How many mobile apps are secure enough for business use?
According to one study of more than 2,000 mobile apps, 97% accessed at least one source of private information stored on a device, while 86% lacked basic information security measures that would defend the app against frequent types of attacks.
Those findings come from a new study from HP Fortify, which scanned 2,107 apps from 601 different businesses that HP said were all listed on the Forbes list of the top 2,000 global companies. "The most common -- and critical -- issues we see are failing to use encryption when writing to the file system, not securing data being sent over the network, and having a highly insecure server configuration on the backend that often leads to numerous critical vulnerabilities," said Maria Bledsoe, senior manager of product marketing for Fortify HP, via email. "These server-based issues commonly include SQLi [SQL injection], XSS [cross-site scripting], Web Services flaws, authentication and session management weaknesses, logic flaws, and many more."
What types of apps did HP study? "Applications run the gamut from banking to marketing for consumer goods companies, to business-targeted apps," said Bledsoe, who noted that the studied apps spanned 22 different app store categories. But the majority of apps studied by HP hailed from these categories: finance (22%), business (21%), lifestyle (10%), utilities (8%), enterprise (5%), travel (4%), games (4%), and medical (3%).
Here were the five most frequent mobile app security problems that HP spotted.
1. Privacy shortcomings
As noted, the study found that 97% of tested apps had potentially inappropriate access to at least one source of private information on the mobile device. "In our research, we found banking apps that integrated with social media, chat apps that sent chat logs to be analyzed for future purchasing trends, and many, many applications that track you via geolocation," according to HP.
Access to contact lists was also a problem. "We found that a whopping 97% of applications had access to [this] and were able to share this type of data," HP reported. "Worst of all, most of this data is sent off to third-party companies over HTTP."
2. Missing binary protections
The HP study found that 86% of studied apps failed to use binary protections, which involve encrypting and hardening the compiled app to make it more difficult for would-be attackers to reverse engineer. This class of protection includes symbol stripping and code obfuscation, and helps guard against buffer overflow attacks, stack overflow attacks, path disclosure, and jailbreaking. "We found an alarming number of applications did not implement these easy-to-use security protections," according to HP.
3. Encryption fail
Implementing encryption correctly is tough. Last year, for example, a study of 13 iOS password managers found that only one properly implemented strong crypto. If password manager apps can't do it correctly, is there hope for more general-purpose apps?
Perhaps it's no surprise, then, that HP found that 75% of studied apps -- which stored everything from passwords, personal details, and session tokens, to documents, chat logs, and photos -- either failed to use encryption or to implement it properly. As a result, the data stored by the apps was accessible "to anyone who has an unlocked, powered-on phone in their possession," according to the study. Without strong encryption, correctly implemented, "losing your phone is equal to losing your [high-value] data," according to the study.
4. Poor transport layer security (TLS)
Of the apps studied by HP, 18% transmitted usernames and passwords as plaintext, via HTTP. Of the remaining 82% of apps, a further 18% failed to implement SSL/TLS correctly. In some cases, for example, apps defaulted to a social media site's HTTP connection even though an HTTPS site was available.
Using HTTP to transmit sensitive information is bad because "anyone with a malicious mind on your same network -- think coffee shop, work WiFi, airport, or any server between you and a very far away website -- can sniff your data," according to HP. Meanwhile, incorrect implementations of SSL/TLS leave app users open to man-in-the-middle attacks that use spoofed digital certificates to intercept transmitted data.
Finally, poorly written mobile apps can spill legitimate access credentials that full-fledged web apps rely on to verify a user's identity.
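The two transport failures described above (credentials over plain HTTP, and HTTPS with certificate validation switched off, which is what lets a spoofed certificate succeed) can be caught in an app's outbound endpoint configuration before release. The audit below is example code added here, not HP's study or tooling; the endpoint table and hosts are constructed, and the `https_available` flag is an assumption standing in for "the site also offers HTTPS".

```python
"""Audit an app's endpoint table for plaintext HTTP and broken TLS setup."""
import ssl
from urllib.parse import urlparse

# Constructed sample endpoint table (hypothetical hosts, not from the study).
ENDPOINTS = [
    {"name": "login", "url": "http://api.example.test/login",
     "sends_credentials": True, "https_available": True},
    {"name": "social-feed", "url": "http://social.example.test/feed",
     "sends_credentials": False, "https_available": True},
    {"name": "sync", "url": "https://sync.example.test/v1",
     "sends_credentials": True, "https_available": True},
]

def insecure_context() -> ssl.SSLContext:
    """The anti-pattern: accept any certificate and skip hostname matching."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def secure_context() -> ssl.SSLContext:
    """Correct client setup: system CA store, hostname check, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_context(ctx: ssl.SSLContext) -> list:
    """Findings for the TLS client settings an app would hand to its HTTP stack."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    return findings

def audit_endpoint(ep: dict, ctx: ssl.SSLContext) -> list:
    """Plaintext endpoints are flagged outright; HTTPS ones inherit the context audit."""
    if urlparse(ep["url"]).scheme != "https":
        findings = ["plaintext HTTP transport"]
        if ep.get("sends_credentials"):
            findings.append("credentials sent in the clear")
        if ep.get("https_available"):
            findings.append("HTTPS offered but not used")
        return findings
    return audit_context(ctx)

def upgrade_url(url: str) -> str:
    """Fix for the 'defaults to HTTP' case: rewrite the scheme to https."""
    return urlparse(url)._replace(scheme="https").geturl()

def run_audit(endpoints: list, ctx: ssl.SSLContext) -> dict:
    return {ep["name"]: audit_endpoint(ep, ctx) for ep in endpoints}
```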
5. Server-side security weaknesses
When it comes to mobile app security, HP's study also found numerous vulnerabilities on the server side of the equation. Despite years of warnings from security experts that developers should learn the Open Web Application Security Project (OWASP) list of the top 10 worst web application vulnerabilities and eradicate them at all costs, HP said such vulnerabilities continue to be widespread.
"With the advent of mobile flexibility we have lost sight of the fact that these mobile apps have Web back ends," according to HP's study. "We are forgetting these servers need security attention as well and as a result we see the most critical flaws existing on these mobile sites, APIs, [and] Web services. We also see a resurgence of a lack of knowledge when it comes to Web Service or API security, which we think [ties] to the use of frameworks or development shops that have no security incentives."
Fixes: Think secure coding, not MDM
One cautionary note sounded in HP's study is that mobile device management, mobile access management, and other types of security products that manage and secure mobile devices can help block attacks against the devices themselves, but they won't magically make code-level flaws in applications go away. "Any respectable security guru will tell you [that you] can't just slap on a firewall to protect those assets," according to the study. "You need to actually find and fix the problems."
Of course, security experts have been sounding the virtues of secure coding -- and adding it to the development lifecycle -- for years. But uptake by many businesses remains tepid. Blame time-to-market demands, perhaps, or project managers who don't correctly value information security. Until those attitudes change, expect businesses' mobile apps to continue committing widespread and basic privacy and security errors.
There's no such thing as perfection when it comes to software applications, but organizations should make every effort to ensure that their developers do everything in their power to get as close as possible.