Discover insights from leading mobile app security experts | Promon

10 things to consider when comparing mobile application security solutions - Promon

Written by Caner Kaya | Jan 17, 2025 12:23:52 PM

Learn how to evaluate the different app shielding solutions on the market — and what it really takes to secure your mobile app.

So, you’re done with penetration testing. Maybe you’ve even done some mobile application security testing (MAST) and now it’s time to consider some mobile app security solutions. But how do you identify the best fit for your application?

Well, your first stop might be finding out what the independent analysts have to say.

Gartner recommends adopting application security technologies that enable developers to build apps in their preferred tools and workflows, test them for security and privacy vulnerabilities — at speed — and easily remediate security bugs so release schedules can still be met. Similarly, Forrester notes that “application security must be strong, vigilant, and nimble”. 

Of course, there’s a lot more to consider beyond that for developers and security professionals alike. So to help you assess the different mobile right app security solutions, we’ve created this handy mobile app security checklist, with 10 key considerations.

 

 

1. Runtime application self-protection (RASP)

In a nutshell, runtime protection helps prevent security breaches when your app is in use. It actively monitors the app for suspicious activity while it’s running, so it can detect and respond to potential threats in real time. 

Runtime protection tools continuously analyze the application’s behavior for signs of trouble. If they detect something unusual, they can take steps to stop it. This can include blocking malicious actions or alerting security teams.

That said, note that RASP has to be executed on the target device running the application, and with some solutions, that can affect the application’s performance (as in the speed at which it runs).

 

2. Code obfuscation

Code obfuscation is a critical component of almost all app security and copy protection tools, without which, the application or security code is transparent, easily understood, and as a result, relatively easily modified. 

It involves concealing or disguising non-generic aspects of the application’s code to frustrate or delay malicious actors in their attempts to understand how that code works. In simple terms, this makes it harder for them to understand and reverse-engineer the code, and so enhances the app’s security. 

To make things a little less simpler, consider that there are different levels of code obfuscation, and you need to choose the right one for your app.

 

3. Encryption

Encryption ensures that sensitive information, which includes non-generic secrets and user data, is hidden from unauthorized access. It does this by turning plaintext data into cipher text, which conceals the original content. 

Data is converted into a scrambled format that can only be deciphered using the appropriate decryption key. This prevents unauthorized users from viewing or tampering with it, and protects the confidentiality and integrity of the data.

Encryption can be applied at different levels: The network layer, the transport layer, the application layer, or the data layer. To apply encryption, you need to choose an appropriate algorithm (AES, RSA, or ECC) and a suitable mode (CBC, CTR, or GCM).

But wait, there’s more! Encryption can be symmetric, which means you can encrypt and decrypt the data with the same secret key. Or asymmetric, which means you can encrypt and decrypt using a public and private key pair. 

Symmetric-key encryption is fast and suitable for bulk data processing, because everybody with access to the key can decrypt the encrypted content. But that also means you have to have centralized control over key distribution, and careful key management is critical.

Asymmetric-key encryption, or public-key encryption, means the public key can be distributed freely, while the private key shouldn’t be shared with anyone. This is several times slower than symmetric operations, and so is typically only used to encrypt small amounts of data.

 

 

White-box cryptography

Whitebox cryptography combines encryption and obfuscation methods to embed secret keys in application code. The idea is to combine the code and the key in such a way that an attacker can’t tell the difference between the two, and a new white-box program can be run safely from an insecure environment.

It obscures and blends the internal data and execution flow of an algorithm to the point where it’s difficult for an attacker to separate and identify cryptographic keys. Which means those keys can’t be found or extracted from the app. 

White-box implementations can include protections against static analysis, runtime code modifications, timing attacks, and fault injection. So your organization can encrypt critical portions of programs and store the keys for decryption in an essentially tamper-proof way.

 

4. Regular updates and CI/CD support

In the ever-evolving threat landscape, the importance of regular updates simply cannot be overstated. It’s crucial for mobile app security vendors to release frequent updates, both to patch vulnerabilities and mitigate emerging threats. 

By being proactive rather than reactive when safeguarding user data and privacy, you protect yourself, your clients, and uphold your organization’s reputation. Which is also why your chosen mobile app security vendor should stay on top of the latest cybersecurity developments.

In the same vein, continuous integration (CI) and continuous delivery (CD) should be near the top of your priority list. These allow developers to repeatedly merge code changes into a central place, where they can build and test them, then deploy them to new or existing environments. 

The difference between the two is that CI focuses on the build and test stages, and CD focuses on the delivery of code to environments — but both need to be on the table when evaluating any mobile app security solutions.

 

5. Data security during transit

Data leaving the application should be fully encrypted right up until it reaches the place it will actually be used. And any data received by the application should also be encrypted, as this maintains security throughout the transmission processes. 

Various secure communication protocols can (either individually or in combination) make sure this happens:

 

HTTPS

Hypertext Transfer Protocol Secure (HTTPS) encrypts the data exchanged between the app and the server, which makes it harder for attackers to intercept or modify it. It also verifies the identity of the server, so the app can’t connect to one that’s fake or malicious.

To use HTTPS you need a valid SSL/TLS certificate from a trusted authority, and your server needs to be configured to accept HTTPS requests.

 

OAuth 2.0

Open Authorization 2.0 (OAuth 2.0) defines how apps can request and get access tokens from a server, which can then be used to access protected resources. It also allows users to grant or revoke permissions to apps without exposing their credentials. 

