Crucial Strategies for Effective Security Testing of Mobile Apps
Abstract
Watch this on-demand session with Karen as she explores how to streamline mobile app testing in CI/CD pipelines while maintaining robust cybersecurity protections. Learn how automated testing services validate functionality across real-world devices and OS versions while navigating challenges posed by tools and methods like emulators, virtualization, resigning, debugging, dual spaces, and Magisk, often flagged by security features. Karen will share strategies to:
– Eliminate the need to test protected and unprotected builds separately.
– Simplify the testing process for protected mobile apps in automated environments.
– Enable seamless automated testing for apps safeguarded against tools and methods commonly used by testing services.
Discover how to reduce complexity and enhance efficiency in your mobile app testing workflows without compromising on security.
Appdome: Streamline Cloud Testing of Cybersecurity Features in Mobile Apps
Learn how to automate testing of protected mobile apps in CI/CD pipelines, reduce complexity, and eliminate the need for separate testing of protected and unprotected builds, while addressing cybersecurity challenges posed by testing tools and methods.
Video Transcript
Hi, my name is Karen, and thank you for joining today’s session on streamlining cloud testing of secured mobile apps. A little background on me: I’ve been testing apps for over 30 years. I started testing apps when I was working at an enterprise application integration company, so I was testing a lot of ERP and CRM apps and the combinations of them, and I’ve been at Appdome for about three and a half years. I started a fraud detection company years ago and found the importance of fraud prevention; that’s why we became part of Appdome and have been here working on securing mobile apps and now ensuring the testing of them.

So today we’ll discuss a number of things. The first is we’ll start off with definitions: what is security testing versus testing apps with security? Then we’ll go into the challenges of each, how to streamline the testing of apps with security, and then what are the benefits of doing that. We’ll go through a case study and demo, and then finally end up with the community and what we’d like to work with you on.

So to start off, what are the definitions? What is security testing versus testing of security features? Security testing is about detecting vulnerabilities in an app, identifying what the weaknesses are in the code or in the configuration, and there are a lot of companies that do this kind of testing. For mobile app security specifically they’ll be called MAST, or mobile app security testing, vendors. You’ll also hear about SAST and DAST vendors, so companies that do static application security testing or dynamic application security testing. That is vastly different than testing secured apps, or validating that the app is functioning as expected after security has been added to the app and that the app works across thousands of mobile devices and OS versions. So security testing versus testing apps are different, and they also have different challenges. But in terms of security testing, there are
a number of organizations like OWASP and others that you see at the top here, NIST and other organizations, that provide standards for security testing, and they provide guides such as you see here, like the Mobile Application Security Testing Guide, that help testers and organizations understand what their security standards are and what testing is required. Now, for example, there are a number of items that these organizations propose we need to follow, or companies need to follow, in order to securely test and secure their apps. As an example, one of the areas is network security, and in this case what we’re highlighting is one of the items: for the app to secure all network traffic according to the current best practices. So these organizations will outline what the specific best practices are. For example, ensuring data privacy and integrity of any data in transit is critical for an app that communicates over the network, and you can do that by encrypting the data or authenticating the remote endpoint.

Using these standards, organizations will often do an assessment or security test where they’re identifying all the weaknesses or vulnerabilities in the app. This is an example of an assessment that Appdome does for customers when asked, and for free, and this is something where we identify the risks within the app and provide a risk profile.

Now, the challenge with security testing in DevOps: traditional vendors who offer security testing, and then the customers that they work with, will come to a conundrum. They’ll come to a fork in the road where, after they’ve detected the vulnerabilities (so basically they identified a bunch of issues), the developers have a choice to make. Do they go and refactor the code and make the fixes and changes, which could take weeks or longer, or do they waive the issues away and allow them to proceed with the release on time, but then have apps in production that are at much higher risk and at
much higher risk of attack? So this challenge is not only in the early part of the process, where the initial build is made and the security testing is done on that initial build; it also happens later on when there’s retesting of the app, or the app is out in the wild and there are issues that are found there.

