plq | 10 months ago

"Force" upgrades? What do you mean?

szszrk | 10 months ago

Check for vulnerabilities in dependencies and do the same thing they described in this post, just with... meaningful feedback.

I'm more an infra guy, and such scans are actually absolutely awesome. I see everything in my k8s clusters, all java/python dependencies that need attention.

I'm more surprised how anyone can run an app for more than 2 weeks with no high severity vulnerabilities. I guess mobile doesn't have the same attack vectors, but still

Groxx | 10 months ago

Mobile has unbelievably smaller attack vectors due to the hefty sandboxing, as long as you're doing normal things and not including a bunch of janky ad libraries. You're largely just contacting APIs you control and not running arbitrary code, and there's no outside connections coming in at all - lots of extremely bad CVEs are completely irrelevant in that context.

Sure, you can bend your scope to make them relevant... but if you've got someone who can control your system in ways you didn't build by bypassing the OS protections, they already have control of the device and can do darn near anything. If you haven't protected from that, and it's frequently not possible, many other protections are meaningless.

Your backend though has to handle this kind of malicious-modified-client scenario, as well as random connections from code you don't control at all.

(This is not true for all apps of course, but for B2B stuff? Most small companies? Frequently valid)
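Worked illustration of the two points above, the "meaningful feedback" szszrk wants from a dependency scan and Groxx's observation that attack vector decides whether a CVE matters for a client-only app. This is an added example, not code from the thread or from any scanner; the `Finding` shape, the sample findings and the "accepts inbound connections" profile are all assumptions constructed for it.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    fixed_version: Optional[str]  # None when no patched release exists yet
    severity: str                 # LOW / MEDIUM / HIGH / CRITICAL
    cvss_vector: str              # CVSS v3.x vector string from the advisory

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}

def attack_vector(vector: str) -> str:
    """Extract the CVSS 'AV' metric: N=network, A=adjacent, L=local, P=physical."""
    for metric in vector.split("/"):
        if metric.startswith("AV:"):
            return metric[3:]
    return "?"  # malformed or missing vector: treat as unknown, never as harmless

def triage(findings, accepts_inbound, min_severity="HIGH"):
    """Sort findings into (act_now, deferred, no_fix); each entry carries a reason.

    accepts_inbound=False models the mobile/client case from the thread: the
    component only calls out to APIs it controls and nothing connects in, so
    network-vector findings are deferred (still upgraded, just not paged on).
    This is an illustrative heuristic (assumption), not any scanner's policy.
    """
    act_now, deferred, no_fix = [], [], []
    for f in findings:
        if SEVERITY_RANK.get(f.severity.upper(), 0) < SEVERITY_RANK[min_severity]:
            deferred.append((f, f"below {min_severity} threshold"))
        elif attack_vector(f.cvss_vector) == "N" and not accepts_inbound:
            deferred.append((f, "network attack vector, but nothing connects inbound"))
        elif f.fixed_version is None:
            no_fix.append((f, "no fixed release yet; track upstream, consider removing"))
        else:
            act_now.append((f, f"upgrade {f.package} {f.version} -> {f.fixed_version}"))
    return act_now, deferred, no_fix

# Constructed sample scan output: package names, versions and vectors are made up.
SAMPLE_FINDINGS = [
    Finding("libfoo", "1.2.0", "1.2.1", "CRITICAL", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    Finding("libbar", "0.9.0", None, "HIGH", "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"),
    Finding("libbaz", "2.0.0", "2.1.0", "HIGH", "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"),
    Finding("libqux", "3.3.0", "3.4.0", "MEDIUM", "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"),
]

if __name__ == "__main__":
    for profile in (True, False):  # backend service vs. client-only app
        act, defer, nofix = triage(SAMPLE_FINDINGS, accepts_inbound=profile)
        print(f"accepts_inbound={profile}: act now {len(act)}, deferred {len(defer)}, no fix {len(nofix)}")
        for f, why in act + nofix:
            print(f"  {f.severity:8} {f.package}: {why}")
```

Running it shows the same scan producing two different to-do lists: the backend profile must act on both high-vector findings, while the client-only profile is paged only for the local-vector one.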