Mobile applications have quickly become part of daily life, and people now use apps in ways that were not imagined a few years ago. I pay for my coffee with a mobile app on the way to work. If we go out for a family dinner during the week, my husband and I let our kids play their favorite games on our mobile phones while we wait for the food to be served; that gives us a few minutes of quiet and a chance to catch up. A friend even tracks the whereabouts of her teenage daughter with a mobile app!
Mobile apps are developed and delivered at a fast pace. The 148Apps.biz website (see Resources) reports that over a million active apps have been added to the iTunes App Store since 2008. As shown in Figure 1, nearly 7,000 game apps were submitted in March 2014 alone, along with more than 15,000 non-game apps.
Figure 1. iTunes App store submission numbers for March 2014
These apps bring convenience and enjoyment to their users, but are they secure, and how well do they hold up against attackers?
The research of IBM Business Partner Arxan determined that among the top 100 paid applications:
- 100% of apps on the Google Android platform were hacked.
- 56% of apps on Apple iOS were hacked.
Among the popular free applications:
- 73% on Android were hacked.
- 53% on Apple iOS were hacked.
See Resources for a link to Arxan’s reports.
Clearly, companies need tools and techniques to secure their applications, and they need them quickly to keep up with the pace of today's market. The ideal place to start application security testing is early in the development phase, where fixing a finding costs the least. This article gives an overview of IBM's static analysis security testing solution and focuses on the new features in version 9.0 that make rapid scanning of mobile applications easier.
Addressing vulnerabilities with IBM's Static Analysis security testing solution
All editions of AppScan Source before version 9.0 required a connection to AppScan Enterprise Server, which added installation and setup time before the first scan could run. Version 9.0 lifts this requirement for the AppScan Source for Development plug-ins for Eclipse and Visual Studio by introducing local mode. In local mode, the plug-ins operate without connecting to AppScan Enterprise Server, which makes rapid security scanning of mobile applications practical and cuts the time needed to get a first mobile application scan done with AppScan Source. It is worth noting that Worklight applications are developed in the same Eclipse instance that AppScan Source plugs into, so mobile application development with Worklight and application scanning with AppScan Source are closely integrated. The remainder of this article details local versus server mode in AppScan Source and the capabilities available in each mode.
Comparing local and server mode
Local mode in the AppScan Source for Development plug-ins facilitates rapid security scanning of mobile applications. In local mode, users can run security analysis with a default set of scan configurations, view findings, apply pre-defined filters, create their own filters, view traces, and remediate vulnerabilities. AppScan Enterprise Server is required for custom rules, shared scan configurations, and shared filters. AppScan Source for Analysis provides the following functions beyond the development plug-ins: reporting, publishing to Enterprise Server, user management, custom rule creation, scan configuration creation, triage, and integration with defect tracking systems. To integrate source code security scanning into build environments during the software development lifecycle (SDLC), users can use AppScan Source for Automation. AppScan Source for Analysis and AppScan Source for Automation both require a connection to AppScan Enterprise Server. See Figure 2 for an illustration of local versus server mode.
Figure 2. Local mode versus server mode
The AppScan Source for Development plug-ins offer the option to switch between server and local modes. Users are likely to start in local mode at the outset of their application security testing programs. As security processes mature within their organizations, they are likely to move to AppScan Source for Analysis or Automation, along with a shared AppScan Enterprise Server, to obtain the additional functionality described above.
Regarding licensing, the AppScan Source for Development plug-in products can use either authorized user licenses or floating licenses, and a valid license is required whether you use local or server mode. Floating licenses always require a connection to a license server, in both local and server mode. A license server is not required for authorized user licenses, which are tied to a host ID and function as node-locked licenses.
Local and server modes in action
The steps in this section show how a user selects local mode and what is involved in switching to server mode. Along the way I point out the differences between the two modes and touch on licensing considerations.
When you start the product, you are presented with the dialog shown in Figure 3. In the Use AppScan Enterprise Server dialog, you choose up front between local and server mode. Assume that you choose Do Not Use Server to stay in local mode.
Figure 3. Local versus server mode selection dialog
In local mode, the Security Analysis menu looks like what you see in Figure 4.
Figure 4. Security Analysis menu in local mode
In local mode, you still need a valid license to use the product. If you are using a floating license, a connection to a license server is required. The Release Scanning License action in the menu in Figure 4 lets you release the floating scan license when you no longer need it, so that another user can check it out.
Figure 5 shows an example of the filters available in local mode. The list combines ready-to-use filters with filters that you create locally.
Figure 5. Filters in local mode
Figure 6 shows an example of scan configurations available for scanning in local mode.
Figure 6. Scan configurations in local mode
If you start a scan now, you are not prompted to log in to AppScan Enterprise Server. Next, use the preference page shown in Figure 7 to switch to server mode. After you click OK, you are prompted to restart your integrated development environment (IDE). After the IDE restarts, you are prompted to log in to the server.
Figure 7. Preference dialog for Security Analysis
In server mode, the Security Analysis menu is similar to the one shown in Figure 8. Note the Change Password and Log Out from Server options that are now present in server mode. In server mode, a floating scan license is released implicitly when the user logs out of the server.
Figure 8. Security Analysis menu in server mode
In server mode, the filters and scan configurations listed in Figure 9 and Figure 10 are available for filtering findings and for scanning. Note the highlighted shared entries: these are available in server mode to every AppScan Source client that connects to the shared Enterprise Server. Shared filters and scan configurations are not available in local mode.
Figure 9. Filters in server mode
Figure 10. Scan configuration in server mode
As mentioned earlier, scans run in server mode use the custom rules that are shared through AppScan Enterprise Server. Custom rules are not available in local mode.
A quick mobile scan using AppScan Source for Development
In this example, the user installed the AppScan Source for Development plug-in in the Eclipse environment where the Worklight plug-in is already installed. Installing the AppScan Source plug-in into Eclipse is quick and completes in a few minutes.
I will briefly show the results of scanning, in local mode, a mobile application created as a Worklight Eclipse project, and the tools available to locate and remediate the findings.
After you create a project and it is ready to scan, select a scan configuration with Security Analysis > Configure Scan > Security Scan Configuration. In this case, I selected Quick Scan, as shown in the dialog in Figure 10. Because you are in local mode, only the ready-to-use scan configurations are listed, and only the ready-to-use filters and any filters you created locally are available.
Next, start a scan of the entire Worklight project by right-clicking the project and selecting Run Scan. When the scan completes, a Security Analysis perspective similar to the one in Figure 11 is displayed. The views in this perspective let you zero in on findings in your source code and remediate them.
Figure 11. AppScan Source Eclipse views
In the example in Figure 11, I double-clicked a Data Leakage vulnerability in the Findings view. In the Trace view, the root node indicates that this vulnerability originates at line 18 of the source code, which is also opened in the editor at that line; the nodes below it show how the data flows from that line to the point where it leaks. The Remediation Assistant view explains what the vulnerability is and why it is insecure, and it suggests ways to eliminate it.
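To make concrete what a Trace view shows for a finding like this, here is an added example that is not code from the article or from AppScan Source: a toy source-to-sink taint trace over a constructed Worklight-style JavaScript login function. The sensitive source (the password field), the sinks (console.log and localStorage.setItem), and both sample snippets are assumptions chosen for illustration. A real static analyzer works on a parsed AST and call graph; this one works line by line on simple "var x = ...;" assignments, which is enough to show why the root node of the trace is the line that first reads the sensitive value, and why the remediated version produces no finding.

```javascript
// Added example, not from the article or from AppScan Source: a toy
// source-to-sink taint trace that reports a Data Leakage-style finding
// with a trace from the root line (where sensitive data is read) to the
// line where it leaks. Line-based and deliberately simple.

// Sources: expressions that read sensitive data (constructed list).
const SOURCES = [
  { name: 'password field', re: /getElementById\(["']password["']\)\.value/ },
];

// Sinks: calls that leak whatever they receive to logs or unprotected storage.
const SINKS = [
  { name: 'console.log', re: /console\.log\((.*)\)/ },
  { name: 'localStorage.setItem', re: /localStorage\.setItem\((.*)\)/ },
];

// Matches `var x = expr;` (also let/const or a bare assignment).
const ASSIGN = /^\s*(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=\s*(.+?);?\s*$/;

// True if `expr` refers to the identifier `name` as a whole word.
function mentions(expr, name) {
  const escaped = name.replace(/\$/g, '\\$');
  return new RegExp('(^|[^\\w$])' + escaped + '($|[^\\w$])').test(expr);
}

// Returns one finding per tainted value that reaches a sink:
// { sink, line, trace } where trace is [root line, ..., sink line] (1-based).
function traceDataLeaks(source) {
  const lines = source.split('\n');
  const tainted = new Map(); // variable name -> { line, parent }
  const findings = [];

  lines.forEach((text, idx) => {
    const lineNo = idx + 1;

    // 1. Does this line pass a tainted variable into a sink?
    for (const sink of SINKS) {
      const m = sink.re.exec(text);
      if (!m) continue;
      for (const [name, info] of tainted) {
        if (!mentions(m[1], name)) continue;
        const trace = [];
        for (let cur = info; cur; cur = cur.parent) trace.unshift(cur.line);
        trace.push(lineNo);
        findings.push({ sink: sink.name, line: lineNo, trace });
      }
    }

    // 2. Does this line assign a tainted value? Taint the left side if the
    //    right side reads a source or mentions an already-tainted variable.
    const a = ASSIGN.exec(text);
    if (!a) return;
    const [, lhs, rhs] = a;
    if (SOURCES.some((s) => s.re.test(rhs))) {
      tainted.set(lhs, { line: lineNo, parent: null }); // root of a trace
      return;
    }
    for (const [name, info] of tainted) {
      if (mentions(rhs, name)) {
        tainted.set(lhs, { line: lineNo, parent: info });
        return;
      }
    }
    tainted.delete(lhs); // overwritten with clean data
  });
  return findings;
}

// Constructed sample: the password (line 3) flows through creds and payload
// into a debug log (line 6) and into localStorage (line 7).
const VULNERABLE = [
  'function login() {',
  '  var user = document.getElementById("user").value;',
  '  var pass = document.getElementById("password").value;',
  '  var creds = { u: user, p: pass };',
  '  var payload = JSON.stringify(creds);',
  '  console.log("sending " + payload);',
  '  localStorage.setItem("lastLogin", payload);',
  '  return payload;',
  '}',
].join('\n');

// Remediated sample: log only the non-sensitive user name, store nothing.
const REMEDIATED = [
  'function login() {',
  '  var user = document.getElementById("user").value;',
  '  var pass = document.getElementById("password").value;',
  '  var creds = { u: user, p: pass };',
  '  var payload = JSON.stringify(creds);',
  '  console.log("sending login request for " + user);',
  '  return payload;',
  '}',
].join('\n');

console.log(JSON.stringify(traceDataLeaks(VULNERABLE)));
console.log(JSON.stringify(traceDataLeaks(REMEDIATED)));
```

For the vulnerable sample the tracer reports two findings, both with root line 3 and the trace 3, 4, 5 before the sink line (6 and 7); that chain is what the Trace view presents as a tree under the root node. The remediated sample yields no finding because no tainted variable reaches a sink. The remediation is the same one a Remediation Assistant would typically suggest for this class of finding: do not write secrets to logs or to unprotected client-side storage.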
Figure 12 shows how to narrow the findings by applying a filter, in this case the OWASP Mobile Top 10 Vulnerabilities filter. After the filter is applied, the number of findings drops to 29.
Figure 12. Filtering of findings with OWASP Mobile Top 10 Vulnerabilities
The solution described here is flexible. A user can run AppScan Source for Development in local mode for rapid security testing. For shared filters, shared scan configurations, and custom rules, the user can connect AppScan Source for Development to Enterprise Server. Optionally, AppScan Source for Analysis together with a shared AppScan Enterprise Server adds reporting, publishing to Enterprise Server, user management, custom rule creation, scan configuration creation, triage, and integration with defect tracking systems. It is also worth noting that AppScan Source for Development 9.0 in local mode does not use a database such as IBM solidDB®. In addition to local mode, AppScan Source 9.0 strengthens its mobile story by introducing Eclipse plug-in support on Mac and by integrating with IBM Worklight in the same Eclipse instance.
- For additional information about mobile security and the AppScan 9.0 release, my colleague Neil Jones has an insightful blog about the state of Mobile Application Security that I encourage you to read.
- To learn more about local/server mode in AppScan Source 9.0, see the IBM Knowledge Center documentation.
- For 148Apps.biz reports, see “Count of Application Submissions” on the 148Apps.biz website.
- To learn about the research of IBM Business Partner Arxan, visit the Resources page on the Arxan website.
- Visit the Security on developerWorks community to find more how-to guides, articles, videos, and demos in our community resource library.
- Visit the Security on developerWorks blog to learn about new security-related how-to guides, articles, and demo videos.
- Sign up for the weekly Security on developerWorks newsletter for the latest security headlines.
- Follow @dwsecurity to get updates from the developerWorks security zone in real time.