So what Appdome is proposing is a different process, and that is to really address building the protections in early and automating those protections in, so that the developers don’t have to code, they don’t have to make those fixes manually, and they have an automated process for making those fixes.

Now, the challenge with testing secured apps is that there are many different combinations of secured apps. So once you have, say, built those protections in in an automated way using Appdome, the challenge is now how do you test that those protections are in there and the app still functions as expected? The challenge is now, for the tester, many different combinations of OSes and devices and all the different features that are in the apps, and testing those different combinations.

So let’s go into these challenges a bit more. Those challenges include the fact that the methods that testers use often violate security policies. These methods include using emulators, virtualization and other services. These are the same services and tools that hackers use, and therefore will trigger active security features in the app. Now, the other issue is friction in testing slows down releases, because of the handoffs from one environment to another. For example, organizations will have one environment for testing unprotected builds versus another one for testing protected builds, so handing off between those environments can cause friction. And finally, the last challenge here that we’re talking about is integrating with the DevOps pipeline. In order to automate cloud testing into CI/CD workflows and into the DevOps flow, organizations need to have, or the systems need to have,
compatibility with those CI/CD workflows and all those systems.

So let’s go into the methods that could violate security policy. On the left-hand side are common tools that are used in automated testing services; on the right-hand side are ways that these same tools are misused by hackers. So let’s start with emulators. Emulators are often used in testing to simulate different device environments, allowing for extensive application testing without the need for physical devices. Now, on the other hand, hackers will use emulators to analyze and exploit app vulnerabilities in an environment without risking actual devices. Testers will also use virtualization, which enables them to run multiple instances of mobile OS environments to facilitate parallel testing across different configurations. Unfortunately, hackers use the same virtual environments to obscure what they’re doing, test malware or reverse engineer apps without detection. Testers will use debugging to do real-time monitoring and examine code execution to identify and fix bugs in the testing phase. Unfortunately, hackers will use debugging tools to understand how the app works, identify weak points and craft exploits. Testers will use resigning, which involves signing the app with a different certificate to allow modifications or insertions of testing frameworks, but hackers will use resigning with fraudulent certificates to inject malicious code or distribute counterfeit versions. Testers will use dual spaces to allow for running two instances of the same app simultaneously for testing different scenarios or versions, but hackers will exploit dual spaces to run and modify apps in a sandbox environment, allowing them to bypass detection. And finally, testers will use Frida for modifying app behavior, especially for testing vulnerabilities, and this is at runtime, whereas hackers will use Frida to inject malicious scripts, bypass security checks or manipulate app functionality.

So what we’re trying to share is a number
of examples of where testers will be using tools for legitimate purposes, which is for test automation or for testing, but hackers will use the same types of tools, if not the same tools themselves, to exploit app vulnerabilities and to compromise mobile apps.

So what we want to address is a new approach, and that is, with Appdome, you can not only streamline the security testing and remediation, because you have automated remediation, but you can also streamline the test automation of secured apps. That is possible because Appdome has plugins or integrations with each and every one of the CI/CD systems that you see at the top here. Whether it’s GitHub, Jenkins, GitLab or Azure DevOps, we have a plugin so that your organization can plug into the DevOps pipeline for automation, for remediation and for testing automation. And with the same concept of plugins, Appdome has an integration with Kobiton, so that after the remediation is done, after the security protections have been automatically added to the app, Kobiton can be used to run the automation for the testing of the secured app, and we’ll show you how this works.

So to go back to Bitrise as an example: Bitrise is one of the mobile-specific CI/CD platforms, and here is a workflow. As part of that workflow, what you would do is set the fusion set ID, which is basically the configuration for a specific security rule set, a specific set of protections that need to be added to the app. So you can automate that as a step in this process, where you first would build the Android app, then you would add the protections with Appdome, and then you would execute the automation test with Kobiton before deploying to your end users.

