Pierluigi Paganini November 25, 2013

A study conducted by company’s enterprise security arm HP Fortify revealed that the majority of  mobile apps based on iOS is vulnerable.

The company’s enterprise security arm HP Fortify conducted a series of tests on mobile apps that produced concerning results, almost every app is vulnerable.

Mike Armistead, vice president and general manager, Enterprise Security Products, Fortify HP confirmed that around 71% of the vulnerabilities were related to the server end of the mobile apps.

Most of the flaws found are common problems like SQL injection and cross-site scripting exactly as most popular web application vulnerabilities.

The study revealed that nearly 90% have at least one security flaw, the research evaluated 2,107 applications designed by 601 companies on the Forbes Global 2000 based on iOS.

The security specialists grouped the security vulnerabilities in four categories:

• 86% of mobile apps lacked of sufficient security measures to protect private data (e.g. Address books, User data).
• 86% of mobile apps tested lacked binary hardening protection, these apps have resulted vulnerable to certain attacks, including buffer overflows, jailbreak detection and path disclosure.
• 75% of mobile apps did implement data encryption for storage operations, the application stored in clear text also personal data like passwords, personal documents and chat logs.
• 18% of mobile apps transmitted data over the network without using SSL encryption, but what is also concerning is that another 18% of apps used SSL incorrectly. In both cases resulted that private data was transmitted in the clear or anyway accessible by an attacker that share same network connection, the typical scenario of open Wifi present in public places.

The problem of security for mobile apps is crucial especially for enterprises that have to manage also the promiscuous use of their mobile devices. The vulnerabilities found are easy to fix but there is a dangerous trend to underestimate them with serious consequences.

Despite the tests have been conducted only on iOS mobile apps, HP experts say that there is good reason to believe the same flaw exist for Android.

It’s time to increase security by design for mobile apps, there is the need to follow best practices in mobile app development to avoid that the mobile platform will became the hackers’ paradise.

Pierluigi Paganini

(Security Affairs –  Mobile apps, Security)