 findings M1-M7 and M10, most do not have the specialized experience and know-how needed to defend against OWASP Mobile Top 10 security risks M8 and M9 (Code Tampering and Reverse Engineering). That’s where a best-in-class application security solution can both simplify the path to building a secure application and save teams money.
Not sure it will save money? In a cost-benefit analysis, being proactive about mobile app security is the most cost-effective strategy. Ask anyone who has “recovered” from a major breach. It’s expensive. The average cost per data breach globally is nearly $4 million. In the U.S., that figure doubles to $8 million—again, per incident.
For the level of protection and knowledge achieved when investing in a strong RASP and code hardening solution, the ROI is clear. The investment may run into the tens of thousands of dollars, but it will never touch the $4 million cost of the average data breach.
In summary, only a thoughtful and complete combination of RASP and code hardening is sufficient to secure mobile apps against the full range of attacks outlined in OWASP’s Mobile Top 10 and MASVS. In the majority of cases, it’s best to buy rather than build, and to choose a sophisticated and reliable provider of layered app security. This approach is the best way to ensure apps are fully protected against the wide range of ever-changing attacks.
John Butler - Solutions Engineer
Connect with the author
Other posts you might be interested in
Dexguard
11 min read
| April 17, 2024
Protecting Runtime Integrity with RASP & Threat Monitoring
Read More
Android
21 min read
| April 9, 2024
Webinar Recap: How Android Malware Works and How to Protect against It
Read More
Protection
5 min read
| April 1, 2024
