Study: Mobile apps frequently disclose sensitive user data
Despite all the recent attention on mobile security, a majority of mobile apps still have security flaws that should be of concern, warns security firm ViaForensics. The results come from security tests of 100 apps on the Android and iOS platforms.
Each app was given one of three possible ratings -- pass, warn, or fail -- depending on whether ViaForensics was able to recover the data the app stored on the device. A "pass" rating was given if the data either could not be found or was stored encrypted. For apps where the data was found but did not pose an immediate risk, a "warn" rating was assigned.
"Fail" was given to the worst offenders, where sensitive data could be obtained easily: data whose exposure increases the risk of identity theft or financial fraud. Sadly enough, 39 of the 100 apps tested received this rating.
Only 17 apps managed to pass ViaForensics' test, with the remaining 44 squeaking by with a warn rating. The company said this was symptomatic of a general failure among developers to properly secure sensitive user data. That said, the pass/fail ratio varied considerably by application category.
Among the four types of apps tested -- financial, social networking, productivity, and retail -- social networking apps had the highest rate of failure: 14 of the 19 apps failed ViaForensics' tests, and none received a passing grade. As might be expected, financial apps fared best, with only 8 of 32 apps failing.
What were the common problems? The firm said it found that 76 of the 100 apps tested stored usernames in plain text. 10 apps even stored passwords in plain text, which ViaForensics considered one of the biggest threats to user security.
More than four in five apps tested (83 of 100) received a warn or fail, and the failures frequently came for those apps that stored information such as private communications, personal details or account numbers in plain text.
"For instance, if a cybercriminal is able to steal one password, that password, coupled with all of the usernames recovered, would pose a serious threat for someone who uses the same password on many accounts," the firm wrote.
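The check below is an added example of the kind of test the article describes, written for this page rather than taken from ViaForensics' own tooling. It logs a constructed test account into three constructed app storage layouts (a JSON preferences file standing in for shared preferences or NSUserDefaults, plus a SQLite database), then scans what landed on disk for the account's username and password and rates the app pass, warn or fail. The mapping of findings to tiers (password recoverable is fail, only the username recoverable is warn, neither found is pass) is an assumed simplification of the study's criteria, and the file names, credentials and session token are all invented. One detail a practitioner will want: the scan also looks for UTF-16 and base64 forms of each secret, since base64 "obfuscation" is not encryption and would still count as recoverable.

```python
"""Rate an app's on-device storage pass / warn / fail, in the spirit of the
test described above.  Added example, not ViaForensics' tooling: the rating
rules are a simplification, and every file scanned here is constructed."""
from __future__ import annotations

import base64
import json
import sqlite3
import tempfile
from pathlib import Path

# Constructed test-account credentials: the tester logs in with these and
# then looks for them in whatever the app wrote to disk.
TEST_USER = "alice@example.com"
TEST_PASS = "Tr0ub4dor&3"


def encodings(secret: str) -> list[bytes]:
    """Forms a secret takes in storage while still being trivially recoverable:
    raw UTF-8, UTF-16-LE (common in iOS property lists) and base64, which
    developers sometimes mistake for encryption."""
    raw = secret.encode("utf-8")
    return [raw, secret.encode("utf-16-le"), base64.b64encode(raw)]


def find_secret(blob: bytes, secret: str) -> bool:
    """True if the secret appears in the blob in any recoverable form."""
    return any(form in blob for form in encodings(secret))


def rate_app(files: dict[str, bytes], username: str, password: str) -> dict:
    """Apply the three-tier scheme: password recoverable -> fail, only the
    username recoverable -> warn, neither found -> pass.  (Assumed mapping of
    the study's tiers; the real criteria covered more than two strings.)"""
    hits: dict[str, list[str]] = {"password": [], "username": []}
    for name, blob in files.items():
        if find_secret(blob, password):
            hits["password"].append(name)
        if find_secret(blob, username):
            hits["username"].append(name)
    if hits["password"]:
        rating = "fail"
    elif hits["username"]:
        rating = "warn"
    else:
        rating = "pass"
    return {"rating": rating, **hits}


def build_storage(appdir: Path, design: str) -> dict[str, bytes]:
    """Write constructed app data the way three different apps might persist a
    login, then read every file back as bytes for scanning."""
    token = "sess-4f9c2e7a1b"  # stands in for a random server-issued session token
    prefs = appdir / "prefs.json"  # shared-preferences / NSUserDefaults analogue
    if design == "plaintext":
        # Password kept verbatim in prefs and base64-"obfuscated" in SQLite.
        prefs.write_text(json.dumps({"user": TEST_USER, "pass": TEST_PASS}))
        con = sqlite3.connect(appdir / "accounts.db")
        con.execute("CREATE TABLE account(user TEXT, secret TEXT)")
        con.execute("INSERT INTO account VALUES (?, ?)",
                    (TEST_USER, base64.b64encode(TEST_PASS.encode()).decode()))
        con.commit()
        con.close()
    elif design == "token_with_username":
        # Password never written; a revocable token is stored instead.
        prefs.write_text(json.dumps({"user": TEST_USER, "token": token}))
    elif design == "token_only":
        # Nothing identifying on disk; the app fetches the profile via the token.
        prefs.write_text(json.dumps({"token": token}))
    else:
        raise ValueError(f"unknown design {design!r}")
    return {p.name: p.read_bytes() for p in appdir.iterdir() if p.is_file()}


def run_study() -> dict[str, dict]:
    """Rate each constructed design; returns {design: rating details}."""
    results = {}
    for design in ("plaintext", "token_with_username", "token_only"):
        with tempfile.TemporaryDirectory() as tmp:
            files = build_storage(Path(tmp), design)
            results[design] = rate_app(files, TEST_USER, TEST_PASS)
    return results


if __name__ == "__main__":
    for design, result in run_study().items():
        print(f"{design:22s} {result['rating']:5s} "
              f"password in {result['password']}  username in {result['username']}")
```

On a real device the same scan is run over the app's sandbox after a login (data/data/<package> on Android, the app container on iOS), with the test account's values as the needles; the "token_only" layout passes because the password is never persisted and the identifier is fetched with the token rather than stored. Protecting whatever must remain on disk with the platform keystore is outside what this stdlib-only example can show.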