Categories: Security

Mobile apps security study conducted by HP Fortify

A study conducted by company’s enterprise security arm HP Fortify revealed that the majority of mobile apps based on iOS is vulnerable.

The company’s enterprise security arm HP Fortify conducted a series of tests on mobile apps that produced concerning results, almost every app is vulnerable.

Mike Armistead, vice president and general manager, Enterprise Security Products, Fortify HP confirmed that around 71% of the vulnerabilities were related to the server end of the mobile apps.

Most of the flaws found are common problems like SQL injection and cross-site scripting exactly as most popular web application vulnerabilities.

The study revealed that nearly 90% have at least one security flaw, the research evaluated 2,107 applications designed by 601 companies on the Forbes Global 2000 based on iOS.

The security specialists grouped the security vulnerabilities in four categories:

86% of mobile apps lacked of sufficient security measures to protect private data (e.g. Address books, User data).
86% of mobile apps tested lacked binary hardening protection, these apps have resulted vulnerable to certain attacks, including buffer overflows, jailbreak detection and path disclosure.
75% of mobile apps did implement data encryption for storage operations, the application stored in clear text also personal data like passwords, personal documents and chat logs.
18% of mobile apps transmitted data over the network without using SSL encryption, but what is also concerning is that another 18% of apps used SSL incorrectly. In both cases resulted that private data was transmitted in the clear or anyway accessible by an attacker that share same network connection, the typical scenario of open Wifi present in public places.

The problem of security for mobile apps is crucial especially for enterprises that have to manage also the promiscuous use of their mobile devices. The vulnerabilities found are easy to fix but there is a dangerous trend to underestimate them with serious consequences.

Despite the tests have been conducted only on iOS mobile apps, HP experts say that there is good reason to believe the same flaw exist for Android.

It’s time to increase security by design for mobile apps, there is the need to follow best practices in mobile app development to avoid that the mobile platform will became the hackers’ paradise.

Pierluigi Paganini

(Security Affairs – Mobile apps, Security)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.