Mobile Application Security

Security strategies designed specifically to combat mobile risk

Don’t assume the same testing methodology you use for web applications is sufficient for your mobile apps. Web-only techniques focus on finding server-side vulnerabilities and miss vulnerabilities in client-side code running on mobile devices. Vulnerabilities in client-side code can be just as serious as server-side vulnerabilities and can lead to your users’ data being compromised.

There is no one-size-fits-all security solution for mobile apps. The security concerns and controls available can vary, depending on whether an app is a native app, mobile web app, or hybrid app, the operating system that the app is running on, as well as whether the app is accessed only by employees or the general public. Cigital understands the particular security concerns and bakes them into the strategies we use to mitigate your risk.

A stunning 33% of companies never test their mobile apps.

The result? More than 11.6 million mobile devices are carrying security vulnerabilities, according to research from IBM and the Ponemon Institute.

Why are security concerns for mobile applications different from web applications?

  • There is no network perimeter. Mobile apps can connect to the Internet through any network, anywhere.
  • Mobile apps are distributed. Mobile apps live on people’s smartphones or tablets, making it difficult to roll out security updates to all users.
  • Mobile apps collect rich data. Hackers find mobile apps attractive targets because they manage customers’ behavioral and other confidential data.
  • Mobile devices are lost or stolen frequently. With physical access to devices, hackers can gain access to stored information – often even if the device is locked and protected using a PIN/password.
  • You can’t control distribution. Many app stores don’t closely monitor app distribution, so attackers can modify and re-release your app with malicious software added to it.
  • Mobile apps can contain sensitive intellectual property. With web apps, your intellectual property is often protected as your business logic is implemented on the server side. With mobile apps, much of your IP may be in the client-side code. Without protections, hackers could reverse engineer your apps and pass your valuable IP off as their own, negatively impacting your revenue.
  • Many traditional security controls don’t work. The small screens on mobile devices make many traditional security controls ineffective or unusable. Replacing traditional controls with ones that are appropriate for the mobile environment requires mobile expertise.

Our security testing addresses mobile apps’ unique requirements

Off-the-shelf testing tools are not designed to identify vulnerabilities in code running on mobile devices. Cigital’s security experts have built a customized security testing suite (including static and dynamic tools that work together) to capture those vulnerabilities accurately and efficiently. In addition, our in-depth manual tests consider every aspect of mobile security, including how components are used and how applications/systems talk to each other.

With Cigital, testing is the beginning of mobile security, not the end

We never leave you on your own to interpret test results and figure out what to do next.

  • Cigital’s mobile specialists review every test to eliminate false positives.
  • Our experts are available for read-out sessions with your team to review results.
  • A 24×7 remediation Help Desk makes sure you have the information and support you need to fix security bugs and flaws and keep your mobile users secure.

How secure are your mobile applications? Cigital can help you find out.

Mobile Application Security Services

Capture and fix security vulnerabilities in mobile apps before launch.

Run-time analysis that highlights areas of insecure communication.

Platform-specific security practices and defensive programming for iOS and Android.

Build security into policies, standards, and metrics for app development.