Three in four mobile apps contain at least one vulnerability
As the internet is increasingly accessed from mobile devices, mobile apps need to be considered as part of a company's security strategy.
A new report from BitSight finds that three out of four mobile applications evaluated contained at least one moderate vulnerability. It also finds material and severe vulnerabilities in some popular apps.
What's also worrying is that few of these material and severe vulnerabilities get addressed once apps are in production.
Problems identified in the report include Android shopping apps, which transmit personally identifiable information (PII) and other sensitive financial details, performing poorly at TLS certificate validation for that sensitive data. GPS data leakage is also a problem across a variety of sectors and mobile app genres, including aerospace and defense.
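The report does not say which TLS validation failures it found, but the pattern that most often produces this finding in shipped Android apps is a custom X509TrustManager that never rejects a chain, paired with a HostnameVerifier that accepts every host. The following is an added example written for this page, not code from the report or from any of the apps it evaluated; the endpoint URL is a hypothetical placeholder. It shows that vulnerable pattern beside the form that leaves validation to the platform.

```java
import java.io.IOException;
import java.net.URL;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public final class TlsValidationExample {

    // Hypothetical endpoint; stands in for the app's checkout or login API.
    static final String ENDPOINT = "https://api.example-shop.invalid/checkout";

    /**
     * VULNERABLE. Any certificate presented by the server is accepted because
     * checkServerTrusted never throws, and the hostname verifier returns true
     * for every host. An on-path attacker with a self-signed certificate
     * terminates the TLS session and reads the PII the app sends.
     */
    static HttpsURLConnection openTrustingEverything(String endpoint)
            throws IOException, NoSuchAlgorithmException, KeyManagementException {
        TrustManager[] trustAll = new TrustManager[] {
            new X509TrustManager() {
                @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                @Override public void checkServerTrusted(X509Certificate[] chain, String authType) {
                    // Empty body: no chain is ever rejected. This is the bug.
                }
                @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        HttpsURLConnection conn = (HttpsURLConnection) new URL(endpoint).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier((hostname, session) -> true); // hostname check disabled as well
        return conn;
    }

    /**
     * HARDENED. No socket factory or hostname verifier is installed, so the
     * default SSLContext validates the chain against the device trust store
     * and the default verifier matches the certificate's SAN against the
     * requested host. Untrusted or mismatched certificates fail the handshake.
     */
    static HttpsURLConnection openWithPlatformValidation(String endpoint) throws IOException {
        return (HttpsURLConnection) new URL(endpoint).openConnection();
    }

    public static void main(String[] args) throws Exception {
        HttpsURLConnection safe = openWithPlatformValidation(ENDPOINT);
        safe.setRequestMethod("GET");
        // Connecting to the placeholder host fails by design; in a real app the
        // request proceeds only if the server's certificate chain validates.
        System.out.println("Using platform validation for " + safe.getURL().getHost());
    }
}
```

When reviewing a build, search the code (or the decompiled APK) for X509TrustManager implementations whose checkServerTrusted body is empty or only logs, and for HostnameVerifier implementations that return true unconditionally; each is a finding regardless of whether it was added "just for the staging environment".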
In September, security researchers found that 14 top Android apps, downloaded by more than 140 million people in total, were leaking user data due to misconfigurations in the Firebase app development platform. Exposed data potentially includes users' names, email addresses, usernames, and other PII.
"Mobile applications already drive much of today's digital activity and that will only increase in the future. 5G, increased work-from-home, and the ever-increasing availability of mobile devices have all but assured that cyber criminals will look for avenues into mobile applications to conduct attacks," says Stephen Boyer, founder and CTO of BitSight. "For these reasons, it is critical for organizations to understand risks associated with mobile applications created in-house and those published by third parties."
Among the findings are that Android news apps are the most likely to be vulnerable to arbitrary code execution. GPS tracking data leaked via HTTP can be a serious problem for some social apps on Android. Leakage of the Apple advertising identifier (AdID) via HTTP is also much more prevalent in iOS news apps than in apps of other genres.
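Both of the HTTP leakage findings above (GPS data from Android social apps, AdID from iOS news apps) come down to sensitive fields being sent over cleartext. On Android the app-wide control for this is the network security configuration. The fragment below is an added example, not a file from the report or from any app it evaluated; it refuses all cleartext HTTP so that an http:// URL throws rather than transmitting the data.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml -->
<!-- Added example. Disables cleartext traffic for the whole app and trusts
     only the system certificate store, so user-installed CAs cannot be used
     to intercept HTTPS either. -->
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>
```

The file is referenced from the manifest with android:networkSecurityConfig="@xml/network_security_config" on the application element. The network security configuration is available from Android 7.0 (API 24); from Android 9 (API 28) cleartextTrafficPermitted already defaults to false, so the explicit setting matters most for apps that still support older devices. It covers the platform HTTP stack and libraries that honour it; code that opens raw sockets needs its own review.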
"The integration of security evaluations as a continuous part of the development and release cycle for all mobile apps is an investment app publishers should make in their brand," says Abdullah Al Rashid, senior data scientist at BitSight. "Developers can no longer afford to put off security until the last minute or even after the app has been released. Prioritizing mobile application security has become essential to compete in today's market."
The full report is available from BitSight.