HP research finds vulnerabilities in 9 of 10 mobile apps

Summary: Obvious security vulnerabilities are disturbingly common in corporate mobile apps. If HP can find them, so can malicious actors.

Tests run by HP Fortify, the company's enterprise security arm, indicate that 90% of mobile apps have at least one security vulnerability.

The company used their Fortify On Demand for Mobile product to test the security posture of 2,107 applications published by 601 companies on the Forbes Global 2000. Only iOS apps were tested, but HP says that there is good reason to believe the same problems exist in any Android counterparts.

Overall, the problems fell into one of four categories. The analysis showed that 86% of apps that accessed potentially private data sources, such as address books or Bluetooth connections, lacked sufficient security measures to protect the data from access. 

86% of apps tested lacked binary hardening protection. This refers to a group of techniques, many of them enabled simply by ticking checkboxes at compile time, that protect against certain attacks such as buffer overflows and path disclosure, or that detect when the app is running on a jailbroken device.
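As an added illustration of what a "binary hardening" check looks like in practice (example code written for this page, not HP's tooling or part of the report), the following Python reads the Mach-O header of an iOS executable, reports whether the PIE/ASLR flag is set, and runs a heuristic scan for the symbols that the stack-protector and ARC compile options pull in. The two sample binaries are constructed inside the script, so it runs offline.

```python
"""Audit compile-time hardening flags of a thin (non-fat) iOS Mach-O binary."""
import struct

MH_MAGIC = 0xFEEDFACE       # 32-bit Mach-O, little-endian on ARM/x86
MH_MAGIC_64 = 0xFEEDFACF    # 64-bit Mach-O
MH_PIE = 0x200000           # header flag: position-independent executable (ASLR)

# Symbols the linker pulls in when the matching Xcode checkbox is on.
STACK_CANARY_SYM = b"___stack_chk_fail"   # -fstack-protector
ARC_SYM = b"_objc_release"                # Automatic Reference Counting


def parse_mach_header(blob):
    """Return the first seven mach_header fields (shared by 32- and 64-bit) as a dict."""
    magic = struct.unpack_from("<I", blob, 0)[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a little-endian thin Mach-O image: 0x%08x" % magic)
    names = ("magic", "cputype", "cpusubtype", "filetype", "ncmds", "sizeofcmds", "flags")
    return dict(zip(names, struct.unpack_from("<7I", blob, 0)))


def hardening_report(blob):
    """Report PIE from the header; canary and ARC via a symbol-name scan.

    The substring scan is a heuristic (a string literal could match too); a
    full check would walk the load commands to the symbol table.
    """
    hdr = parse_mach_header(blob)
    return {
        "pie": bool(hdr["flags"] & MH_PIE),
        "stack_canary": STACK_CANARY_SYM in blob,
        "arc": ARC_SYM in blob,
    }


def build_sample(flags, symbols):
    """Constructed stand-in for a compiled arm64 app: header plus a fake string table."""
    cpu_type_arm64, mh_execute = 0x0100000C, 2
    header = struct.pack("<8I", MH_MAGIC_64, cpu_type_arm64, 0, mh_execute, 0, 0, flags, 0)
    return header + b"\x00".join(symbols) + b"\x00"


BASE_FLAGS = 0x85  # MH_NOUNDEFS | MH_DYLDLINK | MH_TWOLEVEL, typical for an app
HARDENED = build_sample(BASE_FLAGS | MH_PIE, [STACK_CANARY_SYM, ARC_SYM])
WEAK = build_sample(BASE_FLAGS, [b"_main"])

if __name__ == "__main__":
    for name, blob in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, hardening_report(blob))
```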

75% of apps did not encrypt data before storing it on the device. This data included passwords, documents, chat logs, just about anything.

18% of apps transmitted data over the network without using SSL encryption. Another 18% used SSL, but did so incorrectly. The result is private data transmitted in the clear, available to any attacker on the same open Wi-Fi network at the coffee shop or library.

We spoke to Mike Armistead, vice president and general manager, Enterprise Security Products, Fortify, HP. He said that 71% of the vulnerabilities were, in effect, problems on the server end of the app. Most of these are common problems, like SQL injection and cross-site scripting. The consequences of these problems can be severe and remediation of them is a well-understood process, once you know where the problems are.

Nobody would openly downplay the importance of security in mobile development, but there is an imperative in the corporate world to develop and deploy mobile apps quickly. Users are demanding them. This seems to have put security in the back seat.

Fortify's conclusions from the study are that mobile developers need to follow best practices if they don't want to expose their users and company to attack. They should scan their applications using a tool like Fortify On Demand for Mobile; implement penetration testing; and adopt one of the many secure development lifecycle approaches.


About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec...
