

Mobile App Security: 5 Frequent Woes Persist

HP Fortify study finds five frequent problems that make mobile apps vulnerable, recommends simple-to-implement information security fixes.

How many mobile apps are secure enough for business use?

According to one study of more than 2,000 mobile apps, 97% accessed at least one source of private information stored on a device, while 86% lacked basic information security measures that would defend the app against frequent types of attacks.

Those findings come from a new study from HP Fortify, which scanned 2,107 apps from 601 different businesses that HP said were all listed on the Forbes list of the top 2,000 global companies. "The most common -- and critical -- issues we see are failing to use encryption when writing to the file system, not securing data being sent over the network, and having a highly insecure server configuration on the backend that often leads to numerous critical vulnerabilities," said Maria Bledsoe, senior manager of product marketing for HP Fortify, via email. "These server-based issues commonly include SQLi [SQL injection], XSS [cross-site scripting], Web Services flaws, authentication and session management weaknesses, logic flaws, and many more."

What types of apps did HP study? "Applications run the gamut from banking to marketing for consumer goods companies, to business-targeted apps," said Bledsoe, who noted that the studied apps spanned 22 different app store categories. But the majority of apps studied by HP hailed from these categories: finance (22%), business (21%), lifestyle (10%), utilities (8%), enterprise (5%), travel (4%), games (4%), and medical (3%).


Here were the five most frequent mobile app security problems that HP spotted.

1. Privacy shortcomings
As noted, the study found that 97% of tested apps had potentially inappropriate access to at least one source of private information on the mobile device. "In our research, we found banking apps that integrated with social media, chat apps that sent chat logs to be analyzed for future purchasing trends, and many, many applications that track you via geolocation," according to HP.

Access to contact lists was also a problem. "We found that a whopping 97% of applications had access to [this] and were able to share this type of data," HP reported. "Worst of all, most of this data is sent off to third-party companies over HTTP."

2. Missing binary protections
The HP study found that 86% of studied apps failed to use binary protections: hardening applied to the compiled app itself so that it is harder to reverse engineer or tamper with. That includes stripping symbols and obfuscating code, building with stack-smashing protection and address space layout randomization (position-independent code) to blunt buffer and stack overflow attacks, keeping build paths out of the binary (path disclosure), and detecting jailbroken or rooted devices. "We found an alarming number of applications did not implement these easy-to-use security protections," according to HP.

3. Encryption fail
Implementing encryption correctly is tough. Last year, for example, a study of 13 iOS password managers found that only one properly implemented strong crypto. If password manager apps can't do it correctly, is there hope for more general-purpose apps?

Perhaps it's no surprise, then, that HP found that 75% of studied apps -- which stored everything from passwords, personal details, and session tokens, to documents, chat logs, and photos -- either failed to use encryption or to implement it properly. As a result, the data stored by the apps was accessible "to anyone who has an unlocked, powered-on phone in their possession," according to the study. Without strong encryption, correctly implemented, "losing your phone is equal to losing your [high-value] data," according to the study.
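The failure mode above is easy to see once you look inside an app's data container. The following is an added example, not code from the HP study or from any app it examined: it builds a throwaway directory that mimics an app sandbox (a JSON preferences file and a SQLite cache), writes the kind of data the article says apps keep in the clear, and then scans it for plaintext credentials and bearer tokens. File names, key names and the sample values are constructed for the demo.

```python
"""Audit an app's on-device data container for plaintext secrets.

Added example: the sandbox layout, file names and secret values below are
constructed for this demo, not taken from any real app.
"""
import json
import os
import re
import sqlite3
import tempfile

# Key names that should never sit beside a readable value.
SECRET_KEY_RE = re.compile(r"(password|passwd|secret|token|session|api_key)", re.I)
# Values that look like credentials or bearer tokens even under a harmless key.
SECRET_VALUE_RE = re.compile(r"^(Bearer\s+\S+|eyJ[\w-]+\.[\w-]+\.[\w-]+)$")


def build_sample_container(root):
    """Populate `root` the way a careless app would (constructed data)."""
    prefs = {
        "username": "alice",
        "password": "hunter2",  # plaintext credential in a prefs file
        "theme": "dark",
    }
    with open(os.path.join(root, "prefs.json"), "w") as fh:
        json.dump(prefs, fh)
    db = sqlite3.connect(os.path.join(root, "cache.db"))
    db.execute("CREATE TABLE session (k TEXT, v TEXT)")
    db.execute("INSERT INTO session VALUES ('auth', 'Bearer abc.def.ghi')")
    db.execute("INSERT INTO session VALUES ('last_sync', '2013-11-20')")
    db.commit()
    db.close()


def scan_json(path):
    """Flag string values whose key or value looks like a secret."""
    with open(path) as fh:
        data = json.load(fh)
    return [(os.path.basename(path), k) for k, v in data.items()
            if isinstance(v, str)
            and (SECRET_KEY_RE.search(k) or SECRET_VALUE_RE.match(v))]


def scan_sqlite(path):
    """Walk every table; flag rows holding a token-shaped string."""
    findings = []
    db = sqlite3.connect(path)
    tables = [r[0] for r in db.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for t in tables:
        for row in db.execute(f'SELECT * FROM "{t}"'):
            if any(isinstance(c, str) and SECRET_VALUE_RE.match(c) for c in row):
                findings.append((os.path.basename(path), t))
    db.close()
    return findings


def scan_container(root):
    """Return (file, location) pairs where plaintext secrets were found."""
    findings = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if name.endswith(".json"):
            findings.extend(scan_json(path))
        elif name.endswith(".db"):
            findings.extend(scan_sqlite(path))
    return findings


def demo():
    """Build the sample container, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_container(root)
        return scan_container(root)


if __name__ == "__main__":
    for found in demo():
        print("plaintext secret in", *found)
```

Anything this scanner finds is readable by whoever holds the unlocked phone, or by anyone who can extract a backup. The fix is not to write such values to ordinary files at all: keep credentials and session tokens in the platform's protected store (the iOS Keychain or the Android Keystore) and encrypt anything else sensitive with a key that does not live next to the data.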

4. Poor transport layer security (TLS)
Of the apps studied by HP, 18% transmitted usernames and passwords as plaintext, via HTTP. Meanwhile, of the remaining 82% of apps, 18% of those failed to implement SSL/TLS correctly. In some cases, for example, apps defaulted to a social media site's HTTP connection when an HTTPS site was available.

Using HTTP to transmit sensitive information is bad because "anyone with a malicious mind on your same network -- think coffee shop, work WiFi, airport, or any server between you and a very far away website -- can sniff your data," according to HP. Meanwhile, an SSL/TLS implementation that does not verify the server's certificate and host name leaves app users open to man-in-the-middle attacks: the attacker presents a spoofed certificate, the app accepts it, and the "encrypted" session is decrypted by the attacker before being relayed on.

Finally, a mobile app that leaks credentials or session tokens in transit leaks the very secrets its web back end relies on to verify a user's identity, so the exposure is not confined to the phone.
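Both transport failures described above, plain HTTP and "SSL/TLS" that accepts any certificate, come down to client configuration. The following is an added example, not code from the HP study or from any app it examined: it builds the weak client context that a "just make the certificate error go away" patch typically produces, the hardened context beside it, an audit function that tells them apart, and a guard against the HTTP-when-HTTPS-exists downgrade the article mentions. Host names and URLs are constructed for the demo.

```python
"""Weak vs. correct TLS client configuration, plus a check that tells them apart.

Added example: the contexts, host names and URLs below are constructed for
this demo and are not taken from any real app.
"""
import ssl
from urllib.parse import urlsplit, urlunsplit


def insecure_context():
    """The context an app ends up with after 'fixing' a certificate error."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # any name on the certificate will do
    ctx.verify_mode = ssl.CERT_NONE  # any issuer, self-signed included
    return ctx


def hardened_context(cafile=None):
    """Verify the chain and the host name; refuse protocol versions below 1.2."""
    # create_default_context() sets CERT_REQUIRED and check_hostname=True.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means the context is acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("host name verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows TLS < 1.2")
    return findings


def enforce_https(url, https_hosts):
    """Upgrade http:// to https:// for hosts known to serve HTTPS; refuse otherwise.

    Guards against the downgrade the article describes: an app using a
    site's HTTP endpoint although an HTTPS one is available.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        return url
    if parts.scheme == "http" and parts.hostname in https_hosts:
        return urlunsplit(("https",) + tuple(parts[1:]))
    raise ValueError(
        f"refusing to send credentials over {parts.scheme}://{parts.hostname}")


if __name__ == "__main__":
    print("weak context:", audit_context(insecure_context()))
    print("hardened context:", audit_context(hardened_context()))
    print(enforce_https("http://api.example.com/login", {"api.example.com"}))
```

Note the order in `insecure_context()`: `check_hostname` has to be switched off before `verify_mode` can be set to `CERT_NONE`, which is exactly the two-line change that shows up in apps that "fixed" a certificate warning. An audit like `audit_context()` belongs in a unit test so that the change cannot land silently.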

5. Server-side security weaknesses
When it comes to mobile app security, HP's study also found numerous vulnerabilities on the server side of the equation. Furthermore, despite years of security experts warning businesses that their developers should learn the Open Web Application Security Project (OWASP) Top 10 list of the most critical web application risks and eradicate them, HP said such vulnerabilities continue to be widespread.

"With the advent of mobile flexibility we have lost sight of the fact that these mobile apps have Web back ends," according to HP's study. "We are forgetting these servers need security attention as well and as a result we see the most critical flaws existing on these mobile sites, APIs, [and] Web services. We also see a resurgence of a lack of knowledge when it comes to Web Service or API security, which we think [ties] to the use of frameworks or development shops that have no security incentives."
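The SQL injection HP names as a common back-end flaw looks the same behind a mobile API as behind any web form. The following is an added example, not code from the HP study or from any back end it examined: a login endpoint reduced to one function over an in-memory SQLite table, first with the string-built query that lets an attacker log in without a password, then with the parameterized fix. The user name, password and schema are constructed for the demo; the unsalted SHA-256 is only there to keep the injection visible, and a real service would use a slow, salted password hash such as PBKDF2 or bcrypt.

```python
"""Mobile back-end login: injectable query beside the parameterized fix.

Added example: the table, the user and the password are constructed for this
demo. Unsalted SHA-256 is used only to keep the injection easy to see; use a
slow salted hash (PBKDF2, bcrypt, scrypt) in production.
"""
import hashlib
import hmac
import sqlite3


def make_db():
    """One user, alice / hunter2, in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("alice", hashlib.sha256(b"hunter2").hexdigest()))
    db.commit()
    return db


def login_vulnerable(db, name, password):
    """String-built WHERE clause: the classic SQLi found on mobile back ends.

    name = "' OR 1=1 --" turns the query into
      ... WHERE name = '' OR 1=1 --' AND pw_hash = '...'
    and the password check is commented away.
    """
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND pw_hash = '{pw_hash}'")
    return db.execute(sql).fetchone() is not None


def login_fixed(db, name, password):
    """Parameterized lookup, then constant-time comparison of the hash."""
    row = db.execute("SELECT pw_hash FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None:
        return False
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(row[0], pw_hash)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("vulnerable, bypass payload:", login_vulnerable(db, payload, "x"))
    print("fixed, bypass payload:", login_fixed(db, payload, "x"))
    print("fixed, real credentials:", login_fixed(db, "alice", "hunter2"))
```

The fix is the placeholder, not input filtering: the driver sends the user name as data, so `' OR 1=1 --` is simply a user name that does not exist. The same rule applies to every query a mobile API issues, including the ones hidden in "convenience" frameworks HP mentions.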

Fixes: Think secure coding, not MDM
One cautionary note sounded in HP's study is that mobile device management, mobile access management, and other types of security products that manage and secure mobile devices can help block attacks against mobile devices. But they won't magically make code-level flaws in applications go away. "Any respectable security guru will tell you [that you] can't just slap on a firewall to protect those assets," according to the study. "You need to actually find and fix the problems."

Of course, security experts have been extolling the virtues of secure coding -- and of building it into the development lifecycle -- for years. But uptake by many businesses remains tepid. Blame time-to-market demands, perhaps, or project managers who don't correctly value information security. Until those attitudes change, expect businesses' mobile apps to continue committing widespread and basic privacy and security errors.


Mark Troester, User Rank: Apprentice
11/22/2013 | 2:52:11 PM
Re: Vote of No Confidence
It looks like the research that they did is not specific to the mobile platform. These are failures that are attributed to the way the application is being developed, vs. failures that are inherent in iOS or Android. But additional research relating to these platforms would also be useful.

Marilyn Cohodas, User Rank: Strategist
11/22/2013 | 7:50:15 AM
Re: Vote of No Confidence
That really surprises me, since so much of the discussion of mobile device security centers around the merits of iOS over Android. (With Android generally coming up short.)

User Rank: Apprentice
11/22/2013 | 5:17:31 AM
Re: Vote of No Confidence
Good question, Marilyn. HP declined to provide a breakout of apps, in terms of whether they were iOS or Android.

Marilyn Cohodas, User Rank: Strategist
11/21/2013 | 10:37:01 AM
Vote of No Confidence
Wow, Mat. These are frightening numbers -- 97% of 2,000 business apps inappropriately accessed at least one source of private information stored on a device! Did the study break down the apps by OS or device? Wondering if Apple still had the edge in mobile security.