So how does this work? How does this process of automating the testing of secured apps work? Well, that works because Appdome has developed a trust model where we are able to recognize when the mobile app testing suite Kobiton is in use and allow the automated
testing through Kobiton, for example, without interruption. This means Appdome also has service logs for all security events triggered, so that developers can track and monitor all the mobile app defenses in every part of the release cycle. And finally, Appdome allows you to visualize that this testing is working through ThreatScope, which allows you to see these events.

So the benefits of streamlining testing of secured apps include, first of all, faster on-time releases. Having fully automated testing of secured apps includes testing for all devices and OS versions in every release. You’re able to also reduce friction in the DevOps pipeline, because you’re able to eliminate the need to test protected and unprotected builds separately and not have to have different environments for protected and unprotected builds and their testing. You’re able to automate that integration into the CI/CD. You’re also able to visualize the test data and continuously protect and automate throughout the development life cycle, because Appdome ensures that security measures comply with industry standards and regulations like GDPR, HIPAA and others. And finally, with this new approach and this methodology, you’re able to scale and evolve, so the testing scales with the apps in your organization as it grows, accommodating new security features and testing without changes to your workflow.

So let’s talk about a case study. Appdome has worked with FIS, and this is where FIS uses the Appdome platform to automate testing: first, to automate remediation and add protections to the app in an automated way, and second, to automate the testing of those secured apps. FIS does this all in the Bitrise DevOps pipeline, and they do this for their credit union and banking customers. If you don’t know who FIS is, FIS processes trillions of dollars worth of payments annually; a part of that comes through their mobile apps, and Appdome secures those mobile apps without coding or SDKs,
and this is really important because it enables FIS to protect all their apps from reverse engineering and tampering without having to have a separate engineering team or a separate security and DevOps team to handle all of the security features that need to be added to the app and all the testing that is required to make sure the app still functionally works after the security features have been added.

Now, why did this problem, this challenge, come about, of needing to automate security and automate the testing of secured apps? Well, it started because as FIS shifted left, it found it created many tasks for engineering that engineering simply could not handle. There were a lot of issues in the backlog that the engineers could not address. FIS knew that they had a lot of challenges to address in the marketplace in terms of risk, especially given the increasing fraud risk and the increasing technology advancements, especially around AI, where hackers are able to create malware and create attacks faster and more sophisticated than they were before. They knew they needed to have a way to defend the app without having to be a burden on development, and with the Appdome solution and this ability to automate testing, FIS has continuous detection, defense and control. It allows them to not only have a continuous record of mobile app security but also monitor defenses and threats in the future impacting mobile apps, and enables them to prioritize and respond to new attacks and threats in a timely manner.

So what I’m going to do now is show you a demonstration. What I’ll focus on is the parts after the build has been created and after the security testing has been done: we’ll add the protections in and we’ll build a version of the app for testing specifically, so that you can test in, say, Kobiton or other systems. And so as a reminder, what would usually happen is there’s some kind of security assessment or
security test that is performed, and that would identify a number of issues. For example, API keys or secrets in the clear, or secrets that need to be protected; that’s one issue. Another issue is there are insecure connections in the app, and those connections need to be secured, or blocked if they’re insecure. So this goes back to the standard where you will have the objective of securing all network traffic according to the current best practices, and in Appdome one way that we do that is to block non-SSL connections. For example, in Android apps this is one of the ways that we handle that issue, and so I’m just going to go ahead and show you how that works.

