While many in mobile security are focused on finding and detecting new malware, the problem of properly securing mobile apps and the sensitive data they handle is rampant and still growing. Last week we published the 2016 NowSecure Mobile Security Report, which provides visibility into the state of mobile security, including high-risk security issues found in mobile apps using our research team's dynamic analysis system.
Apps are Still Leaking Usernames and Passwords
Our research shows that a large number of apps are sending usernames and passwords in easily interceptable form over the network [1]. After running the top 400,000 Android applications (all apps with more than 1K installs) downloaded from Google Play through our dynamic analysis system, we found that almost 0.60% (2,400) of these apps are leaking usernames and 0.45% (1,800) are leaking passwords. The scale of the problem may seem minuscule considering the overall size of the app store, but if we consider the install base of each of these apps, we find that they have been downloaded 160 Million and 130 Million times respectively. Another way to understand the impact is that potentially 160 Million usernames and 130 Million passwords have been leaked by applications over various network types. A single insecure WiFi connection is enough to expose this sensitive data. Every day this number grows, as most of these applications remain available on Google Play for download.
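The two leak categories the study counts, credentials sent over plain HTTP and credentials sent over TLS whose certificate validation the app has disabled, can be checked mechanically on captured traffic. The following is an added example of such a check, not NowSecure's own analysis system; the capture records, the `tls_verified` flag and the list of credential field names are constructed assumptions for this example.

```python
"""Flag captured app requests that send credentials in interceptable form.

Added example (not the report's tooling). For each captured request it decides
whether a credential-bearing form field travelled over plain HTTP or over a TLS
connection whose certificate validation the app had switched off.
"""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Field names commonly used for credentials (assumption for this example).
CREDENTIAL_FIELDS = {"username", "user", "login", "email", "password", "passwd", "pwd"}


def credential_fields(body: str) -> set:
    """Return the credential-like field names present in a form-encoded body."""
    present = {name.lower() for name in parse_qs(body, keep_blank_values=True)}
    return present & CREDENTIAL_FIELDS


def classify(request: dict) -> Optional[str]:
    """Classify one captured request (keys: 'url', 'body', 'tls_verified').

    Returns 'plaintext_http', 'broken_tls', or None when no credential leaks.
    """
    if not credential_fields(request.get("body", "")):
        return None
    scheme = urlsplit(request["url"]).scheme.lower()
    if scheme == "http":
        return "plaintext_http"
    if scheme == "https" and not request.get("tls_verified", True):
        return "broken_tls"
    return None


def summarize(requests: list) -> dict:
    """Count leaking requests per category, the same split the report uses."""
    counts = {"plaintext_http": 0, "broken_tls": 0}
    for req in requests:
        verdict = classify(req)
        if verdict:
            counts[verdict] += 1
    return counts


# Constructed capture from a hypothetical app under test (not real traffic).
SAMPLE_CAPTURE = [
    {"url": "http://api.example.test/login", "body": "username=alice&password=hunter2", "tls_verified": True},
    {"url": "https://api.example.test/login", "body": "user=bob&pwd=s3cret", "tls_verified": False},
    {"url": "https://api.example.test/profile", "body": "theme=dark", "tls_verified": True},
]

if __name__ == "__main__":
    print(summarize(SAMPLE_CAPTURE))  # {'plaintext_http': 1, 'broken_tls': 1}
```

In a real pipeline the `tls_verified` flag would come from the instrumented TLS layer of the test harness (for example, observing whether the app accepted an untrusted test certificate), which is the part this example assumes rather than implements.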
Users Need to Use More Caution
We hope users choose different passwords for different organizations to contain the impact of a username/password leak; however, the research shows that 50% of people reuse the same password across different sites. Based on this number we can say, statistically speaking, that in the worst case 65 Million (130 Million x 50%) users have been leaking their bank, corporate account, email, and social network passwords over the network without their knowledge due to password reuse. Combine this with the fact that approximately 7.6% of WiFi connections are insecure and 84% of people connect to WiFi every day, and we get a sizable number of users giving out their passwords every day without their knowledge at coffee shops, conferences and other venues on insecure WiFi. In the worst case, 130 Million x 84% x 7.6% = 8 Million users are making their passwords available for harvesting by malicious users every day, and of course 4 Million of these users use the same password everywhere! Bonus: http://xkcd.com/792/
The results are part of the 2016 Mobile Application Security Study. To download the full report, click here.
[1] 84.0% of the leaky apps are sending username/password over HTTP; 16% have broken SSL.