Apps frequently have access to data they don't need, or permissions to use hardware and services that have nothing to do with what they do. A recent study shows the problems are much more widespread than we thought.
HP researchers examined more than 2,000 iOS apps between October and November and found that nine out of ten apps had serious vulnerabilities, according to the study released last month. The issues included excessive permissions, unencrypted stored data, and insecure data transmission. Games don't need access to your address book, and there really isn't any reason for a weather app to have permission to send email. If an app doesn't protect the data it has access to, or doesn't properly secure how it uses core operating system components, the device becomes vulnerable to attack.
Mobile devices are "prime targets for attack, with vulnerable applications providing access to sensitive data," said Mike Armistead, vice president and general manager of the enterprise security products group at HP's Fortify.
In the study, researchers used the HP Fortify on Demand automated binary and dynamic analysis engine to test 2,107 applications, selected from 22 different categories, including productivity and social networking. While the study focused on custom enterprise applications, it's not a stretch to assume that similar security and privacy issues are present in the apps we would find on the Apple App Store or Google Play.
Not Protecting Data
Nearly all (97 percent) of the tested apps accessed at least one "private information source," such as personal address books and social media pages, or took advantage of Bluetooth or Wi-Fi connectivity. What's worrying is that a staggering 86 percent of those applications did not have adequate security measures in place to ensure the private data was protected, the study found.
Approximately 75 percent of applications used encryption incorrectly when storing data on mobile devices, the study found. Unprotected data included passwords, personal information, session tokens, documents, chat logs, and photographs.
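The most common version of "using encryption incorrectly" on iOS is not a broken cipher but no cipher at all: a session token or password written to NSUserDefaults or a plain file, sometimes Base64-encoded in the belief that this hides it. The following is an added illustration, not code from the page or from HP's study, showing that weak pattern beside the corrected one that hands the secret to the Keychain. The service name `com.example.app.session` and the key `sessionToken` are hypothetical.

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// WEAK: NSUserDefaults is a plist under Library/Preferences. It is readable
// from a device backup or a file dump of a jailbroken phone, and Base64 is
// an encoding, not encryption; anyone who finds the value can reverse it.
static void storeSessionTokenWeak(NSString *token) {
    NSData *encoded = [[token dataUsingEncoding:NSUTF8StringEncoding]
                       base64EncodedDataWithOptions:0];
    [[NSUserDefaults standardUserDefaults] setObject:encoded forKey:@"sessionToken"];
    [[NSUserDefaults standardUserDefaults] synchronize];
}

// CORRECTED: a Keychain generic-password item. The OS encrypts it with a key
// tied to the device and the user's passcode; WhenUnlockedThisDeviceOnly means
// it is unreadable while the phone is locked and is never restored to another
// device from a backup.
static OSStatus storeSessionTokenInKeychain(NSString *token) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: @"com.example.app.session",  // hypothetical
        (__bridge id)kSecAttrAccount: @"sessionToken",
    };
    // Replace any earlier value instead of failing with errSecDuplicateItem.
    SecItemDelete((__bridge CFDictionaryRef)query);

    NSMutableDictionary *attrs = [query mutableCopy];
    attrs[(__bridge id)kSecValueData]      = [token dataUsingEncoding:NSUTF8StringEncoding];
    attrs[(__bridge id)kSecAttrAccessible] = (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    return SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
}

// Reads the token back; returns nil if absent or if the device is locked.
static NSString *loadSessionTokenFromKeychain(void) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: @"com.example.app.session",
        (__bridge id)kSecAttrAccount: @"sessionToken",
        (__bridge id)kSecReturnData:  @YES,
        (__bridge id)kSecMatchLimit:  (__bridge id)kSecMatchLimitOne,
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status != errSecSuccess) {
        return nil;
    }
    NSData *data = CFBridgingRelease(result);
    return [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
}
```

The same rule applies to documents, chat logs and photos the app writes itself: files that must live outside the Keychain should be written with `NSDataWritingFileProtectionComplete` so the data-protection key is discarded when the device locks, rather than left in the default class where it is available as soon as the device boots.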
It was reassuring to see that only 18 percent of applications tested in the study sent usernames and passwords over plain HTTP, while the remaining apps used SSL/HTTPS. However, of those using a secure transport, nearly 20 percent had incorrect SSL/HTTPS implementations, typically an app that does not validate the server's certificate. That leaves the data open not only to passive sniffing but to an active attacker on the same network who presents his own certificate and reads the traffic in the clear.
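What a broken HTTPS implementation looked like in an iOS app of that period, as an added example that is not code from the page or from HP's study: an NSURLConnection delegate that accepts any server certificate, beside a corrected delegate that validates the chain and pins the leaf certificate to a copy shipped in the app bundle. The class names and the bundled file `api.cer` are assumptions.

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// WEAK: turns every server trust challenge into a credential without ever
// evaluating it, so any certificate (self-signed, expired, wrong host) is
// accepted. Usually written to silence an error from a test server, then
// shipped. A man-in-the-middle on the same Wi-Fi reads the login request.
@interface WeakAPIClient : NSObject <NSURLConnectionDelegate>
@end

@implementation WeakAPIClient
- (void)connection:(NSURLConnection *)connection
    willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if ([space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        NSURLCredential *anyCert = [NSURLCredential credentialForTrust:space.serverTrust];
        [challenge.sender useCredential:anyCert forAuthenticationChallenge:challenge];
        return;
    }
    [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
}
@end

// CORRECTED: evaluate the chain against the device trust store for the host
// actually dialed, then additionally require the leaf to match the pinned
// certificate. Anything else cancels the connection (fail closed).
@interface PinnedAPIClient : NSObject <NSURLConnectionDelegate>
@end

@implementation PinnedAPIClient
- (void)connection:(NSURLConnection *)connection
    willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
        return;
    }
    SecTrustRef trust = space.serverTrust;

    // Step 1: standard validation (chain, expiry, host name).
    SecPolicyRef policy = SecPolicyCreateSSL(true, (__bridge CFStringRef)space.host);
    SecTrustSetPolicies(trust, policy);
    CFRelease(policy);
    SecTrustResultType result = kSecTrustResultInvalid;
    OSStatus status = SecTrustEvaluate(trust, &result);
    BOOL chainOK = (status == errSecSuccess) &&
                   (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);

    // Step 2: pin the leaf to the DER certificate bundled as "api.cer"
    // (assumed), so a rogue but CA-issued certificate for our host still fails.
    BOOL pinOK = NO;
    if (chainOK && SecTrustGetCertificateCount(trust) > 0) {
        SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
        NSData *leafDER = CFBridgingRelease(SecCertificateCopyData(leaf));
        NSString *path = [[NSBundle mainBundle] pathForResource:@"api" ofType:@"cer"];
        NSData *pinnedDER = [NSData dataWithContentsOfFile:path];
        pinOK = (pinnedDER != nil) && [leafDER isEqualToData:pinnedDER];
    }

    if (chainOK && pinOK) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust]
             forAuthenticationChallenge:challenge];
    } else {
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}
@end
```

If the delegate method is simply not implemented, NSURLConnection performs step 1 on its own; the weak version is therefore strictly worse than writing nothing. Pinning only pays off if the bundled certificate is rotated before it expires, so it belongs in the release checklist.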
Developers Need to Step Up
In general, mobile operating systems, Android and iOS alike, are getting better about explicitly describing which permissions an app requests. There are also stricter guidelines about what types of data apps can access. However, the burden is still on the user to read the list of permissions, understand the implications, and decide whether the requests are reasonable.
The better scenario would be if developers built security and privacy into the apps from the start. They need to think about how their apps interact with other apps and the operating system. They need to consider how their apps can securely access data.
Businesses need to switch from "fast to market," to "secure and fast to market," HP said.