Three quarters of mobile apps have this security vulnerability that could put your personal data at risk

Researchers find that both iOS and Android apps have insecure data storage - and that could lead to passwords, financial information, user locations and other personal data being accessed by cyber attackers.
Written by Danny Palmer, Senior Writer

Three quarters of mobile applications have vulnerabilities relating to insecure data storage, leaving both Android and Apple iOS users open to cyberattacks that could allow hackers to steal sensitive information.

Insecure data storage is just one of a number of vulnerabilities that a security company's researchers said they found after conducting security assessments of a number of mobile applications for both iPhones and Google Android devices.

The findings have been outlined in the Vulnerabilities and Threats in Mobile Applications 2019 report from Positive Technologies.

Insecure data storage is by far the most common vulnerability identified in the tested applications: 76% of those examined were found to exhibit it, potentially putting the privacy and security of users at risk.

Just over a third of applications (35%) have been found to exhibit vulnerabilities relating to insecure transmission of sensitive data, while researchers found that the same percentage demonstrated issues around incorrect implementation of session expiration.

Additional vulnerabilities found in just under one in five of the tested applications include sensitive data being stored in the application source code and insufficient protection against cyberattacks using brute-force techniques.

Researchers class the vulnerabilities listed above as medium risk, but 29% of tested applications have been found to contain what has been classed as a high risk – insecure interprocess communication. This critical vulnerability potentially enables attackers to remotely access data processed within vulnerable mobile applications.

While this technique is generally forbidden for iOS applications, there are instances where it is used – such as social media applications sharing their functionality with other apps on the same device to help provide a faster in-browser experience.

In total, high-risk vulnerabilities were found in 38% of mobile applications for iOS and in 43% of Android applications. As many as 89% of all vulnerabilities discovered could be exploited using malware, all without any need for physical access to the device – and potentially putting users at risk of having some very sensitive information hacked.

"Developers pay painstaking attention to software design in order to give us a smooth and convenient experience and people gladly install mobile apps and provide personal information. However, an alarming number of apps are critically insecure, and far less developer attention is spent on solving that issue," said Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies.

If application developers put more thought into securing their products, that would go a long way toward securing mobile devices against attacks that target vulnerabilities in apps – but users can also help protect themselves from hackers by being careful what they download.

"We recommend that users take a close look when applications request access to phone functions or data. If you doubt that an application needs access to perform its job correctly, decline the request," said Galloway.

"Users can also protect themselves by being vigilant on not opening unknown links in SMS and chat apps, and not downloading apps from third party app stores. It's better to be safe than sorry," she added.

