Appdome: How to Shift Left Security and Build Secure Mobile Apps From the Start
It’s simply not enough to pit your traditional application security toolkit against today’s advanced threats, especially those attacks that target APIs or mobile platforms. Bolstering your CI/CD pipeline by introducing more advanced and accurate SAST, SCA, IAST, and DAST will most certainly improve your security posture, but the journey does not end there. There are attacks and use cases that need careful consideration for how you approach security. Appdome believes it has those unknown challenges addressed and can significantly improve your application security program with very little effort from your development and security team, a welcome change from solutions that required a good bit of work to introduce problem-free into your code base four years ago.
Appdome’s technology team, led by Founder and Chief Technology Officer Avi Yehuda, has been delivering enterprise-grade mobile app security solutions since 2016. The company's mission is to "make mobile app defense easier on developers and harder on hackers, fraud, malware, and cheats." Chris Roeckl, who shared an hour of his day with me for this interview, is Appdome’s Chief Product Officer. Chris joined Appdome over seven years ago with deep experience in enterprise mobility, networking, and security. He came to Appdome from Pulse Secure, a leader in mobility and secure access solutions, and before that served at companies including NetScreen Technologies, Fortinet, and AirMagnet, which was acquired by Fluke Networks. Appdome's flagship product is a no-code mobile app security platform that enables developers to add over 300 security features to their Android and iOS apps with just a few clicks. The platform includes a wide range of security features, such as app hardening, code obfuscation, data encryption, anti-tampering, anti-fraud, malware prevention, and threat detection and response. Appdome's customers include some of the leading organizations in a variety of industries, including financial services, healthcare, hospitality, retail, gaming, and government.
Chris shared some of the more advanced attacks in the last couple of years and the work Appdome is doing to provide seamless and intuitive protection to their customers. One of the attacks that I find alarming and ubiquitous is the screen overlay attack, in which a malicious application displays a malicious or fake overlay on top of other legitimate app screens or buttons, tricking the user into interacting with the malicious content instead of the intended interface. This can lead to unauthorized access to sensitive information or harmful actions performed without the user's consent. Appdome offers protection against overlay attacks and other malware by enabling developers or app sec teams to implement specific protections on its platform in just a few clicks or an API call – no coding required. Each protection leverages a wide variety of detection mechanisms embedded throughout the app, and protections can be applied in any combination required by its customers.
For example, a typical customer might implement data encryption and MitM protection to protect customer data at rest and in transit, jailbreak/root detection to ensure the app runs in a safe environment, and code obfuscation to make it more difficult for attackers to understand and modify the code. This can be combined with runtime integrity protection to monitor the apps for any signs of tampering, prevent code injection or memory modification, and create specific protections against harmful hacking tools and frameworks like Frida and Magisk, which are powerful frameworks used by cybercriminals to modify apps at runtime. If Appdome’s in-app protections detect tampering or any other threat, the app will automatically protect itself by exiting and displaying a notification to the user. Appdome also offers a variety of other enforcement or remediation actions for customers who want more control over the user experience when threats are detected.
Appdome was one of the pioneers in offering proactive and defensive protection against mobile malware such as BrasDex, Xenomorph, StrandHogg, and others as well as protections against abuse of mobile app functions such as accessibility service or permission abuse, which is especially helpful in defending against sophisticated threats that mimic human actions or are disguised or concealed within the normal behavior of mobile applications.
Lastly, Appdome uses a technique called "whitelisting" to protect users from accessibility attacks. This technique involves creating a list of trusted accessibility apps that are allowed to overlay other apps. Appdome's whitelisting feature ensures that only trusted apps are allowed to control accessibility services, which helps to prevent screen overlay and other forms of attacks using accessibility. Chris goes on to say that along with covering for detection of these accessibility services, they give developers the power to specify two things within that protection. Firstly, it can display a pop-up message that will give a notification that says, “hey, accessibility services are being accessed… Is this something that you want to happen?” These screen overlay attacks take advantage of accessibility services, such as reading text aloud. Secondly, which is a very attractive capability, it allows the developer to specify access to known accessibility services that are trusted, define them as a whitelist, and give the mobile end user the knowledge that says, “hey, I understand that you're trying to use an accessibility service, but the one that you picked doesn't work with our app because we're trying to keep you safe.”
So how do mobile developers or app sec teams take advantage of Appdome and incorporate it into mobile applications? Chris explained it’s very simple and showed me a very intuitive and modern UI that has noticeably improved since I used it three years ago. It’s a straightforward process:
- Create an Appdome account.
- Add your mobile app binary to your account.
- Select the security features that you want to implement into your app.
- Click Build My App or issue an API call within your DevOps CI/CD workflow and within minutes the app is protected.
Appdome also offers many integrations with popular CI/CD tools, such as Jenkins and CircleCI. This makes it easy to automate the integration of Appdome into your mobile development workflow with minimal disruption to operations.
When we spoke about the future and what Appdome has in store, Appdome shared the power of its Security Release Management (SRM) and Build2Test DevOps platform features and the value they can bring to an organization. Its mobile threat intelligence solutions also provide features that help organizations improve their mobile app security posture. These products are:
- ThreatScope Mobile XDR: Provides organizations with visibility into the security posture of their mobile apps in real time. This includes detecting and responding to threats such as malware, data breaches, and fraud.
- Threat-Events UX/UI Control: Allows organizations to control how users interact with their mobile apps in response to security events. This can be used to prevent users from taking actions that could compromise the security of their apps.
In closing, Appdome is a platform that automates and secures the mobile app development and release process. It provides a centralized dashboard for managing all aspects of mobile app security:
- Security policy management: Allows organizations to define and manage security policies for their mobile apps that can be used to ensure that all apps are protected with the same security features, regardless of the development team or CI/CD pipeline.
- Security testing: Integrates with a variety of security testing tools to provide organizations with a comprehensive view of the security posture of their mobile apps, including testing for vulnerabilities, compliance violations, and performance issues.
- Security release management: Automates the process of releasing secure mobile apps to production by building, testing, and deploying apps with the required security features.
Interview with Chris Roeckl from Appdome, October 2023
After an hour-long meeting with Appdome, it was clear, for a number of reasons, why Chris mentioned that Appdome is a leader in mobile application protection (MAP). Appdome was the first MAP vendor to offer a no-code solution, making it easy for developers of all skill levels to add security to their mobile apps. It was the first MAP vendor to offer a unified platform for mobile app security, anti-fraud, anti-cheat, MitM attack prevention, and code obfuscation, making it easy for organizations to manage all aspects of their mobile app security from a single platform. Finally, Appdome was the first MAP vendor to offer integration with popular CI/CD pipelines, significantly improving the automation of security integration into the mobile app development process.