June 05, 2012, 2:00 PM — The place to start to bolster security in mobile applications is in the development stage. Catch and fix vulnerabilities then and the final product will be more difficult for hackers to penetrate.
IBM on Tuesday unveiled software specifically tailored for testing apps that run on Android-powered smartphones and tablets. The new product is an extension of IBM AppScan, formerly called Rational AppScan.
Until now, the testing tools used in building client-side software that runs on a personal computer have been incapable of evaluating flaws in mobile applications. One reason is that mobile platforms often use languages specific to the environment. Another is that the testing tools have to understand the mobile framework, including the application programming interfaces (APIs) used to support the software.
IBM said it has addressed these requirements.
"The pitch we've been giving, and many people have been giving for years now, is do lots of scanning and do it early in the development lifecycle, because it costs you less to fix problems," Caleb Barlow, director of application, data and mobile security at IBM, said.
IBM's product goes beyond competing software from Veracode and Cenzic by testing the application source code that runs on the mobile device and the services that software talks to on the backend. These two types of testing are often referred to as static and dynamic, respectively.
"At this point, what is unique with IBM's solution is the combination of static and dynamic techniques applied at the same time, which is really the best way to test a mobile application," Gartner analyst Neil MacDonald said.
Mobile applications are not new, but vendors are just starting to develop tools that address the uniqueness of the software, MacDonald said.
"What's new is the realization that these need to be tested every bit as much as any other enterprise application," he said. "And that the testing tools that [companies] currently might have are not well suited for testing mobile applications."
Vulnerabilities that occur as a result of developer mistakes include an app's mishandling of encryption keys or personally identifiable information, MacDonald said. Mistakes are often made in developing against APIs, so the app exposes too much information.
IBM has integrated AppScan with Q1 Radar, the company's security-event management product. Acquired last fall with the purchase of Q1 Labs, Q1 Radar collects log data from applications in production and watches for events that would indicate a possible attack.