

Mobile App Security: 5 Frequent Woes Persist

HP Fortify study finds five frequent problems that make mobile apps vulnerable, recommends simple-to-implement information security fixes.

How many mobile apps are secure enough for business use?

According to one study of more than 2,000 mobile apps, 97% accessed at least one source of private information stored on a device, while 86% lacked basic information security measures that would defend the app against frequent types of attacks.

Those findings come from a new study from HP Fortify, which scanned 2,107 apps from 601 different businesses that HP said were all listed on the Forbes list of the top 2,000 global companies. "The most common -- and critical -- issues we see are failing to use encryption when writing to the file system, not securing data being sent over the network, and having a highly insecure server configuration on the backend that often leads to numerous critical vulnerabilities," said Maria Bledsoe, senior manager of product marketing for Fortify HP, via email. "These server-based issues commonly include SQLi [SQL injection], XSS [cross-site scripting], Web Services flaws, authentication and session management weaknesses, logic flaws, and many more."

What types of apps did HP study? "Applications run the gamut from banking to marketing for consumer goods companies, to business-targeted apps," said Bledsoe, who noted that the studied apps spanned 22 different app store categories. But the majority of apps studied by HP hailed from these categories: finance (22%), business (21%), lifestyle (10%), utilities (8%), enterprise (5%), travel (4%), games (4%), and medical (3%).


Here were the five most frequent mobile app security problems that HP spotted.

1. Privacy shortcomings
As noted, the study found that 97% of tested apps had potentially inappropriate access to at least one source of private information on the mobile device. "In our research, we found banking apps that integrated with social media, chat apps that sent chat logs to be analyzed for future purchasing trends, and many, many applications that track you via geolocation," according to HP.

Access to contact lists was also a problem. "We found that a whopping 97% of applications had access to [this] and were able to share this type of data," HP reported. "Worst of all, most of this data is sent off to third-party companies over HTTP."

2. Missing binary protections
The HP study found that 86% of studied apps failed to use binary protections. These are hardening measures applied to the compiled app to make it harder for would-be attackers to reverse engineer or tamper with. The category also covers defenses against buffer overflow and stack overflow attacks, as well as symbol stripping, code obfuscation, prevention of path disclosure, and jailbreak detection. "We found an alarming number of applications did not implement these easy-to-use security protections," according to HP.

3. Encryption fail
Implementing encryption correctly is tough. Last year, for example, a study of 13 iOS password managers found that only one properly implemented strong crypto. If password manager apps can't do it correctly, is there hope for more general-purpose apps?

Perhaps it's no surprise, then, that HP found that 75% of studied apps -- which stored everything from passwords, personal details, and session tokens, to documents, chat logs, and photos -- either failed to use encryption or to implement it properly. As a result, the data stored by the apps was accessible "to anyone who has an unlocked, powered-on phone in their possession," according to the study. Without strong encryption, correctly implemented, "losing your phone is equal to losing your [high-value] data," according to the study.

4. Poor transport layer security (TLS)
Of the apps studied by HP, 18% transmitted usernames and passwords as plaintext, via HTTP. Meanwhile, of the remaining 82% of apps, 18% of those failed to implement SSL/TLS correctly. In some cases, for example, apps defaulted to a social media site's HTTP connection when an HTTPS site was available.

Using HTTP to transmit sensitive information is bad because "anyone with a malicious mind on your same network -- think coffee shop, work WiFi, airport, or any server between you and a very far away website -- can sniff your data," according to HP. Meanwhile, incorrect implementations of SSL/TLS leave app users open to man-in-the-middle attacks that use spoofed digital certificates to intercept transmitted data.

Finally, poorly written mobile apps can spill legitimate access credentials that full-fledged web apps rely on to verify a user's identity.
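As an added illustration of the two transport failures described above (not code from the article or from HP's study), this Python snippet audits a constructed list of app endpoints for plaintext HTTP, flags the case where HTTP is used although HTTPS is available for the same host, and inspects a client TLS context for the settings that let a spoofed certificate pass unnoticed. All hostnames are made up.

```python
import ssl
from urllib.parse import urlparse

# Constructed sample of endpoints an app might bundle in its config.
SAMPLE_ENDPOINTS = [
    "http://legacy.example.test/login",        # credentials sent over plaintext HTTP
    "http://social.example.test/oauth/token",  # HTTP chosen although HTTPS exists
    "https://api.example.test/profile",        # fine
]
# Constructed: hosts known to serve the same API over HTTPS.
HTTPS_AVAILABLE = {"social.example.test", "api.example.test"}


def audit_endpoints(urls, https_hosts):
    """Return (url, finding) pairs for every endpoint that uses plaintext HTTP."""
    findings = []
    for url in urls:
        parts = urlparse(url)
        if parts.scheme != "http":
            continue
        if parts.hostname in https_hosts:
            findings.append((url, "plaintext HTTP although HTTPS is available"))
        else:
            findings.append((url, "plaintext HTTP"))
    return findings


def audit_tls_context(ctx):
    """Report settings under which a man-in-the-middle certificate would be accepted."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate verification disabled (CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows TLS versions below 1.2")
    return findings


def insecure_context():
    # The "trust everything" pattern: any certificate for any name is accepted.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    # System trust store, hostname verification and a TLS 1.2 floor.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx
```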

5. Server-side security weaknesses
When it comes to mobile app security, HP's study also found numerous vulnerabilities on the server side of the equation. Furthermore, despite years of security experts warning businesses that their developers should verse themselves in the Open Web Application Security Project (OWASP) list of the top 10 worst web application vulnerabilities and eradicate them at all costs, HP said such vulnerabilities continue to be widespread.

"With the advent of mobile flexibility we have lost sight of the fact that these mobile apps have Web back ends," according to HP's study. "We are forgetting these servers need security attention as well and as a result we see the most critical flaws existing on these mobile sites, APIs, [and] Web services. We also see a resurgence of a lack of knowledge when it comes to Web Service or API security, which we think [ties] to the use of frameworks or development shops that have no security incentives."

Fixes: Think secure coding, not MDM
One cautionary note sounded in HP's study is that mobile device management, mobile access management, and other types of security products that manage and secure mobile devices can help block attacks against mobile devices. But they won't magically make code-level flaws in applications go away. "Any respectable security guru will tell you [that you] can't just slap on a firewall to protect those assets," according to the study. "You need to actually find and fix the problems."

Of course, security experts have been sounding the virtues of secure coding -- and adding it to the development lifecycle -- for years. But uptake by many businesses remains tepid. Blame time-to-market demands, perhaps, or project managers who don't correctly value information security. Until those attitudes change, expect businesses' mobile apps to continue committing widespread and basic privacy and security errors.

There's no such thing as perfection when it comes to software applications, but organizations should make every effort to ensure that their developers do everything in their power to get as close as possible. This Dark Reading report, Integrating Vulnerability Management Into The Application Development Process, examines the challenges of finding and remediating bugs in applications that are growing in complexity and number, and recommends tools and best practices for weaving vulnerability management into the development process from the very beginning. (Free registration required.)

User Rank: Apprentice
11/22/2013 | 2:52:11 PM
Re: Vote of No Confidence
It looks like the research that they did is not specific to the mobile platform. These are failures that are attributed to the way the application is being developed, vs. failures that are inherent in iOS or Android. But, additional research relating to these platforms would also be useful.

Mark Troester


Marilyn Cohodas
User Rank: Strategist
11/22/2013 | 7:50:15 AM
Re: Vote of No Confidence
That really surprises me since so much of the discussion of mobile device security centers around the merits of iOS over Android. (With Android generally coming up short). 
User Rank: Apprentice
11/22/2013 | 5:17:31 AM
Re: Vote of No Confidence
Good question, Marilyn. HP declined to provide a breakout of apps, in terms of whether they were iOS or Android.
Marilyn Cohodas
User Rank: Strategist
11/21/2013 | 10:37:01 AM
Vote of No Confidence
Wow, Mat, these are frightening numbers -- 97% of 2000 business apps inappropriately accessed at least one source of private information stored on a device! Did the study break down the apps by OS or device? Wondering if Apple still had the edge in mobile security.