Flawed phone apps could risk enterprise data


Analysis by Zimperium zLabs of more than 17,000 mobile apps in enterprise use finds that 92 percent of all apps, and 56 percent of the top 100, use flawed cryptographic methods that could be putting organizations at risk.
Even more concerning, five percent of the top 100 apps were found to have high-severity cryptography flaws, including hardcoded keys and outdated algorithms.
Juan Francisco Bertona, cyber threat analyst at Zimperium writes on the company's blog, "The stakes have never been higher. During 2024 alone, over 1.7 billion individuals had their personal data compromised -- a staggering 312 percent increase from 419 million in 2023 -- leading to a total estimated financial loss of 280 billion dollars. As mobile devices become the primary gateway to digital services, they also represent an expanding attack surface for data leakage and breaches."
Among other findings, 83 Android apps were found to use unprotected or misconfigured cloud storage, a few of them ranking in the top 100 of the Play Store popularity list. In some cases the file and directory index was world-viewable; in others the full contents of the storage could be read without any credentials.
Ten apps were found to contain exposed AWS credentials, potentially granting full access to sensitive enterprise data. Such credentials could be used to read the data or, in the worst case, to write to it: creating fake records, or deleting or encrypting the data and demanding a ransom for it, without the need to carry out a traditional ransomware attack at all.
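The flaw classes the article describes (hardcoded keys, outdated algorithms, and cloud credentials shipped inside the app) are exactly what a static scan of a decompiled APK and its extracted assets can surface before release. The scanner below is an added example written for this page, not Zimperium's tooling or any code from the report; the decompiled Java fragment and the config file it scans are constructed samples (the AWS key values are the placeholder examples from AWS's own documentation, not live credentials), and the rule set and remediation text are the author's assumptions about what a reviewer would flag. Bare `"AES"` is flagged alongside `"AES/ECB/..."` because the JCE defaults to ECB when no mode is given.

```python
"""Static scan of decompiled Android code and extracted assets for weak or
hardcoded crypto and exposed cloud credentials. Added example for this page;
not Zimperium's tooling. Run: python scan_app.py
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    line: int
    evidence: str
    fix: str


# (rule id, severity, regex applied to one source line, remediation)
RULES = [
    ("hardcoded-key", "high",
     r'SecretKeySpec\(\s*"[^"]+"\s*\.getBytes\(',
     "Generate or derive the key at runtime and keep it in the Android Keystore."),
    ("ecb-mode", "high",
     r'Cipher\.getInstance\(\s*"AES(?:/ECB[^"]*)?"',   # bare "AES" is ECB by default
     "Use AES/GCM/NoPadding with a fresh random nonce per message."),
    ("legacy-cipher", "high",
     r'Cipher\.getInstance\(\s*"(?:DES|DESede|RC4|ARCFOUR|Blowfish)[^"]*"',
     "Replace with AES-GCM or ChaCha20-Poly1305."),
    ("static-iv", "medium",
     r'IvParameterSpec\(\s*"[^"]+"\s*\.getBytes\(',
     "Generate a random IV per encryption and store it next to the ciphertext."),
    ("weak-hash", "medium",
     r'MessageDigest\.getInstance\(\s*"(?:MD5|SHA-?1)"',
     "Use SHA-256, or an HMAC / password hash depending on the purpose."),
    ("aws-access-key-id", "high",
     r'\b(?:AKIA|ASIA)[A-Z0-9]{16}\b',
     "Revoke the key; move the access behind a backend or use short-lived credentials."),
    ("aws-secret-key", "high",
     r'(?i)aws_?secret(?:_access)?_?key\s*[=:]\s*([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])',
     "Revoke immediately and rotate everything the key could reach."),
    ("cloud-storage-url", "info",
     r'https?://[\w.-]+\.(?:s3[\w.-]*\.amazonaws\.com|storage\.googleapis\.com'
     r'|blob\.core\.windows\.net|firebaseio\.com)\S*',
     "Verify that listing and unauthenticated read/write are denied on this bucket."),
]
COMPILED = [(r, s, re.compile(p), f) for r, s, p, f in RULES]


def _mask(secret: str) -> str:
    """Keep enough of a credential to identify it without reprinting it in full."""
    return secret if len(secret) <= 12 else f"{secret[:4]}...{secret[-4:]}"


def scan(text: str) -> list[Finding]:
    """Return one Finding per rule match, scanning line by line."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, severity, pattern, fix in COMPILED:
            for m in pattern.finditer(line):
                evidence = m.group(1) if m.groups() else m.group(0)
                if rule.startswith("aws-"):
                    evidence = _mask(evidence)
                findings.append(Finding(rule, severity, lineno, evidence, fix))
    return findings


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    """Tally findings by severity, e.g. {'high': 5, 'medium': 2, 'info': 1}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed input: a decompiled class plus an extracted asset file. Not from any real app;
# the AWS values are the placeholder examples used in AWS documentation.
SAMPLE = '''\
// Vault.java (decompiled; constructed sample, not from any real app)
static final SecretKeySpec KEY = new SecretKeySpec("0123456789abcdef".getBytes(), "AES");
Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
Cipher d = Cipher.getInstance("DES/CBC/PKCS5Padding");
IvParameterSpec iv = new IvParameterSpec("fixed-iv-1234567".getBytes());
byte[] h = MessageDigest.getInstance("MD5").digest(s.getBytes());
// assets/config.properties (constructed; values are the AWS documentation placeholders)
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
backup_url=https://example-backups.s3.amazonaws.com/
// a correct use, which must not be flagged
Cipher ok = Cipher.getInstance("AES/GCM/NoPadding");
'''

if __name__ == "__main__":
    results = scan(SAMPLE)
    for f in results:
        print(f"[{f.severity:6}] line {f.line:2} {f.rule}: {f.evidence}")
        print(f"         fix: {f.fix}")
    print(severity_counts(results))
```

Run against `apktool d app.apk` output (or `jadx` for Java sources) by concatenating the files you care about and passing the text to `scan()`. A hit on `cloud-storage-url` is only a lead: the follow-up is to check, with no credentials, whether the bucket answers a listing request or serves objects, which is the world-readable condition the article describes.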
Commenting on the research, Boris Cipot, senior security engineer at Black Duck, says, "As we are living in a digital world, a lot of our private and personal data is processed on digital channels. We depend on the web service or application providers to handle our data with care and protect it in transit while it's being stored. However, as the latest findings from Zimperium show, this is not the case. Cryptography is the foundation of secure communication and data storage. However, if flawed cryptographic algorithms are used or if no protection is used at all, then this is a highly alarming state. The presence of hardcoded keys and outdated algorithms is especially dangerous as they can be the reason for exposed high-volume data to be compromised."
You can read more on the Zimperium blog.
Image credit: Cttpnetwork/Dreamstime.com