The study which was released at the RSA Conference in San Francisco this week was based on a scan by the HPE Security on Demand platform of over 36,000 Android and iOS mobile applications.
Cybercriminals are shifting their focus to mobile platforms, with more than 10,000 new Android threats discovered per day in 2015, and an iOS malware growth rate of more than 230 percent, according to the report.
“Modern mobile applications are collecting, transmitting and storing a wide range of data that often is not necessary to the application’s function, and can cause significant financial and reputational damage if a vulnerability is exploited,” said Jason Schmitt (@raidschmitt), vice president and general manager, HPE Security Fortify at HPE. “With attackers’ growing interest in mobile, it’s critical that developers build security into applications from the onset, and organizations take a proactive approach to data security to better protect both personal and corporate data.”
Among the findings of the report were:
A majority of mobile applications track your location, but not all of them need to
More than 50 percent of the scanned applications accessed geolocation data. This has serious privacy implications in the event of an attack, because an attacker who obtains that data can learn the physical location of otherwise anonymous, unsuspecting users. While it makes sense for a traffic application to track location, the study found that more than 70 percent of education applications on iOS did as well.
Games and weather applications are collecting calendar data
Calendar data was accessed by more than 40 percent of the iOS games and more than 50 percent of the iOS weather apps scanned. Calendar data can be particularly sensitive, detailing not just when business meetings take place, but also the topics and invitees.
Ad and analytics frameworks put your most sensitive data at risk
Ad and analytics frameworks are commonplace in application development, with more than 60 percent of applications scanned using these frameworks. A framework that is misconfigured – or insecure to begin with – could be storing or transmitting a significant amount of highly specific and potentially sensitive data about users.
Logging methods can expose data to unauthorized third parties
During the early development of applications, logging can be critical to the process of correcting buggy code, but once an application is running on a user’s device, any logging left in place becomes a significant information-disclosure vulnerability. Approximately 95 percent of the applications scanned included logging methods.
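The defensive pattern behind this finding is a logging wrapper that emits nothing in release builds and redacts sensitive fields even in debug builds. The following is an added illustration written for this page, not code from the HPE report or from any of the scanned applications. It assumes a hypothetical BuildFlags.DEBUG constant standing in for Android’s BuildConfig.DEBUG, and writes to System.err in place of android.util.Log so it compiles as plain Java without the Android SDK.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/** Hypothetical build flag; in a real Android project use BuildConfig.DEBUG instead. */
final class BuildFlags {
    static final boolean DEBUG = false; // release build: nothing is logged
}

/** Logger wrapper: no-op in release builds, redacts sensitive values in debug builds. */
final class SafeLog {
    // Keys whose values must never reach a log line, even during development.
    private static final Set<String> SENSITIVE_KEYS = Set.of(
            "password", "token", "session", "latitude", "longitude", "email", "phone");
    // Crude pattern for things that look like tokens or long secrets inside free text.
    private static final Pattern LONG_SECRET = Pattern.compile("[A-Za-z0-9_\\-]{32,}");

    /** Renders the fields as key=value pairs with sensitive material replaced. */
    static String redact(Map<String, String> fields) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : fields.entrySet()) {
            if (sb.length() > 0) sb.append(' ');
            sb.append(e.getKey()).append('=');
            if (SENSITIVE_KEYS.contains(e.getKey().toLowerCase())) {
                sb.append("[REDACTED]");
            } else {
                sb.append(LONG_SECRET.matcher(e.getValue()).replaceAll("[REDACTED]"));
            }
        }
        return sb.toString();
    }

    /** Returns the line written, or null when the release build suppresses logging. */
    static String debug(String tag, Map<String, String> fields) {
        if (!BuildFlags.DEBUG) {
            return null; // release builds emit nothing; a shrinker rule can strip the call entirely
        }
        String line = tag + ": " + redact(fields);
        System.err.println(line); // stands in for android.util.Log.d(tag, line)
        return line;
    }

    public static void main(String[] args) {
        // Constructed sample fields of the kind a login handler might be tempted to log.
        Map<String, String> fields = new LinkedHashMap<>();
        fields.put("event", "login");
        fields.put("email", "user@example.com");
        fields.put("latitude", "37.7749");
        fields.put("note", "sessionid=" + "a".repeat(40));
        System.out.println("release-build output: " + debug("Auth", fields));
        System.out.println("redacted debug view:  " + redact(fields));
    }
}
```

With BuildFlags.DEBUG false the wrapper returns null and writes nothing; with it set to true the debug view still shows email, latitude and the embedded session id as [REDACTED], so a device log capture reveals only the event name.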
Developers, organizations and consumers alike should be cognizant of how this affects the security of personal and corporate data.
Build security in – start with secure code. The surest way of securing mobile applications is to code securely in the first place, and security test early and often. It’s significantly less expensive to build security into the development process than adding it to mobile applications already in production.
Implement automated scans and penetration testing. Organizations should build a holistic approach to their security programs that includes application scanning and penetration testing. Automated scanning helps catch both simple and complex mobile application security mistakes as they are made, while penetration testing can determine which vulnerabilities matter most.
Select applications wisely. If an application wants access to information that it should not need or that you do not understand, do not use the application. This could expose everything from contact data to geolocation data, which may not be necessary for the application to function.
Be wary of applications storing large amounts of data. Avoid using applications that appear to store a lot of data locally or access data that they shouldn’t.