Cybercriminals are increasingly targeting mobile apps for attacks, due in part to lax security standards, according to a Thursday report from WhiteHat Security. The majority of mobile apps—85%—violate one or more of the Open Web Application Security Project (OWASP) Mobile Top 10, meaning they contain at least one common security vulnerability that can be exploited, the report found.
Half of the 15,000 applications analyzed in the report violated the OWASP standard for insecure data storage—the most common risk found. This means they may include data leakage in local files and system logs, client-side injection, and weak server-side controls. Android apps had a higher rate of violations in this area than iOS apps, the report found: 52% of Android apps included the world writable executable vulnerability, which could put data at risk—especially concerning for businesses, as GDPR is now in effect.
Close to half of all mobile apps tested also violated the OWASP standard for insecure communication, leaving those apps vulnerable to man-in-the-middle attacks. Some 30% of iOS apps still use insecure HTTP (compared to HTTPs), and more than 50% of iOS apps do not use the recommended Application Transport Security (ATS) method for secure encrypted communications, the report found.
SEE: Encryption policy (Tech Pro Research)
On the other side of the spectrum, apps fared the best in authentication and authorization practices, according to the report. Very few mobile apps tested had CVSS-scored vulnerabilities, the report found, meaning developers are better at implementing access control and protection in mobile apps.
"Businesses are transitioning from traditional applications and legacy systems, to web and mobile applications that are purpose-built to serve up superior customer experiences," WhiteHat Security CEO Craig Hinkley said in a press release. "However, the downside of changing the software lifecycle to speed up the process is the inherent introduction of risk. Therefore, any organization that fails to build security into its app development process is willfully being left exposed to those ever-present threats."
Business professionals should take the following steps to ensure their mobile devices are secure, the report recommended:
- Assume all third-party mobile apps found in app stores are untrusted until validated, no matter who the developer is
- Put controls in place to analyze and monitor third-party mobile app risk, including tracking inventory. Adapt business processes to include a risk analysis program, and use tools for in-depth testing and continuous monitoring
- Offer more specialized training and AppSec testing tools to mobile app developers to improve security practices
For more tips on how developers can build secure mobile apps, click here.
The big takeaways for tech leaders:
- 85% of mobile apps violate at least one OWASP Mobile Top 10 security standard. — WhiteHat, 2018
- The most common mobile app security standard violations were in insecure data storage and insecure communication. — WhiteHat, 2018
- 15 books every programmer should read (free PDF) (TechRepublic)
- DevOps: Where it's going and how to make the most of it (ZDNet)
- How to become a developer: 7 tips from the pros (TechRepublic)
- Man-in-the-middle attacks: A cheat sheet (TechRepublic)
- Man-in-the-disk attacks: A cheat sheet (TechRepublic)
- How to break into the mobile app business with little cash and no programming skill (ZDNet)
- 4 scrum best practices to keep your app development projects on track (TechRepublic)
Alison DeNisco Rayome has nothing to disclose. She does not hold investments in the technology companies she covers.
Alison DeNisco Rayome is a Senior Editor for TechRepublic. She covers CXO, cybersecurity, and the convergence of tech and the workplace.