New research from HP finds 9 out of 10 mobile apps have obvious security flaws
In the rush to deliver enterprise mobile apps to employees, it seems that even the largest Global 2000 companies are forgetting about their own established IT security practices. While this may not seem so surprising considering the immense pressure to deliver apps that let people take their work on the road, this is still an alarming trend just waiting to be exploited.
2,107 mobile apps from 601 companies on the Global 2000 list were tested by HP Fortify, the company’s enterprise security division. While these tests were limited to the iOS platform – HP claims there is good reason to believe these same issues would exist on Android and other mobile platforms.
According to the tests – the most common and easily addressable security vulnerability issues generally fall into four categories:
- While 97% of the tested apps were able to access private data such as personal address books and social media pages – 86% of these apps did not have adequate security measures in place to protect them from the most common exploits.
- 86% of apps tested lacked binary hardening – which leaves applications vulnerable to information disclosure, buffer overflows, and otherwise poor performance.
- 75% percent of applications did not use proper encryption techniques when storing data on mobile devices. Often leaving data such passwords, personal information, session tokens, documents, chat logs, and photos unencrypted – and easily accessible with the right techniques.
- 18% of apps tested sent user names and passwords over regular HTTP (rather than the more secure HTTPS). Out of the remaining 82%, another 18% implemented SSL/HTTPS incorrectly – leaving sensitive data vulnerable to data sniffers.
As you can imagine, this is quite a serious issue for businesses and the people who depend on having their data and privacy protected. Fortify essentially used an automatic scanning tool to detect these vulnerabilities, and has openly challenged big corporations to do something about it.
These issues and vulnerabilities are not something new, and fixing these issues has long been well understood. According to Fortify nearly all these vulnerabilities can be identified and remediated by running a security assessment test – before releasing a mobile application.
While software development is not a perfect science, it is critical that such security assurance policies are in place to protect both the companies and the users. Though mobile technologies are progressing at a tremendous pace, this does not excuse the lack of foresight that seems to be prevailing at the moment.
Fortify’s conclusions form the study are that mobile developers need to follow well established best practices, if they do not want to expose their users to attack. There are plenty of scanning tools available to help do this, as well as many secure coding development lifecycle approaches that should be used.