Risky Mobile Apps No Fun for Entertainment Sector - Security Boulevard

Risky Mobile Apps No Fun for Entertainment Sector

In case it’s not already on your risk radar, it’s time to add mobile apps to the growing list of threat vectors. Mobile apps are risky across all sectors, but more specifically, those that come from media and entertainment businesses are putting users at risk.

In the month of June alone, news of security flaws in a variety of mobile apps made headlines. The Taiwan Electronic Testing Center tested 15 mobile apps for information security and the Consumer Protection Committee reported that all of them failed. As soccer teams compete on the field for the FIFA World Cup, app developers seem to be throwing in the towel when it comes to mobile security.

BitSight recently released the results of its research that looked at data from more than 1,000 companies offering apps on iOS and Google Play and found vulnerabilities across the board. “We looked at the rate of companies in each industry that offer at least one mobile application that did not pass a high severity test: a CVSS score of 7 and above qualifies as high severity,” BitSight wrote.

Tests on business apps across finance, business services, technology, education, media and entertainment found that every app had at least one known vulnerabilities, but more than half of the apps from companies in the media and entertainment industry offer risky applications—nearly double those from the finance sector. Of those, more than 10 percent that failed the high severity test had unencrypted location data and 36 percent had unencrypted device ID.

Of all the apps tested, those that ranked highest in severity, though, had vulnerabilities that included data leakage, privilege abuse, unencrypted personally identifiable information (PII) and credential theft.

Looking at those numbers, it’s no surprise that sensitive data exposure ranked third in the OWASP top ten most critical web application security risks. Not encrypting sensitive data is at the root of the most common flaws. “When crypto is employed,” OWASP wrote, “weak key generation and management, and weak algorithm, protocol and cipher usage is common, particularly for weak password hashing storage techniques. For data in transit, server side weaknesses are mainly easy to detect, but hard for data at rest.”

Securing Device Does Not Secure the App

While much work has been done to enhance mobile security, these critical security risks in mobile apps can not be ignored because both the apps and the users pose risks to the enterprise. While failure to encrypt is a common flaw on the developer side, it’s not common knowledge among end users that mobile apps can be malicious.

Despite the intensive vetting process that developers have to go through to make it into either Apple’s AppStore or Google Play, many malicious apps have made their way into the Google Play. As has been the case with other threat vectors, Apple is quickly catching up. Combine that reality with the fact that consumers often download and use mobiles apps from third-party stores, and your organization has an elevated risk exposure.

In a paper titled, “Mobile Application Web API Reconnaissance: Web-to-Mobile Inconsistencies & Vulnerabilities,” Abner Mendoza and Guofei Gu of Texas A&M University recognize that distinction between securing mobile devices and the locally stored data on the devices versus securing mobile apps.

“Remote HTTP based services form an integral part of the mobile application ecosystem and deserve similar scrutiny with regard to security and privacy concerns,” the researchers wrote.

Perhaps shifting the mindset will prove beneficial for those companies that are struggling to secure their mobile applications. In the meantime, it’s critical that businesses understand which third-parties offer apps that are predisposed to security vulnerabilities.

Kacy Zurkus

Featured eBook
7 Must-Read eBooks for Security Professionals

7 Must-Read eBooks for Security Professionals

From AppSec to SecOps, Security Boulevard eBooks deliver in-depth insights into hot topics that matter to the Cybersecurity and DevSecOps professionals. Our staff of writers are the best in the business, with decades of practical and award-winning experience and credentials. We are excited to share our 2019 favorites. Take a look and download some of ... Read More
Security Boulevard

Kacy Zurkus

Prior to joining RSA Conference as a Content Strategist, Kacy Zurkus was a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition's security portfolio. Zurkus was a regular contributor to Dark Reading, Infosecurity Magazine, Security Boulevard and IBM's Security Intelligence. She has also contributed to several industry publications, including CSO Online, The Parallax, and K12 Tech Decisions. During her time as a journalist, she covered a variety of security and risk topics and also spoke on a range of cybersecurity topics at conferences and universities, including Secure World and NICE K12 Cybersecurity in Education. Zurkus has nearly 20 years experience as a high school teacher on English and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996). In addition, she's also spoken on a range of cybersecurity topics at conferences and universities, including SecureWorld Denver and the University of Southern California.

kacy-zurkus has 62 posts and counting.See all posts by kacy-zurkus