How a mobile network provider detects mobile app security gaps through vulnerability diagnosis

Detecting Mobile App Security Gaps through Vulnerability Diagnosis

The Background

YTL Communications is a mobile network provider based in Kuala Lumpur, Malaysia, operating under the “YES” brand name. The company offers prepaid and postpaid plans with unlimited data allowances and high-speed internet, in addition to enterprise solutions such as cloud computing, data centre services and managed network services. These offerings have won them numerous awards, including “Fastest Mobile Network in Malaysia 2022” by Ookla at the Mobile World Congress 2023. Over the years, YTL Communications has designed and constructed a secure, non-proprietary infrastructure built upon virtualisation and containerisation to run and manage their customers’ data.

Mr. Jason Heng, Head of IT at YTL Communications, has been with the company since 2009, driving and building the company’s information technology infrastructure, platforms, applications, data and security architecture.

“Mobile app security is a growing concern. According to data, more than 65% of internet users in Asia access the internet using a mobile phone instead of a desktop. Among these users, 92% spend their time fully engaged on mobile apps. This trend has made mobile app security a growing concern as bad actors are targeting unsuspecting victims on their mobile phones using various methods such as malicious apps, phishing attacks, scams, social engineering threats and man-in-the-middle attacks via honeypot Wi-Fi hotspots,” notes Jason.

To stay up to date on the latest threats and security solutions, YTL Communications works closely with their trusted security partners, one of which is SecIron.

Addressing Security Gaps in Mobile App Development

As YTL Communications embarked on their mobile-first strategy and began shifting their development to focus on centralising their customers’ and partners’ self-service experience onto mobile apps, they recognised the need for a solution like IronSCAN.

YTL Communications first realised they had a security gap when they were unable to discover whether their mobile apps had any vulnerabilities in the code layer that could be manipulated by cybercriminals. They evaluated over 50 different features that they wanted the mobile code protection platform to provide, including cross-platform protection for Android and iOS, runtime application self-protection (RASP), JavaScript protection, and code obfuscation and hardening functionalities.

IronSCAN for Mobile App Security Code-Level Inspection, Discoveries and Reporting

YTL Communications compared various open source mobile app scanners, along with proprietary solutions from different providers, to evaluate their effectiveness in securing the company’s mobile apps. Eventually, they chose SecIron due to the clarity of its reports. SecIron’s IronSCAN solution enables YTL Communications to inspect their mobile apps for vulnerabilities at the code level and recommends appropriate remediation at the exact line of code, allowing the company to strengthen the security posture of their mobile apps.

Jason highlighted, “It is an important self-realisation for us that ‘being secure today doesn’t mean that we were secure yesterday, or would remain secure tomorrow.’ There would always be new attacks that target old code to introduce vulnerabilities, even in software that has passed vulnerability assessments. Solely trusting open source scanners is simply too high of a risk for us.”

Enabling Proactive Mobile App Security and Staying Ahead of Threats

The IronSCAN solution aligned seamlessly with YTL Communications’ goal of implementing a shift-left DevSecTestOps mobile app security development framework. Its integration helped the company fill security gaps in their mobile apps and adopt a proactive approach towards security.

By automating the scanning process and integrating the recommended remediation back into their coding pipeline, YTL Communications was able to achieve a highly efficient turnaround time. This empowered their developers to address vulnerabilities quickly, fostering trust and confidence in the app experience while helping them stay ahead of potential cyber threats.

“SecIron’s solution has proven to be a valuable addition and complements our shift-left approach. We cannot afford to waste time sifting through numerous reports from different sources, nor can we take any chances when it comes to the security of our millions of customers’ mobile app transactions and communications,” concludes Jason.

 