Switching gears a bit, here is the Appdome platform, and what you can see on the left-hand side are the apps. What customers or companies will do is load their apps, and you’ll see them loaded on the left-hand side, whether they’re iOS or Android apps, and then on the right-hand side you can select one of these apps to then build in the protections. Going back to the example, let’s say there are secrets that need to be protected that are in the app, API keys that need to be protected. Then you would simply click on Data at Rest Encryption, and this is where you would click on encrypt in-app preferences and encrypting strings and resources, and that would ensure that that data, those API keys or those secrets, are protected. Now let’s say you have that other issue where you have the need to protect the connection between the app and the server, or to block non-SSL connections or insecure connections. This is where you would click on Android MiTM Prevention and see that blocking non-SSL connections is part of that. Once you have selected the protections you want (and Appdome has over 300 protections that we are supporting and constantly updating, so that wherever the issues are, whatever the hackers are doing now or in the future, we’re constantly updating them), then you
can choose from those different protections, select the ones that you want, or call the API, because everything that I’m doing here can be done through an API call, and then you just hit Build My App. Now, you would build the app if it goes into production, or you can select Build to Test, which would allow you to create a version that is for testing purposes, for automated testing purposes, and as you can see here, Kobiton, amongst other solutions, is out there for your company to choose. So once you hit Build to Test, it creates a version and now you’re able to use this in your test environment. So let’s go to Kobiton, for example, and you can see we have loaded the app here for testing, and I can use the Kobiton environment to select the device that I want to test this on. I’m going to try this on an older device and test this, for example,
on the Galaxy Note 5, and this is where I can load this session. Once the session is loaded I can go in and install the app, and when I install the app I will see some messages come up. These messages will show the error messages that we are protecting the app with, so you can see here "Groupo detected an untrusted connection."

I will go back to the presentation so you can see this in slow motion. So what you’re seeing here in the demo (I took a screenshot here so you can see it more clearly) is a notification or a message saying the app detected an untrusted connection, and this was because we had in the app the protection Block Non-SSL Connections. So the app is saying, because of Appdome’s protection, for your protection please switch networks, close and reopen the app, and it will reference the particular URL that was used. If you go to this URL you’ll see that it is not a secure connection, and so Appdome is doing what it’s supposed to be doing, which is closing the app.

It’s able to do this through a number of things here that you see in the platform. First, we use the platform to add the protections, for example blocking non-SSL connections or encrypting data; we are able to select those features and add them in and build the protections in in minutes instead of weeks or longer with developers hand-coding. So that’s the advantage of the Appdome automation. The second piece is we’re able to create a document which shows the protections that have been added, by whom and when. Then what you saw just now is the notification around the security event happening, which looks like an error message but is an event notification which shows you, hey, the app is working as expected, which means it is protecting the app against an insecure connection and it will close the app (not shut down, but close the app) so that the crash-free rates remain high. That notification can be customized by the security person or the developer. And then finally, what I’ll show you next is seeing these events in a monitoring environment,
for example our ThreatScope. So for this last piece I’m going to switch back to the demo and show you where we are able to see these test events in the monitoring environment. This is the Appdome monitoring environment; it has both the testing view as well as the production view. For the testing part, I’m just going to show you what that looks like, since we were talking about that earlier, and I will select the Build to Test view, so I’m selecting a specific filter or view of the data that’s just for Build to Test events. I’m going to go to the specific app, the Groupo app that I was testing, and to do that I will again scroll down to the filters here, and on the filter for the bundle ID I will search, or rather type that in, and select just that one.
Okay, unselect all and just select Groupo. So now I only get the Groupo data, and this is now where I can see the Appdome defenses, and I could just highlight the ones in green. I can see that I have indeed protected against non-SSL connections, as you see here. Now, just to orient you to this view, what you’re seeing is the attacks, and this is seeing that, in this case, the testing of the app as it tried to connect to an insecure connection is occurring in this geography here. I can click on the events that Appdome is protecting against as well as the attacks that Appdome has not protected against yet, and that you, or the organization that you’re working with, may want to protect against later.

