NEW DELHI: The internet is full of new applications but with cases of fake and malicious apps flooding the app stores, it becomes extremely hard for the common man to decide on a trustworthy app.
Bengaluru-based cybersecurity firm CloudSEK has developed BeVigil, a security search engine for mobile apps. The platform not only lets users scan an app and look up its security and metadata details but also encourages developers to audit their own applications.
Team CloudSEK wanted to make the mobile app ecosystem more transparent and empower consumers to make wise security decisions when they download apps on their phones. The team wanted to do this for millions of apps while supporting app developers through every step of the development process. While this seemed a mammoth task in itself, it aligned with CloudSEK’s vision of empowering the cybersecurity community with tools, resources, and support to make security a priority.
Commenting on the inspiration behind BeVigil, Syed Shahrukh Ahmad, Chief Technology Officer (CTO), said, “BeVigil is envisioned to fix what’s broken in the security ecosystem; mainly the lack of tools that are easy to access and use, and security awareness among Android developers. BeVigil will make the risk metrics of apps easy to understand and transparent.”
Ahmad added, “Mobile applications often have vulnerabilities that compromise users’ safety, data, and privacy. BeVigil will enable security researchers and app developers to uncover and resolve these vulnerabilities and make them safer for users.”
The company claims that BeVigil will make the risk metrics of apps easy to understand and transparent. The platform will let Android developers quickly queue their apps for a security scan and receive a detailed scan report that highlights risks and vulnerabilities, so that they can fix them before the app ships to multiple app stores. For example, the report will show the developer which critical permissions the app requests from the user, so the developer can decide whether each of those permissions is actually necessary. All hardcoded passwords, tokens, API keys and endpoints will also be listed in the report, each with a severity rating, so the developer can identify exposed secrets.
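The two report items described above, a list of dangerous permissions requested in the manifest and a list of hardcoded secrets with a severity rating, are the kind of static checks a developer can also run locally before shipping. The following is an added example, not BeVigil's or CloudSEK's code; the manifest, the decompiled source fragment and every secret in it are constructed for the example (the `AKIA...EXAMPLE` key is Amazon's documented placeholder, not a live key), and the permission set is only a subset of Android's dangerous-level permissions.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Subset of Android's "dangerous" protection-level permissions; a real scanner
# would carry the full list for the target API level.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Constructed manifest for a hypothetical lending app (not a real package).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.quickloan">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>
"""

# Constructed decompiled-source fragment; every value below is fake.
SAMPLE_SOURCE = """\
public class ApiClient {
    static final String BASE_URL = "https://api.example-loans.test/v2/";
    static final String AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
    static final String dbPassword = "hunter2";
    static final String AUTH = "Bearer eyJhbGciOiJIUzI1NiJ9.e30.abcdefghijklmnopqrstuvwxyz012345";
}
"""

# (label, pattern, severity). Endpoints are reported at "info" level because a
# URL is not a secret by itself but tells the developer what the app talks to.
SECRET_PATTERNS = [
    ("AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "critical"),
    ("Bearer token", re.compile(r"Bearer\s+[A-Za-z0-9\-_.=]{20,}"), "critical"),
    ("Hardcoded password", re.compile(r"(?i)passw(?:or)?d\s*=\s*\"[^\"]+\""), "high"),
    ("HTTP endpoint", re.compile(r"https?://[^\s\"']+"), "info"),
]


def requested_permissions(manifest_xml):
    """Return every permission name declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def flag_dangerous(permissions):
    """Keep only the permissions that Android classifies as dangerous."""
    return sorted(p for p in permissions if p in DANGEROUS_PERMISSIONS)


def find_secrets(source):
    """Scan source text line by line and record each pattern hit with severity."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for label, pattern, severity in SECRET_PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append({"line": lineno, "type": label,
                                 "severity": severity, "match": match.group(0)})
    return findings


def build_report(manifest_xml, source):
    """Combine both checks into the kind of pre-release report described above."""
    perms = requested_permissions(manifest_xml)
    return {
        "package": ET.fromstring(manifest_xml).get("package"),
        "permissions": perms,
        "dangerous_permissions": flag_dangerous(perms),
        "secrets": find_secrets(source),
    }


if __name__ == "__main__":
    report = build_report(SAMPLE_MANIFEST, SAMPLE_SOURCE)
    print("package:", report["package"])
    print("dangerous permissions:", report["dangerous_permissions"])
    for finding in report["secrets"]:
        print(f"line {finding['line']}: [{finding['severity']}] {finding['type']}: {finding['match']}")
```

On a real APK the manifest is binary XML and must first be decoded (for example with apktool), and the source text would be the decompiled Java/Smali tree rather than a single string; the checks themselves stay the same.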
Sharing the experience of auditing applications during the testing phase, a company official explained that out of 10,000+ apps linked with the digital lending market, 1000+ unique apps were identified as available for download on 40+ Android app stores. These apps were analyzed to identify the ones that might be fraudulent or put users at risk. Multiple factors were considered, mainly requests for dangerous permissions, severe vulnerabilities in the Java code, the presence of hardcoded strings, and so on. One interesting discovery was that multiple fraudulent apps with different app names but similar features could be traced back to a single developer, which led to the discovery of more such suspicious apps.
“We want to make BeVigil the catalyst to raise community-wide support and to raise awareness about security issues present in apps. With our scale and extensive scanning capabilities, we aim to help app developers identify flaws present and provide support when remediating them. This would lead to an increase in security standards and provide transparency to consumers which in turn will make developers and organizations who make these apps consider security seriously in the development process,” Ahmad said.
What goes on behind the scenes once a user searches for a keyword on BeVigil
– Let’s start with what a keyword can be. A keyword can be the name of an app, a package id, a simple query, or a complex regex pattern. This keyword is matched with the metadata of all the apps, and the matches are shown under the default view, which is a list of matched apps along with related information and a security score.
– A user can navigate to a security report of each listed app and get a detailed understanding of the app’s security posture. An alternative listing of the search results is available under the Code view. The search term is matched with the analysed source code of the application, and all hits for the keyword are shown here in a paginated manner, making it easy to navigate and pick out interesting hits.
How BeVigil is going to solve the security issues:
– Threat hunting, looking for relations between multiple apps via common attributes in app metadata or the source code.
– Using the data collected from apps, both metadata and code, to extract interesting features and power machine learning models for use cases such as fraud analysis and malware detection.
– Making useful analytics data available to the developer and security community by analyzing multitudes of apps, studying their features, and picking out interesting data points.
– Discovering links and references to owned assets inside third-party APK files, to identify misuse of backend systems.
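The threat-hunting use case in the list above (relating apps through shared metadata or code attributes), the lending-app finding earlier on the page (several differently named apps traced to one developer) and the last bullet (finding references to your own backend inside third-party APKs) can all be driven from the same per-app records. The following is an added example, not BeVigil's code; the app records, signing-certificate fingerprints, developer e-mail addresses and endpoints are all constructed, and `OWN_PACKAGES` and `OWNED_DOMAINS` are assumed inputs a defending organisation would supply about itself.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Assumed inputs describing the defender's own apps and backend domains.
OWN_PACKAGES = {"com.ourbank.mobile"}
OWNED_DOMAINS = {"ourbank.test"}

# Constructed per-app records of the kind a scanner extracts from an APK:
# package name, signing-certificate fingerprint, developer contact and the
# backend endpoints found in the code. All values are fake.
APP_RECORDS = [
    {"package": "com.example.quickloan", "cert_sha256": "aaaa1111",
     "developer_email": "dev1@lenders-example.test",
     "endpoints": ["https://api.loans-one.test/v1"]},
    {"package": "com.example.fastcash", "cert_sha256": "aaaa1111",
     "developer_email": "dev2@lenders-example.test",
     "endpoints": ["https://api.loans-one.test/v1"]},
    {"package": "com.example.easyrupee", "cert_sha256": "bbbb2222",
     "developer_email": "Dev1@lenders-example.test",
     "endpoints": ["https://api.easyrupee.test/"]},
    {"package": "com.example.budgetnotes", "cert_sha256": "cccc3333",
     "developer_email": "notes@example.test",
     "endpoints": ["https://api.ourbank.test/v1/balance"]},
    {"package": "com.ourbank.mobile", "cert_sha256": "dddd4444",
     "developer_email": "security@ourbank.test",
     "endpoints": ["https://api.ourbank.test/v1"]},
]


def _hostname(url):
    return urlparse(url).hostname or ""


def link_keys(record):
    """Attributes on which two apps are considered related."""
    keys = {("cert", record["cert_sha256"]),
            ("email", record["developer_email"].lower())}
    for url in record["endpoints"]:
        keys.add(("host", _hostname(url)))
    return keys


def cluster_apps(records):
    """Group apps into connected components over shared link keys (union-find)."""
    parent = {r["package"]: r["package"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_owner = {}
    for r in records:
        for key in link_keys(r):
            if key in first_owner:
                ra, rb = find(first_owner[key]), find(r["package"])
                if ra != rb:
                    parent[rb] = ra
            else:
                first_owner[key] = r["package"]

    groups = defaultdict(set)
    for pkg in parent:
        groups[find(pkg)].add(pkg)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


def shared_attributes(records, packages):
    """Explain a cluster: the keys that more than one of its members share."""
    holders = defaultdict(set)
    for r in records:
        if r["package"] in packages:
            for key in link_keys(r):
                holders[key].add(r["package"])
    return sorted(k for k, pkgs in holders.items() if len(pkgs) > 1)


def third_party_asset_references(records):
    """Apps that are not ours but reference endpoints on our owned domains."""
    hits = []
    for r in records:
        if r["package"] in OWN_PACKAGES:
            continue
        for url in r["endpoints"]:
            host = _hostname(url)
            if any(host == d or host.endswith("." + d) for d in OWNED_DOMAINS):
                hits.append((r["package"], url))
    return sorted(hits)


if __name__ == "__main__":
    for group in cluster_apps(APP_RECORDS):
        print(group, "linked by", shared_attributes(APP_RECORDS, set(group)))
    print("third-party apps touching our backend:", third_party_asset_references(APP_RECORDS))
```

A shared signing certificate is the strongest link, since only the holder of the private key can produce it; a shared contact address or backend host is weaker and, for popular SDK hosts, would need an exclusion list to avoid linking unrelated apps. The asset check is a starting point for investigation, not a verdict: a legitimate partner app may call your API, so the hit list should be reconciled against known integrations.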