
Mobile App Security: 5 Frequent Woes Persist

HP Fortify study finds five frequent problems that make mobile apps vulnerable, recommends simple-to-implement information security fixes.

How many mobile apps are secure enough for business use?

According to one study of more than 2,000 mobile apps, 97% accessed at least one source of private information stored on a device, while 86% lacked basic information security measures that would defend the app against frequent types of attacks.

Those findings come from a new study from HP Fortify, which scanned 2,107 apps from 601 different businesses that HP said were all listed on the Forbes list of the top 2,000 global companies. "The most common -- and critical -- issues we see are failing to use encryption when writing to the file system, not securing data being sent over the network, and having a highly insecure server configuration on the backend that often leads to numerous critical vulnerabilities," said Maria Bledsoe, senior manager of product marketing for Fortify HP, via email. "These server-based issues commonly include SQLi [SQL injection], XSS [cross-site scripting], Web Services flaws, authentication and session management weaknesses, logic flaws, and many more."

What types of apps did HP study? "Applications run the gamut from banking to marketing for consumer goods companies, to business-targeted apps," said Bledsoe, who noted that the studied apps spanned 22 different app store categories. But the majority of apps studied by HP hailed from these categories: finance (22%), business (21%), lifestyle (10%), utilities (8%), enterprise (5%), travel (4%), games (4%), and medical (3%).


Here were the five most frequent mobile app security problems that HP spotted.

1. Privacy shortcomings
As noted, the study found that 97% of tested apps had potentially inappropriate access to at least one source of private information on the mobile device. "In our research, we found banking apps that integrated with social media, chat apps that sent chat logs to be analyzed for future purchasing trends, and many, many applications that track you via geolocation," according to HP.

Access to contact lists was also a problem. "We found that a whopping 97% of applications had access to [this] and were able to share this type of data," HP reported. "Worst of all, most of this data is sent off to third-party companies over HTTP."

2. Missing binary protections
The HP study found that 86% of studied apps shipped without binary protections. These are hardening measures applied to the compiled app itself rather than to its source: encrypting or obfuscating the code and stripping symbols so the binary is harder to reverse engineer, compiling with stack-smashing protection and position-independent code (so address space layout randomization applies) to blunt buffer overflow and stack overflow exploits, keeping build paths out of the binary to avoid path disclosure, and adding jailbreak or root detection and anti-tamper checks. "We found an alarming number of applications did not implement these easy-to-use security protections," according to HP.

3. Encryption fail
Implementing encryption correctly is tough. Last year, for example, a study of 13 iOS password managers found that only one properly implemented strong crypto. If password manager apps can't do it correctly, is there hope for more general-purpose apps?

Perhaps it's no surprise, then, that HP found that 75% of studied apps -- which stored everything from passwords, personal details, and session tokens, to documents, chat logs, and photos -- either failed to use encryption or to implement it properly. As a result, the data stored by the apps was accessible "to anyone who has an unlocked, powered-on phone in their possession," according to the study. Without strong encryption, correctly implemented, "losing your phone is equal to losing your [high-value] data," according to the study.

4. Poor transport layer security (TLS)
Of the apps studied by HP, 18% transmitted usernames and passwords as plaintext, via HTTP. Meanwhile, of the remaining 82% of apps, 18% of those failed to implement SSL/TLS correctly. In some cases, for example, apps defaulted to a social media site's HTTP connection when an HTTPS site was available.

Using HTTP to transmit sensitive information is bad because "anyone with a malicious mind on your same network -- think coffee shop, work WiFi, airport, or any server between you and a very far away website -- can sniff your data," according to HP. Meanwhile, incorrect implementations of SSL/TLS, typically an app that accepts any certificate or never checks that the certificate matches the host it is talking to, leave app users open to man-in-the-middle attacks in which an attacker presents a spoofed certificate and intercepts the supposedly encrypted traffic.

Finally, poorly written mobile apps can spill the session tokens and other access credentials that the web application behind them relies on to verify a user's identity, so a leak on the device becomes an account compromise on the server.
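The two transport defects above, plaintext endpoints and TLS validation switched off, can be caught in code review or in an automated check on the app's networking layer. The following is an added example, not code from HP's study or from any of the apps it tested. It uses Python's standard ssl module to show the "accept any certificate" pattern beside a hardened client context, an audit function that flags the weak settings, and a guard that refuses to send credentials over HTTP. The finding codes and the api.example.com host are assumptions made for the example.

```python
import ssl
from urllib.parse import urlsplit


def insecure_context():
    """The pattern the study warns about: certificate chain and hostname checks
    are both disabled, so a man in the middle with any self-signed certificate
    is accepted as the real server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE  # chain is never validated
    return ctx


def hardened_context():
    """Verify the chain against the platform trust store, check the hostname,
    and refuse legacy protocol versions."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return a list of finding codes (names assumed for this example) for the
    weak settings an app's TLS context may carry."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("NO_CHAIN_VERIFY")
    if not ctx.check_hostname:
        findings.append("NO_HOSTNAME_CHECK")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("LEGACY_TLS_ALLOWED")
    return findings


def credential_url_ok(url):
    """Only an https URL may carry a username, password or session token.
    The 18% of apps sending credentials over HTTP would fail this check."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.hostname)


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_context()))
    print("hardened:", audit_context(hardened_context()))
    print("login URL ok:", credential_url_ok("https://api.example.com/login"))
```

Running the audit against an app's context before it is used, for instance in a unit test of the networking module, turns "we forgot to turn validation back on after debugging" into a failing build rather than a field incident.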

5. Server-side security weaknesses
When it comes to mobile app security, HP's study also found numerous vulnerabilities on the server side of the equation. Furthermore, despite years of security experts warning businesses that their developers should learn the Open Web Application Security Project (OWASP) Top 10 list of the most critical web application security risks and eliminate those flaws from their code, HP said such vulnerabilities continue to be widespread.

"With the advent of mobile flexibility we have lost sight of the fact that these mobile apps have Web back ends," according to HP's study. "We are forgetting these servers need security attention as well and as a result we see the most critical flaws existing on these mobile sites, APIs, [and] Web services. We also see a resurgence of a lack of knowledge when it comes to Web Service or API security, which we think [ties] to the use of frameworks or development shops that have no security incentives."
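SQL injection heads the list of back-end flaws Bledsoe mentions, and it usually coexists with the storage problem from section 3, since a login endpoint that builds its query from strings is often also comparing plaintext passwords inside that query. The following added example, written for this article rather than taken from HP's study or any tested app, shows a constructed in-memory SQLite back end with both forms of the login check: the string-built query that an attacker bypasses with an injected username, and the parameterized query with a salted PBKDF2 hash verified in constant time. Table and function names are assumptions of the example.

```python
import hashlib
import hmac
import os
import sqlite3


def _derive(password, salt):
    """Salted PBKDF2-HMAC-SHA256; the stored value is the digest, not the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db():
    """Constructed sample back end: one account kept the legacy way (plaintext
    password, queried by string concatenation) and the same account kept the
    hardened way (salted hash, queried with bound parameters)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_legacy (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    conn.execute("INSERT INTO users_legacy VALUES (?, ?)", ("alice", "correct horse"))
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("alice", salt, _derive("correct horse", salt)))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The back-end flaw HP describes: user input is pasted into the SQL text,
    so a username of  ' OR 1=1 --  rewrites the WHERE clause and comments out
    the password check entirely."""
    query = ("SELECT username FROM users_legacy WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return conn.execute(query).fetchone() is not None


def login_hardened(conn, username, password):
    """Parameter binding keeps input out of the SQL grammar, and the password
    comparison happens in code against the stored salted digest."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(_derive(password, salt), stored)


if __name__ == "__main__":
    db = make_db()
    injected = "' OR 1=1 --"
    print("vulnerable, injected username:", login_vulnerable(db, injected, "x"))
    print("hardened, injected username:", login_hardened(db, injected, "x"))
    print("hardened, real credentials:", login_hardened(db, "alice", "correct horse"))
```

The same two rules carry to any data access behind a mobile API: never build SQL from request fields, and never keep a secret in a form the query has to compare directly.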

Fixes: Think secure coding, not MDM
One cautionary note sounded in HP's study is that mobile device management, mobile access management, and similar products that manage and secure mobile devices can help block attacks against the device itself, but they won't make code-level flaws in applications go away. "Any respectable security guru will tell you [that you] can't just slap on a firewall to protect those assets," according to the study. "You need to actually find and fix the problems."

Of course, security experts have been sounding the virtues of secure coding -- and adding it to the development lifecycle -- for years. But uptake by many businesses remains tepid. Blame time-to-market demands, perhaps, or project managers who don't correctly value information security. Until those attitudes change, expect businesses' mobile apps to continue committing widespread and basic privacy and security errors.

There's no such thing as perfection when it comes to software applications, but organizations should make every effort to ensure that their developers do everything in their power to get as close as possible. This Dark Reading report, Integrating Vulnerability Management Into The Application Development Process, examines the challenges of finding and remediating bugs in applications that are growing in complexity and number, and recommends tools and best practices for weaving vulnerability management into the development process from the very beginning. (Free registration required.)

Mark Troester
User Rank: Apprentice
11/22/2013 | 2:52:11 PM
Re: Vote of No Confidence
It looks like the research that they did is not specific to the mobile platform. These are failures that are attributed to the way the application is being developed, vs. failures that are inherent in iOS or Android. But additional research relating to these platforms would also be useful.


Marilyn Cohodas
User Rank: Strategist
11/22/2013 | 7:50:15 AM
Re: Vote of No Confidence
That really surprises me since so much of the discussion of mobile device security centers around the merits of iOS over Android. (With Android generally coming up short). 
User Rank: Apprentice
11/22/2013 | 5:17:31 AM
Re: Vote of No Confidence
Good question, Marilyn. HP declined to provide a breakout of apps, in terms of whether they were iOS or Android.
Marilyn Cohodas
User Rank: Strategist
11/21/2013 | 10:37:01 AM
Vote of No Confidence
Wow, Mat. These are frightening numbers -- 97% of 2000 business apps inappropriately accessed at least one source of private information stored on a device! Did the study break down the apps by OS or device? Wondering if Apple still had the edge in mobile security.