Nearly nine out of 10 mobile apps are likely to have security vulnerabilities that could be exploited. This is according to the findings of a new study conducted and released by HP Fortify, the enterprise security unit of Hewlett-Packard. The same research also found that even corporate mobile apps are not spared from potential security holes.
HP Fortify used its own ‘Fortify On Demand for Mobile’ program to test about 2,107 apps published by about 600 developers listed on the Forbes Global 2000. It clarified that its study tested only iOS apps, but said that similar problems could exist in Android apps.
Lack of security measures
In the findings it released to the media, HP Fortify disclosed that up to 86% of the apps it tested lack ‘binary hardening protection.’ Those apps access potentially private data sources such as Bluetooth connections and address books, and they lack sufficient security measures to protect that information from unauthorized access.
HP Fortify also found that up to 75% of the mobile apps covered in the study do not encrypt data before it is stored on a mobile device. That data includes documents, passwords, and chat logs, among others. This is a risky practice, as it makes the apps more vulnerable.
Insufficient SSL encryption
Moreover, up to 18% of the mobile apps were found to transmit data over the network without using SSL encryption. Another 18% were found to use SSL but to do so incorrectly, leaving those apps still at risk of being compromised.
At the same time, HP Fortify discovered that up to 71% of all mobile app vulnerabilities were caused by server problems. This means that the issues could be traced to shortcomings on the apps’ server end.
HP Fortify recommends
HP Fortify’s study did not stop at identifying the possible problems of mobile apps. It also drew conclusions that offer suggestions to mobile developers. The security group advises developers of mobile apps to follow best practices so that they can keep their companies and users from being exposed to possible attacks.
It highly recommends scanning apps with tools like its own Mobile Fortify on Demand. HP Fortify also recommends penetration testing and the adoption of various secure coding development approaches. These findings are quite surprising to some users who have always thought that iOS apps are spared from such security issues.