According to HP Research, Nine out of 10 Mobile Applications are Vulnerable to Attack.
Cyber attacks are increasingly sophisticated and dangerous in terms of technologies, tactics, data and the kind of groups or people involved. This also means that, "as computing becomes borderless, adversaries are increasingly bypassing perimeter security with ease and taking advantage of vulnerabilities brought on by the growing number of applications and entry points".
This study, captured by Connectikpeople, shows that:
- Mobile applications represent a real security threat, with vulnerabilities affecting nine out of 10 mobile applications published by a representative sample of companies on the Forbes Global 2000,
- 97 percent of the mobile applications tested accessed at least one private information source within a device,
- 86 percent of those applications did not have adequate security measures in place to protect them from the most common exploits.
Connectikpeople can also observe that, according to Gartner, Inc., mobile app stores will see annual downloads reach 102 billion in 2013, up from 64 billion in 2012. This spike in demand is pushing business managers to dramatically increase the speed at which they deploy mobile applications, and driving more of the development to third parties. This results in less oversight of security, and emphasizes the need for a mobile security strategy that enables businesses to go from "fast to market" to "secure and fast to market."
The most common and easily addressable vulnerability sources captured by Connectikpeople include:
- Privacy issues: Of 2,107 mobile applications scanned, 97 percent accessed private data sources including personal address books, social media pages and connectivity options like Bluetooth or Wi-Fi. Of those applications, 86 percent did not have adequate security measures in place to protect them from the most common exploits, such as misuse of unencrypted data, cross-site scripting and insecure transmission of data.
- Lack of binary protections: 86 percent of applications tested lacked binary hardening, leaving applications vulnerable to information disclosure, buffer overflows and poor performance. To ensure security throughout the life cycle of the application, it is essential to build in the best security practices from conception.
- Insecure data storage: 75 percent of applications did not use proper encryption techniques when storing data on mobile devices, which leaves unencrypted data accessible to an attacker. This data includes passwords, personal information, session tokens, documents, chat logs and photos. Unencrypted data that is seen and used by a malicious attacker can violate numerous corporate governance policies as well as compromise the reputation of the enterprise if sensitive trade secrets are leaked to competitors, the media or any other variety of recipients with negative consequences.
- Transport security: 18 percent of applications tested sent user names and passwords over HTTP. Of the remaining 82 percent, 18 percent incorrectly implemented SSL/HTTPS. These unprotected credentials are typically used not only for the mobile applications but also by their web application counterparts. This further compounds the issue, since malicious attackers on the same network could then sniff that data.
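The two transport failures counted above (credentials sent over plain HTTP, and HTTPS whose certificate checks are effectively switched off) can both be caught with a small audit. The Python below is an added example, not HP's tooling or code from the study; the request list and hostnames are constructed for illustration.

```python
import ssl
from urllib.parse import urlparse

# Constructed sample of an app's outbound requests: (url, carries_credentials)
SAMPLE_REQUESTS = [
    ("http://api.example.test/login", True),     # credentials over plain HTTP
    ("https://api.example.test/profile", False),
    ("https://auth.example.test/token", True),
]

def audit_request(url, carries_credentials):
    """Return a finding for one request sent without HTTPS, else None."""
    scheme = urlparse(url).scheme.lower()
    if scheme == "https":
        return None
    what = "credentials" if carries_credentials else "data"
    return f"{what} sent over {scheme or 'unknown'}: {url}"

def audit_tls_context(ctx):
    """Flag a TLS client context that skips certificate or hostname checks."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    return findings

def insecure_context():
    """The 'incorrectly implemented SSL' pattern: accepts any certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_context():
    """Corrected form: verifies the chain against system roots and the hostname."""
    return ssl.create_default_context()

def run_audit(requests=SAMPLE_REQUESTS):
    """Collect findings for every request that lacks HTTPS."""
    return [f for f in (audit_request(u, c) for u, c in requests) if f]

if __name__ == "__main__":
    for finding in run_audit():
        print("REQUEST:", finding)
    for finding in audit_tls_context(insecure_context()):
        print("TLS CONFIG:", finding)
```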
For those who are unfamiliar with it, HP Fortify on Demand for Mobile enables organizations to assess vulnerabilities across mobile applications, ensures security flaws are resolved before deployment, and protects applications from attacks once in production.
Important note: Conducted by HP Security Research (HPSR), the mobile application security study tested the security posture of 2,107 applications published by 601 companies on the Forbes Global 2000. The companies represented 50 countries across 76 industries. Applications were selected from 22 categories such as productivity and social networking, and were tested using the HP Fortify on Demand automated binary and dynamic analysis engine. Application testing was conducted during October and November 2013.