Vulnerable apps are changing mobile security landscape

banner

 

The study, based on a survey of 100 IT leaders and IT security executives from a range of industries at companies with an average of 23,000 employees, found that about three-quarters, or 74 percent, of companies have experienced a data breach that resulted from a mobile security issue. The most common issues included mobile apps that contained security vulnerabilities, at 38 percent, apps containing malware, at 36 percent, and unsecured Wi-Fi connections, at 30 percent, the report found.

There are three main ways that an app can be vulnerable to hackers:
1. Data transmission
Almost all mobile apps transmit and receive data between our devices and remote servers. This allows apps to update, send statistics, check licenses, monitor analytics and so on.

2. Data storage
As we use mobile apps, most of them store data locally on our devices. These often take the form of log files, which record our activities within an app, the strings we typed in it, cached data/reports and more.

3. 3rd party components
It’s quite common for app developers to release their products out to the market very quickly. As time is short, developers reuse components (SDKs) from 3rd parties to support the functionality they need.

iOS VS Android vulnerability

Apple and iOS
Apple’s walled garden App Store where applications are fully vetted before being made available to customers has prevented widespread malware infection of iOS users. As a centralized point of distribution, the App Store provides users with confidence that the apps they download have been tested and validated by Apple. Evidence of malicious malware showing up in the App Store is anecdotal at best, as Apple does not typically volunteer such information. However, it’s safe to assume that since Apple does not make APIs available to developers, the iOS operating system has fewer vulnerabilities.

Google and Android
Google provides a centralized market for mobile applications called Google Play. However, that is offset by the Android’s ability to install apps from third-party sources. Some are well-known and reputable such as Amazon. Others are not, and originate from malware hotspots in Russia and China. The criminal developers deconstruct and decompile popular apps like Angry Birds, and publish malicious versions and make them available for free. The number of threats on the Android platform continues to increase.

 

There are several things that app developers can do to improve the security of their apps like learn about secure coding and vulnerable SDKs to avoid common mistakes and deliver a secure app to your users. Embed security testing in the general quality assurance procedures; from unit testing to continuous integration. Use automated tools to statically and dynamically scan and test for vulnerabilities. Remove unneeded functionality from your code or stop the distribution of an app that is no longer supported.

Developers are not entirely responsible for eradicating vulnerable apps. Official mobile stores employ automatic security scanners to identify malicious apps. These can often be very difficult to detect and it requires lots of resources and attention. However, a lot of improvements can be made to help prevent the distribution of vulnerable apps. The most progress can be made in improving communication between the app stores and developers when issues arise. Developers should receive a notice once their app was found to be vulnerable. Apps that include popular development tools that were found vulnerable should be notified and asked to update the tool/SDK to a safe version. Developers should have sufficient time to release a fix, otherwise their app should be unlisted.