NowSecure Announces Software Bill of Materials For Mobile Apps


NowSecure, the leading standards-based mobile app security and privacy software company, announced an early access program for the NowSecure Platform Software Bill of Materials (SBOM).

Organisations can now gain visibility into the critical components of any mobile app running on iOS or Android, including the native and third-party libraries and frameworks, the endpoints and geolocation of any detected data transmission, and a summary of the vulnerabilities present, so that they can better understand the risks in their mobile apps and meet new federal SBOM requirements.

Software supply-chain attacks have increased by 650 per cent in the past year, with recent major incidents at SolarWinds, Microsoft, Kaseya and others. Although mobile apps dominate digital time spent compared with the web, and mobile breaches more than doubled in 2021, there was no comprehensive mobile-specific approach to protecting the mobile software supply chain. To close the mobile app supply chain security gap, NowSecure has extended the NowSecure Platform with new dynamic SBOM generation capabilities and is making free SBOM reports available to all software developers and corporate risk and security teams.

NowSecure goes beyond traditional SBOM source code analysis techniques to deliver more comprehensive results. Purpose-built for mobile apps, the NowSecure Platform SBOMs are generated by statically and dynamically analysing the compiled mobile app binary running on real iOS and Android devices, generating rich details on libraries, frameworks, API endpoints, data transmission location and summary vulnerability information. Because NowSecure analyses the compiled mobile app binary, it can process both internally developed mobile apps and public apps found in the Apple and Google app stores, providing critical insights to enterprises using any of the more than 6 million commercial apps.


Using the NowSecure Platform SBOM tool, organisations can gain visibility into four critical details of any mobile app running on iOS or Android so that they can better understand the supply chain risks in the mobile apps they build and use:

  • The list of first-party and third-party libraries and frameworks found directly, or identified as transitive dependencies, in the compiled mobile app binary, along with the most recent published version of each
  • The licences relevant to each component of the mobile app
  • The list of endpoints and geolocation information for any data transmission detected during dynamic analysis
  • A summary of security vulnerabilities detected while dynamically analysing the mobile app to generate the SBOM

The NowSecure SBOM provides PDF reports and machine-readable, industry-standard CycloneDX data feeds. These deliver immediate, actionable benefits: visibility into the libraries and frameworks included in all mobile apps, pinpointing libraries and frameworks that are on older versions, identifying components that were previously required to be removed but remain, uncovering component licences that violate internal or external policies, understanding where data is going (including unapproved APIs and destinations), and visibility into summary vulnerability information that requires further testing and inspection. Furthermore, comparing SBOMs from different versions of a mobile app reveals changes made by the developer that may require further analysis.
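The four details listed above and the checks described in this paragraph are exactly what a consumer of a CycloneDX feed can automate. The following is an added example, not NowSecure code: it builds two constructed CycloneDX 1.4 JSON documents (components[] and services[].endpoints[] follow the real schema; the app "example-shop", its libraries, the `LATEST_PUBLISHED` version feed and the policy sets are all hypothetical) for two builds of one app, then reports outdated libraries, banned components still shipped, licence policy violations, network destinations, and the diff between builds.

```python
"""Consume CycloneDX JSON SBOMs of two builds of a mobile app and derive the
checks a risk team wants: versions behind the latest published release, banned
components still present, denied licences, data destinations, and build-to-build
changes. SBOMs, version feed and policy below are constructed for the example;
the document layout follows the CycloneDX 1.4 JSON schema."""
import re


def _component(group, name, version, license_id):
    """One CycloneDX 'library' component entry (helper for the constructed SBOMs)."""
    return {
        "type": "library", "group": group, "name": name, "version": version,
        "purl": f"pkg:maven/{group}/{name}@{version}",
        "licenses": [{"license": {"id": license_id}}],
    }


# Constructed SBOM for build 1.0 of the hypothetical app "example-shop".
SBOM_V1 = {
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "metadata": {"component": {"type": "application", "name": "example-shop", "version": "1.0"}},
    "components": [
        _component("com.squareup.okhttp3", "okhttp", "3.12.0", "Apache-2.0"),
        _component("com.example", "legacy-tracker", "0.9", "GPL-3.0-only"),
    ],
    "services": [{"name": "shop-api", "endpoints": ["https://api.example.com/v1"]}],
}

# Constructed SBOM for build 1.1: okhttp bumped, a crash reporter added, the tracker
# that was supposed to be removed still ships, and a new upload endpoint appears.
SBOM_V2 = {
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "metadata": {"component": {"type": "application", "name": "example-shop", "version": "1.1"}},
    "components": [
        _component("com.squareup.okhttp3", "okhttp", "4.9.0", "Apache-2.0"),
        _component("com.example", "legacy-tracker", "0.9", "GPL-3.0-only"),
        _component("io.example", "crashkit", "2.1.0", "MIT"),
    ],
    "services": [
        {"name": "shop-api", "endpoints": ["https://api.example.com/v1"]},
        {"name": "crash-upload", "endpoints": ["https://ingest.example.net/crash"]},
    ],
}

# Constructed stand-in for an upstream "latest published version" feed, and an
# example policy: components that must not ship and licences that are not allowed.
LATEST_PUBLISHED = {"com.squareup.okhttp3/okhttp": "4.10.0",
                    "com.example/legacy-tracker": "0.9", "io.example/crashkit": "2.1.0"}
BANNED_COMPONENTS = {"com.example/legacy-tracker"}
DENIED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}


def components(bom):
    """Map 'group/name' -> component dict for every component in the BOM."""
    return {f"{c.get('group', '')}/{c['name']}": c for c in bom.get("components", [])}


def version_key(v):
    """Sortable key for 'x.y.z[-pre]' versions; a pre-release sorts below its final release."""
    core, _, pre = v.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in re.split(r"\.", core))
    return nums, (0 if pre else 1), pre


def outdated(bom, latest=LATEST_PUBLISHED):
    """Components whose shipped version is behind the latest published version."""
    out = {}
    for key, c in components(bom).items():
        newest = latest.get(key)
        if newest and version_key(c["version"]) < version_key(newest):
            out[key] = (c["version"], newest)
    return out


def licenses_of(c):
    """SPDX ids (or names / expressions) declared on a component."""
    ids = []
    for entry in c.get("licenses", []):
        if "expression" in entry:
            ids.append(entry["expression"])
        else:
            lic = entry.get("license", {})
            ids.append(lic.get("id") or lic.get("name", "UNKNOWN"))
    return ids


def policy_violations(bom, banned=BANNED_COMPONENTS, denied=DENIED_LICENSES):
    """Banned components still shipped, and components carrying a denied licence."""
    comps = components(bom)
    return {
        "banned_present": sorted(k for k in comps if k in banned),
        "license_violations": sorted((k, lic) for k, c in comps.items()
                                     for lic in licenses_of(c) if lic in denied),
    }


def endpoints(bom):
    """Every network destination recorded in the BOM's services."""
    return {e for s in bom.get("services", []) for e in s.get("endpoints", [])}


def diff(old, new):
    """Build-to-build changes: components added/removed/bumped and endpoints added."""
    a, b = components(old), components(new)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "changed": {k: (a[k]["version"], b[k]["version"])
                    for k in a.keys() & b.keys() if a[k]["version"] != b[k]["version"]},
        "new_endpoints": sorted(endpoints(new) - endpoints(old)),
    }


if __name__ == "__main__":
    print("outdated:", outdated(SBOM_V2))
    print("policy:", policy_violations(SBOM_V2))
    print("diff 1.0 -> 1.1:", diff(SBOM_V1, SBOM_V2))
```

Run against the two constructed builds, the script flags okhttp as behind the published 4.10.0, the GPL-licensed `legacy-tracker` as both banned and licence-violating, and the new crash-upload endpoint as a destination that did not exist in build 1.0. A real pipeline would load the JSON from the platform's feed instead of the inline dicts and source the version feed from the package registries.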