IBM attacks app design to bolster mobile security
Extension of IBM AppScan tailored for testing Android OS apps before they are released to get ahead of the mobile malware curve
By Antone Gonsalves
June 05, 2012 — CSO — The place to start to bolster security in mobile applications is in the development stage. Catch and fix vulnerabilities then and the final product will be more difficult for hackers to penetrate.
IBM on Tuesday unveiled software specifically tailored for testing apps that run on Android-powered smartphones and tablets. The new product is an extension of IBM AppScan, formerly called Rational AppScan.
Until now, testing tools used in building client-side software that run on a personal computer are incapable of evaluating flaws in mobile applications. One reason is mobile platforms often use languages specific to the environment. Another is that the testing tools have to understand the mobile framework, including the application programming interfaces (API) used to support the software.
[See also: Mobile leads in malware resurgence for 2012]
IBM said it has addressed these requirements.
"The pitch we've been giving, and many people have been giving for years now, is do lots of scanning and do it early in the development lifecycle, because it costs you less to fix problems," Caleb Barlow, director of application, data and mobile security at IBM, said.
IBM's product goes beyond competing software from Veracode and Cenzic by testing the application source code that runs on the mobile device and the services that software talks to on the backend. These two types of testing are often referred to as static and dynamic, respectively.
"At this point, what is unique with IBM's solution is the combination of static and dynamic techniques applied at the same time, which is really the best way to test a mobile application," Gartner analyst Neil MacDonald said.
Mobile applications are not new, but vendors are just starting to develop tools that address the uniqueness of the software, MacDonald said.
"What's new is the realization that these need to be tested every bit as much as any other enterprise application," he said. "And that the testing tools that [companies] currently might have are not well suited for testing mobile applications."
Vulnerabilities that occur as a result of developer mistakes include an app's mishandling of encryption keys or personal identifiable information, MacDonald said. Mistakes are often made in developing against APIs, so the app exposes too much information.
IBM has integrated AppScan with Q1 Radar, the company's security-event management product. Acquired last fall with the purchase of Q1 Labs, Q1 Radar collects log data from applications in production and watches for events that would indicate a possible attack.
While such products are useful in defending against hackers trying to penetrate a corporate network, the integration between Q1 Radar and AppScan are likely a nice-to-have versus a must-have by most companies, which prefer to fix vulnerabilities as they are uncovered.
"[Companies] tend to prioritize based on the severity of the vulnerability and the type of information that might be exposed, not from what they are seeing on Q1 Radar," MacDonald said.
Mobile app testing will be available Monday in the Source and Enterprise editions of AppScan.
Read more about application security in CSOonline's Application Security section.