Tests run by HP Fortify, the company's enterprise security arm, indicate that 90% of mobile apps have at least one security vulnerability.
The company used their Fortify On Demand for Mobile product to test the security posture of 2,107 applications published by 601 companies on the Forbes Global 2000. Only iOS apps were tested, but HP says that there is good reason to believe the same problems exist in any Android counterparts.
Overall, the problems fell into one of four categories. The analysis showed that 86% of apps that accessed potentially private data sources, such as address books or Bluetooth connections, lacked sufficient security measures to protect that data from unauthorized access.
86% of apps tested lacked binary hardening protection. This refers to a group of techniques, many enabled simply by checkboxes at compile time, that mitigate certain attacks, such as buffer overflows and path disclosure, or add runtime checks such as jailbreak detection.
75% of apps did not encrypt data before storing it on the device. This data included passwords, documents, chat logs: just about anything.
18% of apps transmitted data over the network without using SSL encryption. Another 18% used SSL, but did so incorrectly. The result is private data transmitted in the clear, available to any attacker on the same open Wi-Fi network at the coffee shop or library.
We spoke to Mike Armistead, vice president and general manager of Enterprise Security Products, Fortify, at HP. He said that 71% of the vulnerabilities were, in effect, problems on the server end of the app. Most of these are common problems, like SQL injection and cross-site scripting. The consequences of these problems can be severe, but remediating them is a well-understood process once you know where the problems are.
Nobody would openly downplay the importance of security in mobile development, but there is an imperative in the corporate world to develop and deploy mobile apps quickly. Users are demanding them. This seems to have put security in the back seat.
Fortify's conclusions from the study are that mobile developers need to follow best practices if they don't want to expose their users and company to attack. They should scan their applications using a tool like Fortify On Demand for Mobile; implement penetration testing; and adopt one of the many secure development lifecycle approaches.