HP research finds vulnerabilities in 9 of 10 mobile apps

Summary: Obvious security vulnerabilities are disturbingly common in corporate mobile apps. If HP can find them, so can malicious actors.

TOPICS: Security, Mobility

Tests run by HP Fortify, the company's enterprise security arm, indicate that 90% of mobile apps have at least one security vulnerability.

The company used its Fortify On Demand for Mobile product to test the security posture of 2,107 applications published by 601 companies on the Forbes Global 2000 list. Only iOS apps were tested, but HP says there is good reason to believe the same problems exist in any Android counterparts.

Overall, the problems fell into one of four categories. The analysis showed that 86% of apps that accessed potentially private data sources, such as address books or Bluetooth connections, lacked sufficient security measures to protect that data from unauthorized access.

86% of apps tested lacked binary hardening protection. The term covers a group of protections, many of them enabled with a compiler flag or a checkbox in the build settings, that make memory-corruption attacks such as buffer overflows harder to exploit (stack canaries, position-independent executables so that ASLR can randomize the image base, automatic reference counting), together with measures such as stripping build paths that would otherwise be disclosed and detecting whether the app is running on a jailbroken device.
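One of these protections, position independence, is recorded in the Mach-O header of an iOS binary and can be checked without running the app. The script below is an added example, not code from the article or from HP Fortify: it parses the header, reports an executable that is not built as PIE (so ASLR cannot move it) or that allows an executable stack, and runs against two constructed headers rather than real apps. Stack canaries and ARC are not visible in the header; detecting those requires walking the load commands and symbol table, which this example does not do.

```python
import struct

# Mach-O header constants, from Apple's <mach-o/loader.h>
MH_MAGIC = 0xFEEDFACE       # 32-bit image (armv7)
MH_MAGIC_64 = 0xFEEDFACF    # 64-bit image (arm64)
FAT_MAGIC = 0xCAFEBABE      # universal binary wrapping several images
MH_EXECUTE = 0x2
MH_PIE = 0x200000                    # position independent: ASLR can move the image base
MH_ALLOW_STACK_EXECUTION = 0x20000   # stack pages are executable
CPU_TYPE_ARM = 12
CPU_TYPE_ARM64 = 0x0100000C

# magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags (+ reserved on 64-bit)
_HDR32 = struct.Struct("<IiiIIII")
_HDR64 = struct.Struct("<IiiIIIII")


def parse_macho_header(data):
    """Return the fields of a little-endian Mach-O header as a dict."""
    if len(data) < 4:
        raise ValueError("too short to hold a Mach-O magic")
    magic_le = struct.unpack_from("<I", data, 0)[0]
    magic_be = struct.unpack_from(">I", data, 0)[0]
    if FAT_MAGIC in (magic_le, magic_be):
        raise ValueError("fat binary: split it per architecture before checking")
    if magic_le == MH_MAGIC_64:
        layout, is_64 = _HDR64, True
    elif magic_le == MH_MAGIC:
        layout, is_64 = _HDR32, False
    else:
        raise ValueError("not a little-endian Mach-O image: magic 0x%08X" % magic_le)
    if len(data) < layout.size:
        raise ValueError("truncated Mach-O header")
    fields = layout.unpack_from(data, 0)
    return {
        "is_64": is_64,
        "cputype": fields[1],
        "cpusubtype": fields[2],
        "filetype": fields[3],
        "ncmds": fields[4],
        "sizeofcmds": fields[5],
        "flags": fields[6],
    }


def hardening_findings(data):
    """List header-level hardening problems; an empty list means none were found."""
    hdr = parse_macho_header(data)
    findings = []
    if hdr["filetype"] == MH_EXECUTE and not hdr["flags"] & MH_PIE:
        findings.append("MH_PIE not set: main image loads at a fixed address, defeating ASLR")
    if hdr["flags"] & MH_ALLOW_STACK_EXECUTION:
        findings.append("MH_ALLOW_STACK_EXECUTION set: code placed on the stack can run")
    return findings


def make_header(is_64, cputype, cpusubtype, flags, ncmds=0):
    """Build a constructed header for testing (no load commands follow it)."""
    if is_64:
        return _HDR64.pack(MH_MAGIC_64, cputype, cpusubtype, MH_EXECUTE, ncmds, 0, flags, 0)
    return _HDR32.pack(MH_MAGIC, cputype, cpusubtype, MH_EXECUTE, ncmds, 0, flags)


# Constructed sample headers, not taken from any real app
HARDENED_ARM64 = make_header(True, CPU_TYPE_ARM64, 0, MH_PIE)
UNHARDENED_ARMV7 = make_header(False, CPU_TYPE_ARM, 9, 0)   # subtype 9 = ARM_V7, no PIE

if __name__ == "__main__":
    for name, blob in (("hardened", HARDENED_ARM64), ("unhardened", UNHARDENED_ARMV7)):
        print(name, hardening_findings(blob) or ["no header-level findings"])
```

On a real app the bytes come from the executable inside the .app bundle; a universal (fat) binary must first be split per architecture, which the parser refuses rather than misreading.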

75% of apps did not encrypt data before storing it on the device. The unencrypted data included passwords, documents and chat logs: just about anything the app handled.

18% of apps transmitted data over the network without using SSL encryption. Another 18% used SSL but did so incorrectly, typically by failing to validate the server's certificate. Either way, private data is exposed to any attacker on the same open Wi-Fi network at a coffee shop or library: in the first case it travels in the clear, in the second the attacker can intercept it with a man-in-the-middle attack.
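What "used SSL, but did so incorrectly" looks like in code, as an added example that is not from the article or from HP: the first context encrypts the connection but accepts any certificate, so an attacker on the same network can terminate the TLS session with a certificate of their own; the second validates the chain and hostname. The audit function is a constructed helper for reviewing client configuration, and `https_head` is illustrative usage that is not exercised offline.

```python
import socket
import ssl


def insecure_client_context():
    """TLS is on, but the server's certificate is never checked."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # any certificate, including an attacker's, is accepted
    return ctx


def secure_client_context():
    """Validate the chain against the system trust store and check the hostname."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_client_context(ctx):
    """Return the list of misconfigurations found in a client SSLContext."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode=CERT_NONE: any certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname=False: a valid certificate for another host is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2: downgrade to obsolete versions allowed")
    return findings


def https_head(host, ctx, port=443, timeout=5):
    """Send a HEAD request over TLS. With the secure context a forged certificate
    raises ssl.SSLCertVerificationError instead of leaking the request."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            return tls.recv(4096).decode(errors="replace")


if __name__ == "__main__":
    print("insecure:", audit_client_context(insecure_client_context()))
    print("secure:  ", audit_client_context(secure_client_context()))
```

The same mistake appears in native iOS code whenever a delegate accepts every server trust challenge unconditionally; the audit above is the Python equivalent of grepping for that pattern.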

We spoke to Mike Armistead, vice president and general manager, Enterprise Security Products, Fortify, HP. He said that 71% of the vulnerabilities were, in effect, problems on the server end of the app. Most of these are common problems, like SQL injection and cross-site scripting. The consequences of these problems can be severe and remediation of them is a well-understood process, once you know where the problems are.
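The two server-side classes named above, SQL injection and cross-site scripting, are shown side by side here in an added example that is not from the article or from HP Fortify. It uses an in-memory SQLite table with one constructed user record: the vulnerable login builds its query by string formatting and is bypassed by a username that closes the quote and comments out the password check, while the safe version passes the values as parameters. The comment renderer shows the XSS counterpart, with `html.escape` as the fix.

```python
import html
import sqlite3


def make_db():
    """Constructed sample data: one user with a placeholder password hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    """Vulnerable: user input is spliced into the SQL text."""
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password_hash = '%s'" % (username, password_hash))
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password_hash):
    """Fixed: the driver sends the values separately from the query."""
    query = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone() is not None


def render_comment_vulnerable(text):
    """Vulnerable: user content is placed straight into the page markup."""
    return "<p>%s</p>" % text


def render_comment_safe(text):
    """Fixed: the content is escaped so it renders as text, not markup."""
    return "<p>%s</p>" % html.escape(text, quote=True)


if __name__ == "__main__":
    db = make_db()
    # "alice' --" closes the string and comments out the password check
    print("injection vs vulnerable login:", login_vulnerable(db, "alice' --", "wrong"))
    print("injection vs safe login:     ", login_safe(db, "alice' --", "wrong"))
    print(render_comment_vulnerable("<script>alert(1)</script>"))
    print(render_comment_safe("<script>alert(1)</script>"))
```

Remediation is the same in any server stack: parameterized queries for every statement that carries user input, and context-appropriate output encoding wherever user content reaches a page.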

Nobody would openly downplay the importance of security in mobile development, but there is an imperative in the corporate world to develop and deploy mobile apps quickly. Users are demanding them. This seems to have put security in the back seat.

Fortify's conclusion from the study is that mobile developers need to follow established practices if they don't want to expose their users and their company to attack: scan applications with a tool like Fortify On Demand for Mobile, perform penetration testing, and adopt one of the many secure development lifecycle approaches.




Log in or register to join the discussion
  • Broken link alert

    Just wanted to let you know that the first link for HP Fortify is broken. Good read.
    • Thank you, fixed. (nt)

  • They must really be bad if HP can find them...

    LOL come on guys... Even HP can find the vulnerabilities you gotta do better than that.
    • Fortify is an excellent product

      - in fact one of the very best around.

      Clearly you need to get out some more....
  • HP Research?

    I thought Mark Hurd killed all of HP Research.
  • Should come as no surprise....

    It is a very likely outcome when anyone & everyone is allowed to develop & publish an app. AND, stop & consider where most of them are "developed" - a look at the lack of proper grammar in whatever minimal documentation exists should be a huge clue.
  • Vendor FUD

    While I don't disagree that there is a lot of mobile malware out there, this article is a barely-camouflaged advert for HP. There is no reference to the actual research and the numbers look unreliable to me.

    86% of the apps accessing contact books or Bluetooth may not be a good thing, but how many of those apps required such access legitimately? If you install an address book app, it would obviously require access to your contact list. If HP classifies that as a "vulnerability" as part of their research, that's just plain wrong, though convenient for them to further the FUD syndrome.

    My personal opinion, but this sort of advert-rolled-into-a-news-article just puts me off the product and the vendor.