If you keep up with the latest cybersecurity-related regulations, you’ve probably heard of the new proposal for a Cyber Resilience Act that was presented last September by the European Commission. In case you didn’t hear, the Cyber Resilience Act is a new piece of legislation aimed at improving the cybersecurity posture of organizations that leverage digital assets.
In response to the increasing number and cost of successful cyberattacks, which are estimated to cause annual global costs of €5.5 trillion by 2021, the act is focused on ensuring that companies have the necessary policies, procedures, and technologies in place to protect themselves and their customers from cyber threats.
Now, what does it mean for mobile application security? Whether you’re a mobile app developer, a security professional, or a business leader, this blog post will help you gain a better understanding of how the Cyber Resilience Act will affect the AppSec world.
To summarize, this first and one-of-a-kind EU-wide legislation seeks to set common cybersecurity regulations for manufacturers and developers of products with digital elements. It testifies to the European Commission's analysis that cyber risks are a matter of social, political, and economic importance.
First, the low level of cybersecurity and lack of updates provided by many manufacturers can leave businesses and consumers vulnerable to cyberattacks. Additionally, while it is undeniable that vulnerability exploits can cause reputational and business damage to organizations, the cost of vulnerabilities is currently mostly borne by end-users, which limits incentives for businesses to invest in secure design and development.
Secondly, customers lack the accurate and sufficient information they need to make informed decisions about purchasing security products.
While some legislation does exist to protect specific categories of digital products, as of today no coherent cybersecurity standard has been devised for all products leveraging digital assets within the EU market to remedy this state of play. And that is precisely what the Cyber Resilience Act aims to rectify.
Of course, if you work in the field, you’re already aware of the business/development implications of such a regulation. Just remember the General Data Protection Regulation (GDPR) back in 2018. By establishing strict guidelines and requirements for how personal data is collected, processed, and protected, it had a significant impact on the mobile AppSec world.
Suddenly, mobile app developers and manufacturers were legally required to take a much more proactive approach to protecting personal data, and to be more transparent about the types of data they collect and how it is used. Setting this in motion was challenging, to say the least: lack of understanding of the requirements, technical challenges, difficulties in mapping and inventorying data, challenges in ensuring compliance with third-party services, legal difficulties in interpreting and complying with the regulation…
The CRA won’t be an exception. While it is still under review and might very well evolve before it passes, changes are to be expected no matter what.
When the act is implemented, organizations will have to show compliance with the new regulation. That entails being able to prove that they implemented security protections, that they know how much their digital assets are protected, and most importantly, that they made sure the security measures work as expected. The Cyber Resilience Act is an exciting opportunity to stay ahead of the curve in the rapidly evolving field of cybersecurity. Should it pass, organizations will have 2 years to adapt to the new requirements. However, it’s in their best interest to start worrying about it now so they can start taking the necessary steps to be in compliance.
Mobile applications are a critical part of the overall IT system. And like any other part of that system, they need to be designed, developed, and maintained with security in mind. This is especially true considering that apps are released in stores and are therefore accessible to anyone with no way of controlling the device on which they will be executed.
So does the CRA apply to mobile applications? Yes. Yes, it does.
With the increasing prevalence of mobile apps, and the sensitive data that they are used to access, it is essential that they are protected from cyber threats. Yet the security of the mobile application is an issue that has long been neglected. How many times have we heard that protecting the mobile application is not a high priority, considered non-urgent because there is allegedly nothing significant to break there?
While it has to be said that awareness concerning mobile app-related cyber risks is undeniably increasing, the fact is, as of today, mobile applications still fall behind on cybersecurity issues.
Take the banking sector for instance. Last year, with the help of our faithful mobile application security testing tool esChecker, we analyzed more than 120 European banking mobile apps and found that none of them complied with OWASP standards. Vulnerabilities in the system can have disastrous consequences. Remember when LCL’s mobile app was prey to a major cyberattack that led to the embezzlement of over 300.000€? But it’s not just banking apps: lack of cybersecurity in the mobile app is a global issue that plagues many industries, like health or transport, to name just these two.
Thankfully, mindsets are slowly becoming more and more mature, but there is still a lot of work to be done. And the Cyber Resilience Act was specifically designed to accelerate this inevitable movement towards a safer digital environment, which includes more secure mobile applications.
To anticipate the coming regulation's impact on your business, you need to stay ahead of the curve. To do so, you have to embrace a proactive approach towards security and build security into your mobile applications. And we can help!
To address the different issues you might be facing in securing your mobile apps (lack of in-house AppSec expertise, lack of control over the app code as a whole, difficulty in enforcing a consistent security policy for every release, or in setting up a culture of mobile app security, etc.), eShard devised a special offer for any leader willing to empower their engineering team and launch a sustainable initiative for gaining control of the in-house mobile app security.
Build confidence in mobile app security and shift your development processes to take into account the specifics of the mobile environment.