You need to follow the specific flow that suits your app scenario though i.e., authorization code, implicit, password, or client credentials.

 

JWT

JSON Web Token (JWT) encodes data in a compact, self-contained way, so it’s easy to transmit and verify. JWT consists of three parts: a header, a payload, and a signature — to use it, you need to generate and validate the tokens on your server, then store and send them securely on your app.

 

Encryption

This is the process of transforming data into an unreadable form, using a key. It can protect sensitive data, such as passwords, personal information, or payment details, from unauthorized access or leakage.

 

Certificate pinning

This binds a specific certificate (or public key) to a server, and verifies it on the app. Certificate pinning can prevent instances where an attacker intercepts and replaces the server’s certificate with a fake one, and deceives the app into accepting it. 

It can be done using various methods, including hard-coding, dynamic loading, or using a framework or library.

 

6. Ease of use and integration

The balance between usability and security is much talked about in the mobile app world from an end-user perspective, and not without good reason — after all, it can mean the difference between user retention and total failure. But the same is also true on the backend. 

Your solution should integrate easily with your existing development tools and infrastructure — with very little effort from you — and have minimal impact on both the app’s performance and your internal processes.

 

7. Compliance

Your solution should help your organization achieve your specific compliance goals. We’re talking about everything from DORA to HIPAA and the CCPA.

Compliance isn’t something you can ignore or a nice-to-have, it’s the law — and the penalties for ignoring it can range from hefty fines to a complete derailing of your business, alongside a healthy dose of reputational damage.

Let’s look at some of the high-level standards and regulations you might want to use to stay on the straight and narrow.

 

NIST Framework

The National Institute of Standards and Technology (NIST) Cybersecurity Framework is a comprehensive set of guidelines, standards and best practices, developed to help organizations effectively manage and improve cybersecurity risk management. 

The guidelines give you a structured approach to help you recognize threats or incidents — then protect against them, respond fast and recover quickly. This applies to most industries and organizations — which is why it’s such an asset for improving your overall cyber resilience and posture.

 

OWASP Mobile Security Project

Like the NIST Framework, the Open Web Application Security Project’s (OWASP) Mobile Security Project provides guidelines and best practices for building secure mobile apps. It lists the critical security risks (specific to mobile applications) and gives you strategies to mitigate each risk.

 

OWASP Mobile Application Security Verification Standard (MASVS)

The OWASP MASVS is a set of security requirements that make up a testing guide for mobile apps. There are three levels (basic, intermediate, and advanced) the standard seeks to assist developers with creating secure apps.

 

OWASP Mobile App Security Requirements and Verification (MASVR) Framework

Another gem from OWASP MASVR complements MASVS (see above). It gives you detailed requirements and verification procedures for mobile apps, to ensure they comply with all the right security standards.

 

Payment Card Industry Data Security Standard (PCI DSS)

Another security framework, the PCI DSS is specifically designed to secure credit card transactions and protect cardholder data. It’s worth noting, though, that it isn’t a comprehensive security framework like NIST or ISO 27001, as it only focuses on the security of payment card information.

 

The Digital Operational Resilience Act (DORA)

DORA came into force in 2023. It’s aimed specifically at financial market participants like banks, payment institutions, investment firms, and crypto asset service providers. It also applies to critical third parties that provide information and communication technology (ICT) services, like cloud platforms and data analytics services.The intention of DORA is to ensure those organizations can respond appropriately to ICT-related disruptions and threats, and manage their risk.

 

Not forgetting AI…

 

8. Scalability

Your chosen mobile app security solution must be able to handle your organization’s long-term needs and grow with them too.

Here’s a list to help you assess the scalability of security solutions:

 

Continuous integration and continuous deployment (CI/CD)

CI/CD pipelines automate the testing, integration, and deployment processes. This accelerates development cycles, and ensures that security checks are applied consistently, throughout the development lifecycle.

 

Scalable cloud infrastructure

By leveraging cloud services you can build a scalable infrastructure that can adapt to varying workloads. This can include services like auto-scaling, which allows the app to dynamically adjust resources, based on demand.

 

API security

Secure APIs against potential vulnerabilities (if indeed the app inquisition relies on APIs). Measures such as API key validation, rate limiting, and OAuth for secure authentication and authorization can be implemented to make sure this happens. 

In addition, preserving the foundational code for app attestation is crucial for upholding the integrity and functionality of the application, including API security. It acts as a barrier against malicious alterations, ensuring users can have confidence in the app’s behavior and data management practices. Prioritizing code protection instills greater trust in apps, thereby enhancing the security and resilience of the Android ecosystem, while also safeguarding crucial API endpoints.

 

Monitoring and logging

Robust monitoring and logging systems can track app performance, detect anomalies, and identify security incidents. Real-time monitoring allows developers to address any scalability issues that arise promptly, while comprehensive logging helps with post-incident analysis and security forensics.

 

9. Personalization

Can your mobile app security solution be tailored to your changing needs?

Personalization in app security terms might, for instance, mean supporting you in meeting new or changing compliance goals — which might become necessary if you’re eyeing a territory with different or more stringent security requirements.

 

10. Reliable support

Your chosen app security solution needs to come with strong technical support, alongside general support. Consider availability, resources for non-technical stakeholders, and multi-language support if you have a multicultural organization or security team.

 

 

What all this ultimately means

The technical requirements you need in a mobile app security solution all share a common aim — to protect against threats like malware injection, reverse engineering, and repackaging.