Introducing Free Mobile App Security Testing for iOS developers

The number of available iOS apps has grown consistently over the years, reaching more than 2 million apps in 2023. The App Store generated over $86B in revenue in 2022. Unfortunately, such large numbers naturally attract attackers seeking to find and exploit mobile app vulnerabilities.

There is a perception amongst iOS developers that iOS apps are more secure than their Android counterparts. However, reality does not bear this out. A recent study by Symantec found that more than 1,800 publicly available iOS and Android apps leaked AWS credentials. 98% of the apps leaking credentials were iOS apps. When it comes to mobile app security, many developers mistakenly equate platform security (the mobile device and OS) with the security of the app itself. The truth is that an unprotected mobile app is still vulnerable - even if it is running on the most secure platform. These unprotected mobile apps can lead to data breaches, unauthorized access, financial losses and even customer churn. To ensure your iOS app remains resilient against potential attacks, it is vital to conduct robust security testing prior to deployment.

This blog highlights the importance of incorporating Mobile Application Security Testing (MAST) into the development process as early as possible. It also discusses the benefits of adopting security frameworks to effectively navigate the findings. Finally, it discusses AppSweep, Guardsquare's free MAST product, and its new capability for scanning iOS applications.

The importance of mobile app security testing during software development

MAST is the process of identifying security vulnerabilities in mobile apps. Traditionally, app publishers have relied on penetration testing to check their mobile app security. Penetration testing is typically done at the end of the development process, by a third party, and can be expensive. Hence it is done very infrequently (on a yearly basis or when a major release is introduced into the market) and usually only to meet regulatory requirements. This practice is insufficient to meet the security requirements of mobile apps that have increasing complexity, may have weekly or monthly updates, and a schedule not tolerant of security risks uncovered late in the process. Pentesting usually requires a significant amount of time to complete. Failing a pentest, having to implement remediation measures and then repeat the pentest can significantly impact project schedules and costs.

A more efficient approach is to integrate MAST early in the development process, a practice known as shifting security left. With MAST, security testing is done continuously as the app is being developed. This approach has a number of benefits, including:

• Security issues are found and can be fixed earlier in the development process when they are easier and quicker to address, resulting in little to no impact on schedule and in potential cost savings.
• Prevents security issues from turning into severe vulnerabilities exploited in the wild.
• Increases the overall security awareness of the team, preventing issues from being introduced in the first place.
• It helps improve the overall security posture of the app.

OWASP and leveraging standards for mobile app security testing

Leveraging security standards like Open Worldwide Application Security Project (OWASP) provides two key benefits for development teams. The standards provide teams with a framework to develop and implement their security strategy and leverage the expertise of a large number of security professionals who are totally focused on mobile app security.

OWASP has developed a number of mobile app security testing tools and resources. These include the Mobile Application Security Verification Standard (MASVS) which provides guidelines on what security controls developers should adopt, and the Mobile Application Security Testing Guide (MASTG), which provides recommendations on developing a testing strategy for them.

Mobile application security testing with AppSweep

AppSweep is a free MAST product that helps developers find and fix security vulnerabilities in their apps. Launched more than 2 years ago, AppSweep uses a combination of analysis techniques to find vulnerabilities in an app’s code and dependencies. It has an intuitive interface, provides actionable recommendations to fix issues quickly, creates reports to let developers inform security teams about vulnerabilities, and integrates seamlessly into DevOps pipelines. Findings in AppSweep are grouped according to well-known criteria, such as security severity and OWASP MASVS categories, to make it easier for mobile developers to navigate through the issues and prioritize fixing.

New iOS scanning capabilities in AppSweep

The most recent release of AppSweep introduces support for iOS applications. This includes testing for common vulnerabilities with iOS apps, such as:

• Detecting use of insecure randomness: AppSweep checks if your app uses the secure methods provided by the Apple randomization API to avoid accidentally using cryptographically insecure methods for random number generation.
• Detecting insecure networking API calls: AppSweep checks if your app disables App Transport Security (ATS), or makes use of low-level networking APIs that are not covered by (ATS).
• Detecting usages of LocalAuthentication: AppSweep checks if the LocalAuthentication framework is used in your app. This should be avoided especially in sensitive use cases such as payment or authentication with a remote service.
• Detecting insecure or deprecated cryptographic algorithms: AppSweep checks your app for usages of common insecure or deprecated cryptographic algorithms, benchmarked against the OWASP MSTG iOS test cases.
• Detecting hardcoded passwords or salts being used to generate keys: AppSweep detects if weak cryptographic keys are being used.
• Detecting enabled logging: Log messages in the code itself can give malicious attackers a lot of information about what is happening in your app, thus easing the reverse engineering process.

Testing your iOS mobile app with AppSweep is free and easy.

• Visit the AppSweep web page and create an account
• Upload your iOS app's IPA or xcarchive file with debug symbols included
• AppSweep scans your app without a need for manual interaction. In less than 2 minutes it will show you the detected security vulnerabilities and recommended fixes.
• Navigate through the findings and resolve the issues using the actionable recommendations provided
• To get the most out of AppSweep, we recommend regularly scanning new builds of your iOS app to detect and resolve new vulnerabilities.