It is much simpler for corporate security pros (or anyone concerned about privacy or security in mobile computing) to just assume every app and device is glaringly insecure unless proven otherwise.
Despite improvements in patching, deployment and more attention to security in the apps themselves, 96 percent of mobile apps have at least one major security flaw, and the average number of vulnerabilities per application has actually risen from 13 to 14 compared to last year, according to a Feb. 19 report from Cenzic Inc.
Most of the flaws highlighted in the 2014 edition of Cenzic’s Application Security Trends Report would be preventable, however, using widely recognized safe coding practices and server configurations, as well as adding policy-based behavioral controls using web application firewalls (WAF) or other techniques. Eighty percent of apps demand too many privileges or handle data in ways that endanger the privacy of users; 23 percent of vulnerabilities were information leaks in which the app inappropriately disclosed sensitive information. A quarter of the flaws came from weaknesses in preventing cross-site scripting attacks; 15 percent came from authentication errors, and 13 percent from poor session management.
“In the three years that we have compiled this study, the frequency of application vulnerabilities discovered has remained consistently, astoundingly high,” according to Bala Venkat, chief marketing officer for Cenzic. “While some improvements in the development process have been made, other newer areas of vulnerability have emerged.”
Poor maintenance and lack of response is a problem as well. Seventy percent of Android devices contain a bug in the WebView programming interface that was discovered 14 months ago, a bug that is the target of a new Metasploit attack module, according to a Feb. 18 Ars Technica story.
Google released a fix for the problem in November, but 70 percent of Android devices are still vulnerable, either because carriers haven’t updated them quickly enough, or because users don’t know how to update their own machines, according to Tod Beardsley, engineering manager at security firm Rapid7 and an engineering lead on the Metasploit Framework.
Android may be risky, but iOS is no better, and maybe a little bit worse, according to a Feb. 18 report from mobile risk-management vendor Appthority. Of the most popular 200 iOS and Android apps, 95 percent exhibit at least one risky behavior, according to that report. Of the 400 top apps on both platforms, iOS is a little riskier, with 91 percent exhibiting risky behavior compared to 83 percent of Android apps.
The behaviors (nearly all of which could be programmed out, or were included purposely as features) cover a wide range, according to Appthority. Seventy percent allow location tracking; 69 percent access social networks; 56 percent identify users; 53 percent are integrated with ad networks; 51 percent allow in-app purchasing; 31 percent allow address books or contact lists to be read.
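The over-privileging and risky behaviors the two reports count are, on Android, largely visible in the permissions an app declares in its manifest, which is the first thing a reviewer checks before installing an app on a managed device. The script below is an added example, not code from the article, Cenzic or Appthority: it parses a manifest, maps real Android permission names onto the behavior categories listed above (the grouping is this example's own assumption), and flags any permission outside an allowlist the reviewer supplies for what the app's stated purpose actually needs. The sample manifest for a hypothetical flashlight app is constructed for the example.

```python
"""
Added example: audit an Android manifest for permissions that correspond to
the "risky behaviors" counted by mobile app risk reports (location tracking,
address book access, user identification, in-app purchasing).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Real Android permission names; the mapping onto behaviour categories is
# this example's own assumption, not a classification from either report.
RISKY_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "location tracking",
    "android.permission.ACCESS_COARSE_LOCATION": "location tracking",
    "android.permission.READ_CONTACTS": "address book access",
    "android.permission.READ_PHONE_STATE": "user identification",
    "android.permission.GET_ACCOUNTS": "user identification",
    "com.android.vending.BILLING": "in-app purchasing",
}

# Constructed sample manifest for a hypothetical flashlight app. It is not a
# real application; it exists only to exercise the audit.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Flashlight"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the list of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission")
            if el.get(NAME_ATTR)]


def audit_manifest(manifest_xml, expected):
    """Audit a manifest.

    expected: the set of permissions the app's stated function actually needs
    (the reviewer's allowlist). Anything outside it is reported as unexpected,
    and any permission in RISKY_PERMISSIONS is grouped by behaviour category.
    """
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    behaviours = {}
    for perm in perms:
        category = RISKY_PERMISSIONS.get(perm)
        if category:
            behaviours.setdefault(category, []).append(perm)
    unexpected = sorted(p for p in perms if p not in expected)
    return {
        "package": root.get("package"),
        "behaviours": behaviours,
        "unexpected": unexpected,
    }


def main():
    # A flashlight needs the camera (for the torch) and nothing else; the
    # allowlist is the reviewer's assumption about the app's purpose.
    report = audit_manifest(SAMPLE_MANIFEST, {"android.permission.CAMERA"})
    print("package:", report["package"])
    for category, perms in sorted(report["behaviours"].items()):
        print("  %-22s %s" % (category + ":", ", ".join(perms)))
    print("  unexpected permissions:", ", ".join(report["unexpected"]))


if __name__ == "__main__":
    main()
```

The allowlist is the important part: a permission such as INTERNET is harmless in isolation but, combined with location and contacts access in an app that has no reason to need any of them, it is the data-leak path the Cenzic and Appthority numbers describe. Run against a manifest extracted from a real APK (for example with aapt or apktool), the same check gives an installable/not-installable decision for a managed fleet.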