So this is where I’m going to switch gears and now say, okay, let’s say I’m not doing Build to Test; I have released my app. So I’m going to go back to the presentation for a second and wrap up the demo here. The value we’re showing is we’re able to show you testing, but also, once the app is deployed and is now in production, you can use the same tool here with a different filter. So I’m going to take out this filter and clear it by clicking on All Data, so now I’ve switched filters from the testing filter to the production filter. This is looking at all data, and if I were to look at all anonymized
data, I can see where all the attacks are coming from by geography. I can see all the attacks that Appdome has defended against, but I also can drill down into the attacks that have not yet been defended against because they’re new, or my organization has not decided to protect against these threats yet because they weren’t deemed as critical until now, where I can see that Android Debug Bridge has become a much larger issue, for example. That’s where I would go back to Appdome, without saving, and I would click on the app that I want to protect, for example Groupo, and I would go and find the protection that needs to be put in place, and that would be Android Debug Bridge, and simply click on that and add that to the next release.

So what Appdome allows you to do is really have that full cycle of protection, whether it is building in the protections as part of the release process to then monitoring these protections once they’re in the wild. Through this process Appdome is able to not only protect, or add the protections in an automated way, but also, through Kobiton, test in an automated way and complete that cycle as you go back again and have a continuous security model.

So in terms of next steps, what I encourage you to do is, first, try it: sign up for a free trial, or see me or contact me for a custom trial where we walk you through that. Please also see and learn from and join our community, where we share information from our partners, for example our penetration testing partners, as well as share the best practices from our customers. I also encourage you to learn and hear more about how our penetration testers have tested Appdome and validated that the security protections work. So go to our website, sign up as you can see here on the far right-hand corner, and join our community. We have a number of webcasts and materials in specific topic areas, whether it’s around Android rooting, protecting against SSL pinning bypass, or protecting against Frida, as well as hearing from our customers like FIS talk about best practices in digital banking, or other customers, as you see here in this webcast with an analyst who used to work at Citigroup. And then finally, see our collateral and our knowledge base articles on Appdome; these are a couple of examples around social engineering and fraud detection.

And finally, take away agile DevSecOps into your organization and achieve, whether it’s reducing manual testing and freeing testers’ time to focus on more complex tasks; having automation so you can fully automate testing of apps on all devices and OS versions without interruptions; having readiness by improving test coverage, ensuring the app is more thoroughly tested; ensuring resilience and making sure that the app is protected through testing and development; having optimization and reducing the time it takes to test an app; and finally having scalability, whether it’s testing scaling as your organization grows, or accommodating new security features and testing without having to change the workflow.

Thank you very much for your time, and I look forward to meeting you and speaking with you. Please do not hesitate to reach out to me, whether it’s via email or connecting with me on LinkedIn. Thank you, and speak to you soon.

All right, so we do have several questions that have come
in. Let’s see. Hello. Hi. All right, okay, so we have our first question. How can security testing be adapted for cloud-based applications and services, considering the unique security considerations and architectural differences? That came in from Vishal.

Okay, yeah. So, like we talked about, there are a number of systems that are being used for automating cloud testing, and so, as an example, if you’re integrating into GitLab, GitHub or so forth, Appdome has plugins so that you can integrate the security remediation into those various CI/CD systems. And then as well, we are integrated in the testing automation piece with Kobiton, but also other test automation systems, so we’re flexible to whatever environment you have today and in the future.

Great. Our next question is: can we integrate Appdome with GitLab?

Absolutely. So we have a pre-built integration to GitLab. I can send you that; I can put a link here later on, maybe, but we have a knowledge base article on how that integration works, and I also have a video where we show you how you can configure your GitLab environment to call what we showed earlier, which is a fusion set that you create in Appdome. It’s basically a security rule set that you just call over and over again, or change and have that called over and over again.

Okay, great. Well, we’re running out of time already. That was an excellent presentation. We can answer the rest of the questions by text, and you can also see Karen over in the Expo booth if you have additional questions that we did not get to here. So thank you so much, Karen, great talk.

Thank you, thank you, Carara. All right, you all take care.