Yesterday, mobile security firm Wandera released findings from the company’s research into the state of mobile application security. The report, “Assessing the Security of 10 Top Mobile Apps,” is an attention-grabber. We all use mobile devices and we all download apps, some of them for work, some of them for pleasure, and security professionals know that mobile is risky business. While the 2015 Verizon Data Breach Investigations Report cautioned that mobile certainly presents security risks and challenges, it is not yet one of the most commonly exploited weak spots in the ecosystem.
Nonetheless, mobile application security (and application security in general) is a topic that not only grabs attention, but one that needs more attention.
At first glance, the data is a bit startling: “10 out of 10 Apps are vulnerable to at least three of the OWASP Top 10 Mobile Risks, including the two most fundamental issues: data storage security and data transport security.” Ten out of ten! Ouch – that’s bad. But wait, doesn’t OWASP actually have twenty-eight subcategories within the Top 10? So that’s really “at least three of” twenty-eight; and which apps are in question? Wandera declines to mention the apps by name (presumably they have responsibly disclosed the vulnerabilities to the companies who own and developed the apps) but does write that “The 10 apps…have been downloaded an estimated 1.4 billion times combined from the Google Play store. Within Apple’s App Store, the 10 apps…fall within the top 0.05% of all published apps and are primarily in the business and productivity categories.” Thus the reader can assume these apps are widely used, perhaps even running on his or her phone for business purposes, and that the apps are storing his or her PII in an Unencrypted SQLite DB and including PII in Property List Files. Does the reader really know, though, what “top 10” means, or whether he or she, or the business, is affected?
Most security pros would agree that insecure data storage is a problem. James Jardine, CEO of Jardine Software, an application security assessment and training firm, says, “Secure data storage is often overlooked, most likely because the assumption is that the device would need to be hacked or stolen to access that data.” Better controls for the data collected from the apps should be implemented by the app developers, but other ways to secure data on devices exist. Presumably, some of this research is a self-fulfilling prophecy, as the publisher of the research provides secure mobile solutions, but plenty of other commercial tools exist; sandboxing is fairly easy and flexible nowadays; and the device itself can be encrypted with a password/passcode/fingerprint, all of which make it harder to access the data if the device is lost, stolen, or hacked.
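As an added illustration (not code from the report or from Jardine), here is a small audit script a developer could run against an app’s own data container to check for the two storage findings quoted above, an unencrypted SQLite database and property list files holding PII: it walks the container, opens each SQLite file with the stock driver (a file that opens and reads without a key is, by definition, unencrypted; an encrypted one fails with a database error) and parses each plist, flagging PII-like column and key names. The PII name list, the file extensions checked and the sample container are constructed assumptions for the example.

```python
import os
import plistlib
import re
import sqlite3
import tempfile

# Assumed for illustration: names that mark a column or key as PII.
PII_NAMES = re.compile(r"(email|phone|ssn|address|password|token)", re.I)
EMAIL_VALUE = re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.I)

def audit_sqlite(path):
    """(table, column) pairs with PII-like names; None if not plain SQLite."""
    findings = []
    try:
        with sqlite3.connect(path) as db:
            for (t,) in db.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall():
                for col in db.execute(f'PRAGMA table_info("{t}")'):
                    if PII_NAMES.search(col[1]):
                        findings.append((t, col[1]))
    except sqlite3.DatabaseError:
        return None  # encrypted or not SQLite at all: nothing readable here
    return findings

def audit_plist(path):
    """Plist keys whose name or string value looks like PII."""
    with open(path, "rb") as f:
        data = plistlib.load(f)
    return [k for k, v in data.items() if PII_NAMES.search(k)
            or (isinstance(v, str) and EMAIL_VALUE.search(v))]

def audit_container(root):
    """Walk an app container; map each file name to its findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if name.endswith((".sqlite", ".db")):
                report[name] = audit_sqlite(p)
            elif name.endswith(".plist"):
                report[name] = audit_plist(p)
    return {k: v for k, v in report.items() if v}

def build_sample_container():
    """Constructed sample sandbox that exhibits both findings."""
    root = tempfile.mkdtemp()
    with sqlite3.connect(os.path.join(root, "users.sqlite")) as db:
        db.execute("CREATE TABLE contacts(id INTEGER, email TEXT, phone TEXT)")
        db.execute("INSERT INTO contacts VALUES (1, 'a@example.com', '555-0100')")
    with open(os.path.join(root, "Settings.plist"), "wb") as f:
        plistlib.dump({"theme": "dark", "userEmail": "a@example.com"}, f)
    return root
```

Run `audit_container(build_sample_container())` to see both files flagged; pointing the same function at a real app container that stores data in an SQLCipher database should report nothing for that file.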
I’m gonna be your number one
The “Insecure Data Storage” category is, by far, the worst of the findings in this report. Plenty of bright spots occur, however. For example:
One app is a bit of a dud, but all of the others show server-side protection in four important areas.
The categories Broken Cryptography, Client Side Injection, Security Decisions via Untrusted Inputs, Improper Session Handling, Lack of Binary Protections, and Static Analysis are all fairly green across the board. One notable exception is the category Anti-Jailbreak Protection not Implemented; this category was red for all ten apps. The logical question when looking at this, of course, is how rampant is jailbreaking among the non-tech-savvy business crowd? Security professionals take for granted that mobile devices can be manipulated, but most consumers would not have the faintest idea (or inclination) of how to mess with their phones. In future business generations this may not be the case, but today this doesn’t seem to be a high-priority risk in the enterprise. Jardine adds, “Not taking into account the types of vectors to understand difficulty [of exploit] makes it a bit less interesting.”
Weak encryption also proves a slight exception to the positive news, with three out of ten apps failing. While weak encryption is a concern, as Jardine offers, the article “really points out that mobile app security is getting better!” Plenty of apps, websites, or even corporate networks don’t use encryption at all, despite the documented dangers and warnings and breaches. While 30% of these app developers could be better, 70% are doing fairly well.
The report also says that “poor authorization and authentication” is a major vulnerability. The way the data reads, though, is that weak passwords are the primary problem. Sadly, weak passwords are a problem everywhere. Many large, well-funded, reputable enterprises still limit the characters allowed in login passwords. “This is a finding for even most web applications,” says Jardine. In the same category, Clear Text Authentication Leaks passed for every app tested, and PII in Custom Logs (neither term is defined: is the PII my username? My phone number? My location?) failed on only two apps.
I’m not the kind-a girl who gives up just like that
While some interesting meat is included in this report, and obviously there’s more work to be done in secure app development (hooray! Security professionals will continue to have jobs!), the findings indicate things are getting better. Attention is being paid to developing secure apps (has the security team finally been heard, or did businesses start demanding improved security as a competitive advantage?). According to this research, apps are now written to use secure connections, to cache properly, to ensure proper session handling, and to look for malicious URLs and deny those connections. This is all positive news, indeed.
Jardine sums it up nicely: “From what I see, the security actually seems better than I would have expected and not nearly as severe as portrayed.”