E-SPIN offers Mobile Application Security Testing (Mobile AST) as a Service for customers who need mobile application security testing as part of enterprise security assurance (SA), or as a routine security assessment before an application is rolled out to internal users or to the public mass consumer audience.
Depending on the audience and how critical the mobile application is, the work usually falls within the mobile application security lifecycle (SLC) flow below:
Developer – QA/SA – Security – Operations
Developers are mostly interested in IDE plug-ins that scan the mobile app code while it is being written, or in scanning the completed mobile app project so that every highlighted security issue and vulnerability is fixed before the project is handed over for the QA/SA or Security check (depending on how the enterprise divides the work internally). Another area of security concern is software composition analysis (SCA): mobile app projects commonly make use of third-party modules, libraries or plug-ins for which the developer has no source code, so these components can only be assessed as supplied.
Security and Operations clients are more interested in mobile application security testing (AST) of the final binary, i.e. the iOS .ipa or Android .apk. Depending on the specific objective, this can be static, dynamic or behavior analysis, or all three. Static analysis examines the binary to identify security weaknesses without running it. Dynamic analysis executes the application and monitors its interactions with the filesystem, network and APIs to detect vulnerable behavior. Behavior analysis performs guided fuzzing to detect malicious inputs that could exploit a vulnerability in the mobile application or its backend servers.
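As an added illustration of the kind of check a static analyzer performs on an Android binary (this is example code written for this page, not E-SPIN's tooling or any particular commercial scanner): it reads a decoded AndroidManifest.xml and flags the debuggable, backup, cleartext-traffic and unprotected exported-component settings, while treating the launcher activity, which must be exported, as expected rather than as a finding. It assumes the manifest has already been decoded from the APK's binary XML, for instance with apktool; the manifest below is constructed for the example, and its package and component names are hypothetical.

```python
"""Static check of a decoded AndroidManifest.xml for common weaknesses.

Added example, not E-SPIN's tooling. Assumes the manifest was already decoded
from the APK's binary XML (e.g. with apktool). SAMPLE_MANIFEST is constructed
for this example; its package and component names are hypothetical.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
LAUNCHER = "android.intent.category.LAUNCHER"

# Constructed sample manifest with several deliberate weaknesses.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application android:debuggable="true"
               android:allowBackup="true"
               android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SyncReceiver">
      <intent-filter>
        <action android:name="com.example.SYNC"/>
      </intent-filter>
    </receiver>
    <service android:name=".InternalService" android:exported="false"/>
    <provider android:name=".DataProvider"
              android:authorities="com.example.data"
              android:exported="true"
              android:permission="com.example.READ"/>
  </application>
</manifest>
"""


def _a(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _is_launcher(comp):
    """True if any intent-filter on the component carries the LAUNCHER category."""
    for filt in comp.findall("intent-filter"):
        for cat in filt.findall("category"):
            if _a(cat, "name") == LAUNCHER:
                return True
    return False


def _is_exported(comp):
    """Apply the platform default: an unset android:exported means exported
    when the component declares an intent-filter (pre-API-31 behaviour)."""
    exported = _a(comp, "exported")
    if exported is not None:
        return exported == "true"
    return comp.find("intent-filter") is not None


def check_manifest(xml_text):
    """Return a list of (severity, message) findings for a decoded manifest."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        return [("high", "manifest has no <application> element")]
    findings = []
    if _a(app, "debuggable") == "true":
        findings.append(("high", 'android:debuggable="true": a debugger can attach on production devices'))
    if _a(app, "allowBackup") != "false":
        findings.append(("medium", "android:allowBackup is not false: app data may be extracted with adb backup"))
    if _a(app, "usesCleartextTraffic") == "true":
        findings.append(("medium", 'android:usesCleartextTraffic="true": plain HTTP is permitted'))
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            if not _is_exported(comp) or _a(comp, "permission") is not None:
                continue
            if tag == "activity" and _is_launcher(comp):
                continue  # the launcher activity has to be exported; not a finding
            findings.append(("medium", "exported %s %s is not protected by android:permission"
                             % (tag, _a(comp, "name"))))
    return findings


if __name__ == "__main__":
    for severity, message in check_manifest(SAMPLE_MANIFEST):
        print("[%s] %s" % (severity.upper(), message))
```

Run stand-alone it prints four findings: one high (debuggable) and three medium (allowBackup, cleartext traffic, and the implicitly exported SyncReceiver). The explicitly non-exported service and the permission-protected provider produce nothing, which is the distinction a useful static check has to make.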
In many cases the manufacturer requires a volume of licensing that the enterprise customer cannot justify on an ongoing basis, or the need is a one-off or covers only a few projects. Here E-SPIN Mobile AST as a Service may be a viable solution: the customer outsources only the portion of service work required, and E-SPIN uses its commercially licensed tools to perform the scoped work in a more economical and scalable manner.
E-SPIN Mobile AST as a Service Option
E-SPIN currently provides the following Mobile AST as a Service offerings (please check back from time to time; as the technology advances, the options offered will be updated):
1. Mobile Application Source Code Scanning and Report as a Service. Supported platforms:

| Platform | Supported toolchain |
|---|---|
| Android | Android SDK |
| iOS | Xcode 4.x-9.x (LLVM) |
| Xamarin | Visual Studio 2012 and later / Xamarin Studio / Mono 4.x |
| PhoneGap/Cordova | PhoneGap or Cordova |
| Titanium | Titanium SDK |

2. Mobile Application Software Composition Analysis (SCA) Report as a Service. This service is available only as an add-on to the Mobile Application Source Code Scanning and Report as a Service.
3. Static, dynamic and behavior analysis and report as a service for Apple iOS (.ipa) or Android (.apk) mobile application binaries.
Customers and clients interested in the above Mobile AST as a Service offerings are welcome to contact E-SPIN to discuss requirements and obtain a quotation.