In case it’s not already on your risk radar, it’s time to add mobile apps to the growing list of threat vectors. Mobile apps are risky across all sectors, but in particular, those that come from media and entertainment businesses are putting users at risk.
In the month of June alone, news of security flaws in a variety of mobile apps made headlines. The Taiwan Electronic Testing Center tested 15 mobile apps for information security and the Consumer Protection Committee reported that all of them failed. As soccer teams compete on the field for the FIFA World Cup, app developers seem to be throwing in the towel when it comes to mobile security.
BitSight recently released the results of its research that looked at data from more than 1,000 companies offering apps on iOS and Google Play and found vulnerabilities across the board. “We looked at the rate of companies in each industry that offer at least one mobile application that did not pass a high severity test: a CVSS score of 7 and above qualifies as high severity,” BitSight wrote.
Tests on business apps across finance, business services, technology, education, media and entertainment found that every app had at least one known vulnerability, but more than half of the companies in the media and entertainment industry offer risky applications—nearly double the rate in the finance sector. Of the apps that failed the high severity test, more than 10 percent had unencrypted location data and 36 percent had unencrypted device IDs.
Of all the apps tested, those that ranked highest in severity, though, had vulnerabilities that included data leakage, privilege abuse, unencrypted personally identifiable information (PII) and credential theft.
Looking at those numbers, it’s no surprise that sensitive data exposure ranked third in the OWASP top ten most critical web application security risks. Not encrypting sensitive data is at the root of the most common flaws. “When crypto is employed,” OWASP wrote, “weak key generation and management, and weak algorithm, protocol and cipher usage is common, particularly for weak password hashing storage techniques. For data in transit, server side weaknesses are mainly easy to detect, but hard for data at rest.”
Securing the Device Does Not Secure the App
While much work has been done to enhance mobile security, these critical security risks in mobile apps cannot be ignored, because both the apps and the users pose risks to the enterprise. While failure to encrypt is a common flaw on the developer side, it’s not common knowledge among end users that mobile apps can be malicious.
Despite the intensive vetting process that developers have to go through to make it into either Apple’s App Store or Google Play, many malicious apps have made their way into Google Play. As has been the case with other threat vectors, Apple is quickly catching up. Combine that reality with the fact that consumers often download and use mobile apps from third-party stores, and your organization has an elevated risk exposure.
In a paper titled “Mobile Application Web API Reconnaissance: Web-to-Mobile Inconsistencies & Vulnerabilities,” Abner Mendoza and Guofei Gu of Texas A&M University draw the distinction between securing mobile devices and the data stored locally on them versus securing the mobile apps themselves, including the remote services they talk to.
“Remote HTTP based services form an integral part of the mobile application ecosystem and deserve similar scrutiny with regard to security and privacy concerns,” the researchers wrote.
Perhaps shifting the mindset will prove beneficial for those companies that are struggling to secure their mobile applications. In the meantime, it’s critical that businesses understand which third parties offer apps that are predisposed to security vulnerabilities.