11/20/2013 11:30 AM

Mobile App Security: 5 Frequent Woes Persist

HP Fortify study finds five frequent problems that make mobile apps vulnerable, recommends simple-to-implement information security fixes.

How many mobile apps are secure enough for business use?

According to one study of more than 2,000 mobile apps, 97% accessed at least one source of private information stored on a device, while 86% lacked basic information security measures that would defend the app against frequent types of attacks.

Those findings come from a new study from HP Fortify, which scanned 2,107 apps from 601 different businesses that HP said were all listed on the Forbes list of the top 2,000 global companies. "The most common -- and critical -- issues we see are failing to use encryption when writing to the file system, not securing data being sent over the network, and having a highly insecure server configuration on the backend that often leads to numerous critical vulnerabilities," said Maria Bledsoe, senior manager of product marketing for HP Fortify, via email. "These server-based issues commonly include SQLi [SQL injection], XSS [cross-site scripting], Web Services flaws, authentication and session management weaknesses, logic flaws, and many more."

What types of apps did HP study? "Applications run the gamut from banking to marketing for consumer goods companies, to business-targeted apps," said Bledsoe, who noted that the studied apps spanned 22 different app store categories. But the majority of apps studied by HP hailed from these categories: finance (22%), business (21%), lifestyle (10%), utilities (8%), enterprise (5%), travel (4%), games (4%), and medical (3%).

Here are the five most frequent mobile app security problems that HP spotted.

1. Privacy shortcomings
As noted, the study found that 97% of tested apps had potentially inappropriate access to at least one source of private information on the mobile device. "In our research, we found banking apps that integrated with social media, chat apps that sent chat logs to be analyzed for future purchasing trends, and many, many applications that track you via geolocation," according to HP.

Access to contact lists was also a problem. "We found that a whopping 97% of applications had access to [this] and were able to share this type of data," HP reported. "Worst of all, most of this data is sent off to third-party companies over HTTP."

2. Missing binary protections
The HP study found that 86% of studied apps lacked binary protections: build-time hardening that makes a compiled app harder to reverse engineer or tamper with. The measures HP lists are stripping symbols, obfuscating code, removing embedded build paths that disclose internal project structure, compiler defences against buffer and stack overflow exploitation, and detecting jailbroken or rooted devices. Without them, anyone with a copy of the app binary can recover its logic, hard-coded secrets and API endpoints with little effort. "We found an alarming number of applications did not implement these easy-to-use security protections," according to HP.

3. Encryption fail
Implementing encryption correctly is tough. Last year, for example, a study of 13 iOS password managers found that only one properly implemented strong crypto. If password manager apps can't do it correctly, is there hope for more general-purpose apps?

Perhaps it's no surprise, then, that HP found that 75% of studied apps -- which stored everything from passwords, personal details, and session tokens, to documents, chat logs, and photos -- either failed to use encryption or to implement it properly. As a result, the data stored by the apps was accessible "to anyone who has an unlocked, powered-on phone in their possession," according to the study. Without strong encryption, correctly implemented, "losing your phone is equal to losing your [high-value] data," according to the study.

4. Poor transport layer security (TLS)
Of the apps studied by HP, 18% transmitted usernames and passwords in plaintext over HTTP. Of the remaining 82%, a further 18% failed to implement SSL/TLS correctly. In some cases, for example, apps defaulted to a social media site's HTTP endpoint when an HTTPS endpoint was available.

Using HTTP to transmit sensitive information is bad because "anyone with a malicious mind on your same network -- think coffee shop, work WiFi, airport, or any server between you and a very far away website -- can sniff your data," according to HP. Meanwhile, incorrect implementations of SSL/TLS (typically an app that disables certificate validation or hostname checking to make connection errors go away) leave app users open to man-in-the-middle attacks: the attacker presents a spoofed certificate, the app accepts it, and the attacker can read and alter everything the app sends.

Finally, poorly written mobile apps can spill the legitimate credentials and session tokens that the back-end web application relies on to verify a user's identity, handing anyone who captures them the same access as the user.
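The two transport failure modes in this section, falling back to plain HTTP and accepting any certificate, encoded as checks a code review or unit test can run. This is an added example in Python, not code from the HP study or the article; the host names under example.test and the DER bytes in the pinning demo are constructed placeholders, and the "fix" for HTTP fallback assumes the app's own back end always serves HTTPS.

```python
"""Client-side transport checks for a mobile app's back-end calls.

Added example (not from the HP study or the article). It covers:
 1. an app that falls back to http:// for a host that serves HTTPS,
 2. an SSL/TLS context that accepts any certificate, which is what lets
    a spoofed certificate complete a man-in-the-middle attack, and
 3. certificate pinning by SHA-256 fingerprint, which rejects a cert that
    would otherwise pass validation because a rogue CA issued it.
"""
import hashlib
import hmac
import ssl
from urllib.parse import urlparse


def enforce_https(url: str) -> str:
    """Return the URL upgraded to https://, or raise if it cannot be made safe.

    Assumes the app's back end (placeholder hosts under example.test) always
    serves HTTPS, so http:// is an app bug, not a server limitation. Any other
    scheme (e.g. a javascript: URL smuggled in through a deep link) is refused
    instead of being handed to the networking layer.
    """
    parts = urlparse(url)
    if parts.scheme == "https":
        return url
    if parts.scheme == "http":
        # Upgrade instead of silently sending credentials in the clear.
        return parts._replace(scheme="https").geturl()
    raise ValueError(f"refusing non-web scheme: {parts.scheme!r}")


def audit_context(ctx: ssl.SSLContext) -> list:
    """List the misconfigurations that make a TLS client MITM-able."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: a spoofed certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname disabled: any valid cert for any hostname is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 allowed")
    return findings


def insecure_client_context() -> ssl.SSLContext:
    """The pattern the study describes: 'make the certificate error go away'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # accepts whatever certificate the peer sends
    return ctx


def secure_client_context() -> ssl.SSLContext:
    """System trust store, hostname checking and TLS 1.2 or newer enforced."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def cert_fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 fingerprint of a DER-encoded certificate (as from getpeercert(True))."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, expected_hex: str) -> bool:
    """Compare the presented certificate against a pinned fingerprint.

    hmac.compare_digest avoids a timing side channel on the comparison. The
    pin is what blocks a certificate that chains to a trusted but compromised
    CA, which ordinary validation would accept.
    """
    return hmac.compare_digest(cert_fingerprint(der_cert), expected_hex.lower())


if __name__ == "__main__":
    print(enforce_https("http://social.example.test/login"))
    print(audit_context(insecure_client_context()))
    print(audit_context(secure_client_context()))
```

In a real client the pin check runs after the handshake on `sock.getpeercert(binary_form=True)`, and the pinned value is the fingerprint of the back end's certificate (or, better, of its public key, so the pin survives certificate renewal). Keep a backup pin for the next key before shipping, or a rotation will lock users out.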

5. Server-side security weaknesses
HP's study also found numerous vulnerabilities on the server side. Despite years of security experts warning businesses that their developers should know the Open Web Application Security Project (OWASP) Top 10, the list of the most critical web application risks, and eliminate those flaws from their code, HP said such vulnerabilities remain widespread in the back ends that mobile apps talk to.

"With the advent of mobile flexibility we have lost sight of the fact that these mobile apps have Web back ends," according to HP's study. "We are forgetting these servers need security attention as well and as a result we see the most critical flaws existing on these mobile sites, APIs, [and] Web services. We also see a resurgence of a lack of knowledge when it comes to Web Service or API security, which we think [ties] to the use of frameworks or development shops that have no security incentives."
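SQL injection is the first server-side flaw Bledsoe names, and it is usually a mobile back end's login or lookup endpoint that carries it. The following is an added example in Python, not code from the HP study or the article: a login handler for a hypothetical mobile API, first as the string-spliced query that injection payloads bypass, then parameterised and checking a salted PBKDF2 hash. The SQLite tables, column names and the sample account are constructed for the demo.

```python
"""Back-end login handler for a mobile app: SQL injection, before and after.

Added example (not from the HP study or the article). An in-memory SQLite
database with a constructed user table stands in for the back end so the
demo runs offline; all table and column names are made up.
"""
import hashlib
import hmac
import secrets
import sqlite3

PBKDF2_ITERATIONS = 100_000  # tune upward as hardware allows


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the stored value is useless without the salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one account, 'alice' / 'correct horse'.

    legacy_users keeps the password in clear text because the vulnerable
    handler compares it inside the SQL statement; users stores only a
    random salt and the PBKDF2 hash.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE legacy_users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO legacy_users VALUES ('alice', 'correct horse')")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = secrets.token_bytes(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("alice", salt, hash_password("correct horse", salt)))
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """The flaw the study keeps finding: untrusted input spliced into SQL text."""
    query = ("SELECT username FROM legacy_users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_fixed(conn, username: str, password: str) -> bool:
    """Parameterised lookup plus a constant-time hash comparison.

    The user-supplied strings never become part of the SQL, so the payloads
    that bypass login_vulnerable are just an unknown username or a wrong
    password here.
    """
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        # Do the expensive hash anyway so response time does not reveal
        # which usernames exist.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


# Classic payloads an attacker sends through the mobile API's login call.
INJECTION_PAYLOADS = [
    ("alice", "' OR '1'='1"),      # tautology appended to the password clause
    ("alice' --", "anything"),     # SQL comment removes the password check
    ("' OR 1=1 --", "anything"),   # no valid username needed at all
]

if __name__ == "__main__":
    db = make_db()
    for user, pw in INJECTION_PAYLOADS:
        print(f"{user!r:16} {pw!r:14} vulnerable={login_vulnerable(db, user, pw)} "
              f"fixed={login_fixed(db, user, pw)}")
```

The same rule applies to every other query the API runs: bind values as parameters, and allowlist anything that cannot be a parameter (table names, sort columns) rather than concatenating it.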

Fixes: Think secure coding, not MDM
One cautionary note in HP's study: mobile device management, mobile access management and similar products that manage and secure devices can help block attacks against the devices themselves, but they do nothing about code-level flaws in the applications or their back ends. "Any respectable security guru will tell you [that you] can't just slap on a firewall to protect those assets," according to the study. "You need to actually find and fix the problems."

Of course, security experts have been extolling the virtues of secure coding, and of building it into the development lifecycle, for years. But uptake by many businesses remains tepid. Blame time-to-market demands, perhaps, or project managers who don't correctly value information security. Until those attitudes change, expect businesses' mobile apps to continue committing widespread and basic privacy and security errors.

Comments
marktroester (User Rank: Apprentice), 11/22/2013 | 2:52:11 PM
Re: Vote of No Confidence
It looks like the research that they did is not specific to the mobile platform. These are failures that are attributed to the way the application is being developed, vs. failures that are inherent in iOS or Android. But, additional research relating to these platforms would also be useful.

Mark Troester

Sonatype

@mtroester
Marilyn Cohodas (User Rank: Strategist), 11/22/2013 | 7:50:15 AM
Re: Vote of No Confidence
That really surprises me since so much of the discussion of mobile device security centers around the merits of iOS over Android. (With Android generally coming up short). 
Mathew (User Rank: Apprentice), 11/22/2013 | 5:17:31 AM
Re: Vote of No Confidence
Good question, Marilyn. HP declined to provide a breakout of apps, in terms of whether they were iOS or Android.
Marilyn Cohodas (User Rank: Strategist), 11/21/2013 | 10:37:01 AM
Vote of No Confidence
Wow, Mat, these are frightening numbers -- 97% of 2,000 business apps inappropriately accessed at least one source of private information stored on a device! Did the study break down the apps by OS or device? Wondering if Apple still has the edge in mobile security.