NowSecure, the leading standards-based mobile app security and privacy software company, announced an early access program for NowSecure Platform Software Bill of Materials (SBOM). Organizations can now gain visibility into the critical components of any mobile app running on iOS or Android, including the native and third-party libraries and frameworks, the endpoints and geolocation of any detected data transmission, and a summary of the vulnerabilities present, so that they can better understand the risks in their mobile apps and meet the new federal SBOM standards.
Software supply-chain attacks have increased by 650% in the past year, with recent major incidents involving SolarWinds, Microsoft, Kaseya and others. Although mobile apps now account for the majority of digital time spent, far ahead of the web, and mobile breaches more than doubled in 2021, there has been no comprehensive mobile-specific approach to protecting the mobile software supply chain. The recent White House Executive Orders have recognized the software supply chain imperative by requiring new federal SBOM standards. To close this mobile app supply chain security gap, NowSecure has extended the NowSecure Platform with new dynamic SBOM generation capabilities and is making free SBOM reports available to all software developers and corporate risk and security teams.
“Mobile apps are the new gateway to the enterprise, and first-party and third-party libraries and frameworks in those mobile apps have become a primary path for attacks,” said NowSecure CEO Alan Snyder. “SBOMs are foundational items that should be generated for EVERY new version of a mobile app so that everyone knows what is in the software that they are using, and so that the enterprise can protect itself from critical supply-chain risks. Organizations are already doing this for web apps and will now be able to get much needed observability into their mobile app supply chain.”
As the world’s first mobile SBOM solution, NowSecure goes beyond traditional SBOM generation from source code analysis to deliver more comprehensive results. Purpose-built for mobile apps, the NowSecure Platform generates SBOMs by statically and dynamically analyzing the compiled mobile app binary while it runs on real iOS and Android devices, producing rich detail on libraries, frameworks, API endpoints, data-transmission destinations and summary vulnerability information. Because it works from the compiled binary rather than from source, it can process both internally developed mobile apps and public apps from the Apple and Google app stores, providing critical insight to enterprises using any of the more than 6 million commercial apps.
Using the NowSecure Platform SBOM tool, organizations can gain visibility into four critical details of any mobile app running on iOS or Android so that they can better understand the supply chain risks in the mobile apps they build and use:
- the list of first-party and third-party libraries and frameworks found directly in the compiled mobile app binary or identified as transitive dependencies, with the version detected alongside the most recent published version of each
- the licenses relevant to each component of the mobile app
- the list of endpoints and geolocation information for any detected data transmission found during dynamic analysis
- a summary of security vulnerabilities detected while dynamically analyzing the mobile app to generate the SBOM
The NowSecure SBOM is delivered as a PDF report and as a machine-readable data feed in the industry-standard CycloneDX format. Consuming that feed gives immediate, actionable results:
- visibility into the libraries and frameworks included in every mobile app
- libraries and frameworks that are running older versions than the current published release
- components that a previous review required to be removed but that are still present in the binary
- component licenses that violate internal or external policy
- where the app’s data is going, including unapproved APIs and destinations
- summary vulnerability information that flags where further testing and inspection is needed
Comparing the SBOMs of successive versions of a mobile app also surfaces changes made by the developer that may require further analysis.
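Consuming the CycloneDX feed is where the practitioner work happens. The following is an added example, not NowSecure code or output: it loads two constructed CycloneDX 1.4 JSON SBOMs for successive builds of a hypothetical app (com.example.shop), diffs them, and applies a constructed policy to flag outdated versions, denied licenses, components that should have been removed, and transmission endpoints outside an allowlist. The field layout (components with licenses, services with endpoints) follows the CycloneDX JSON schema; which fields NowSecure populates, and the library names, versions, licenses and hosts used here, are assumptions made for the example.

```python
"""Review two CycloneDX JSON SBOMs for successive builds of a mobile app.

Added example, not NowSecure code. The SBOMs and the policy are constructed;
the layout (components/licenses, services/endpoints) follows CycloneDX 1.4.
"""
import json
from urllib.parse import urlparse

# Constructed SBOM for app version 1.0 (hypothetical app, not real output).
SBOM_V1 = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
  "metadata": {"component": {"type": "application", "name": "com.example.shop", "version": "1.0"}},
  "components": [
    {"type": "library", "group": "com.squareup.okhttp3", "name": "okhttp", "version": "4.9.0",
     "purl": "pkg:maven/com.squareup.okhttp3/okhttp@4.9.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "group": "com.google.code.gson", "name": "gson", "version": "2.8.5",
     "purl": "pkg:maven/com.google.code.gson/gson@2.8.5", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "group": "com.example.legacy", "name": "old-crypto-shim", "version": "0.3",
     "licenses": [{"license": {"name": "Proprietary"}}]}
  ],
  "services": [
    {"name": "backend", "endpoints": ["https://api.example.com/v1/"]},
    {"name": "crash-reporting", "endpoints": ["https://crash.example-vendor.com/upload"]}
  ]
}""")

# Constructed SBOM for version 1.1: okhttp bumped, gson left behind, the shim that
# was supposed to be removed still present, a GPL SDK and a new tracker host added.
SBOM_V2 = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
  "metadata": {"component": {"type": "application", "name": "com.example.shop", "version": "1.1"}},
  "components": [
    {"type": "library", "group": "com.squareup.okhttp3", "name": "okhttp", "version": "4.10.0",
     "purl": "pkg:maven/com.squareup.okhttp3/okhttp@4.10.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "group": "com.google.code.gson", "name": "gson", "version": "2.8.5",
     "purl": "pkg:maven/com.google.code.gson/gson@2.8.5", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "group": "com.example.legacy", "name": "old-crypto-shim", "version": "0.3",
     "licenses": [{"license": {"name": "Proprietary"}}]},
    {"type": "library", "group": "com.example.thirdparty", "name": "analytics-sdk", "version": "1.2.0",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]}
  ],
  "services": [
    {"name": "backend", "endpoints": ["https://api.example.com/v1/"]},
    {"name": "crash-reporting", "endpoints": ["https://crash.example-vendor.com/upload"]},
    {"name": "analytics", "endpoints": ["https://telemetry.example-tracker.net/collect"]}
  ]
}""")

# Constructed review policy: newest published versions, denied licenses, approved
# transmission hosts, and components an earlier review required to be removed.
POLICY = {
    "latest": {"com.squareup.okhttp3:okhttp": "4.10.0", "com.google.code.gson:gson": "2.10.1"},
    "denied_licenses": {"GPL-3.0-only", "AGPL-3.0-only"},
    "allowed_hosts": {"api.example.com", "crash.example-vendor.com"},
    "must_be_removed": {"com.example.legacy:old-crypto-shim"},
}


def component_key(c):
    """group:name identifies a component across versions; the version is compared separately."""
    return f"{c.get('group', '')}:{c['name']}"


def component_index(bom):
    return {component_key(c): c for c in bom.get("components", [])}


def licenses_of(c):
    """CycloneDX allows an SPDX id, a free-text name, or an SPDX expression per entry."""
    ids = []
    for entry in c.get("licenses", []):
        if "license" in entry:
            ids.append(entry["license"].get("id") or entry["license"].get("name", "unknown"))
        elif "expression" in entry:
            ids.append(entry["expression"])
    return ids


def version_tuple(v):
    """Numeric dotted-version ordering; non-numeric suffixes such as -rc1 are ignored."""
    out = []
    for part in v.split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        out.append(int(digits or 0))
    return tuple(out)


def diff_sboms(old, new):
    """Added, removed and version-changed components between two builds."""
    a, b = component_index(old), component_index(new)
    changed = sorted(k for k in set(a) & set(b) if a[k]["version"] != b[k]["version"])
    return {"added": sorted(set(b) - set(a)), "removed": sorted(set(a) - set(b)),
            "changed": [(k, a[k]["version"], b[k]["version"]) for k in changed]}


def outdated(bom, latest):
    """Components whose detected version is behind the newest published version."""
    return sorted((k, c["version"], latest[k]) for k, c in component_index(bom).items()
                  if k in latest and version_tuple(c["version"]) < version_tuple(latest[k]))


def license_violations(bom, denied):
    return sorted((k, lic) for k, c in component_index(bom).items()
                  for lic in licenses_of(c) if lic in denied)


def unapproved_endpoints(bom, allowed_hosts):
    """Transmission destinations from the services section whose host is not allowlisted."""
    endpoints = {ep for svc in bom.get("services", []) for ep in svc.get("endpoints", [])}
    return sorted(ep for ep in endpoints if urlparse(ep).hostname not in allowed_hosts)


def lingering(bom, must_be_removed):
    """Components a previous review required removing that are still in the binary."""
    return sorted(k for k in component_index(bom) if k in must_be_removed)


def review(old, new, policy):
    """One report a risk reviewer can act on: what changed, what is stale, what breaks policy."""
    return {"diff": diff_sboms(old, new),
            "outdated": outdated(new, policy["latest"]),
            "license_violations": license_violations(new, policy["denied_licenses"]),
            "unapproved_endpoints": unapproved_endpoints(new, policy["allowed_hosts"]),
            "lingering": lingering(new, policy["must_be_removed"])}


if __name__ == "__main__":
    print(json.dumps(review(SBOM_V1, SBOM_V2, POLICY), indent=2))
```

In practice the two documents would be loaded from the CycloneDX files exported for each build and the policy kept in version control beside the pipeline; the version comparison is deliberately simple (numeric dotted versions only) and should be replaced with a package-ecosystem-aware comparator when the feed mixes Maven, CocoaPods and Swift Package Manager components.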
“With the explosive growth in mobile, especially in the workplace, it has become increasingly important to elevate the transparency for the mobile apps we use every day — and the underlying software components they depend on,” said Steve Springett, chair of the OWASP CycloneDX project. “The CycloneDX SBOM standard is a result of security experts and industry coming together to create an SBOM standard that delivers the transparency and interoperability necessary to communicate software inventory and the relationships across different systems. We’re excited that NowSecure supports the CycloneDX SBOM standard — a tremendous victory for the mobile space and for NowSecure customers.”
The NowSecure Platform SBOM early access program is part of the world’s most comprehensive suite for mobile app security including NowSecure Platform for continuous security testing in the development pipeline for DevSecOps, NowSecure Workstation kit for pen tester productivity, NowSecure Supply Chain Risk Management, NowSecure Pen Testing Services, and NowSecure Academy training courseware for dev and security teams. Built on a foundation of standards and automation, NowSecure empowers organizations to drive their success by delivering secure mobile apps faster and by continuously monitoring their mobile app supply chains for risk. Top mobile innovators, global businesses and agencies trust NowSecure to secure their mobile apps including AT&T, Caribou Coffee, iRobot, Uber, and Zoom.