Amid high enterprise demand for mobile apps, Avast's App Triage Program provides a free security assessment on both the front-end and back-end of mobile apps, ensuring vulnerabilities are caught and corrected
Avast Mobile Enterprise, a division of Avast Software, maker of the world's most trusted mobile security software, today launched the Avast App Triage Program, a free service that will help enterprise security teams and mobile app developers locate and diagnose exposures and vulnerabilities within their apps. Utilizing Avast Mobile Enterprise's deep expertise in security-testing, the program will locate exposures on both the front-end and back-end of in-house custom Android mobile apps and third-party apps in Google Play.
Due to their extensive use within enterprises, mobile apps have become an attractive target to cybercriminals. Developers generally design enterprise mobile apps with usability in mind, and security as an afterthought. Although helpful for the user, the focus on usability increases the potential for flaws and vulnerabilities within the apps that can be actively exploited. Additionally, the ongoing discovery of security flaws in the two most popular mobile operating systems, such as QuadRooter in Android and Trident in Apple's iOS, demonstrates larger-scale security weaknesses in the mobile app environment.
The Avast App Triage Program stems from the Avast team's deep expertise in security-testing hardware and software, and its current focus on secure mobile app deployment. The program aims to provide companies with valuable vulnerability information by conducting a full security audit of mobile apps. Once an audit is complete, the program delivers a report outlining known security flaws and vulnerabilities, the severity of the flaws, and how best to protect the apps from exploitation. The identified flaws correlate with those outlined by the OWASP Mobile Security Project, which include lack of account lockout, vulnerability to reverse engineering attack, authentication bypass, hardcoded passwords and other sensitive information, as well as insecure storage and insecure configurations.
"Each mobile app is unique and different in any environment, and becomes more diverse or complex as it is adapted to specific organizational needs," said Sinan Eren, general manager, Avast Mobile Enterprise, and vice president, Avast Software. "Even third-party apps are often tweaked during enterprise implementation. To combat these changes and mitigate the vulnerabilities, we developed the Avast App Triage Program — to help organizations better protect their brands and bottom lines from exploits."
Avast Mobile Enterprise security researchers will look for a wide range of Android mobile app coding and configuration flaws including:
Security of SSL/TLS Deployment — Identifies issues in SSL/TLS including man-in-the-middle detection, certificate pinning, transport layer security extensions and configuration options, certificate authority root validation, and incorrect use of embedded certificates and private keys.
Insecure storage of sensitive information — Assesses the handling of stored personal and private information by apps and APIs connecting apps to back-end servers.
Insecure uses of cryptography — Evaluates the security of the cryptographic deployment and the underlying cryptographic algorithms in mobile apps, in transit and at rest.
Insecure Server API Authorization/Authentication mechanisms and credential storage — Identifies flawed, non-existent or weak authentication methods that expose sensitive user information.
Server API Web-related vulnerabilities — Identifies common web app vulnerabilities present in back-end/cloud services connected to the mobile app including SQL injection, cross-site scripting and cross-site request forgery.