Benchmark Analysis Reveals Risky Mobile Apps in Apple® App Store® and Google Play™ storePosted by Brian Reed
Mobile has become the dominant communication platform for employees, customers and partners. The dramatic growth in mobile adoption over the past decade has culminated in more than 5 million Apple® App Store® and Google Play™ store apps in 2018. But in reality, the volume of these apps presents an equal number of potential points of risk for mobile users.
Sadly, mobile security is often left by the wayside as the customer demand drives faster mobile release cycles. In fact, a staggering 85% of the 45,000 mobile apps reviewed for this benchmark analysis violated at least 1 or more of the OWASP MASVS. This benchmark report identifies significant risks of data leakage in mobile apps with insecure data storage, insecure network communications and insecure coding practices that all organizations must address in their risk models and app security programs.
The NowSecure benchmark analyzed 45,000 public apps posted to Apple App Store and Google Play across a range of categories developed by vendors and organizationes of all sizes around the world, including Fortune 500 and Global 2000 organizations. The NowSecure platform automatically downloads and tests third-party app binaries using a complete approach of static, dynamic and behavioral tests on real mobile devices. This automated, multi-pass approach uses an attacker point of view to yield thorough and highly accurate risk results. All risk findings are graded using industry-standard CVSS scores and mapped to the OWASP MASVS.
OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. Initially developed for web apps, OWASP recognized that mobile OS platforms and apps vary widely and released a separate OWASP MASVS in 2013. The OWASP MASVS is intended to be platform-agnostic, focusing on areas of risk beyond just individual vulnerabilities and is weighted using the OWASP Risk Rating Methodology.
Overall, 85 percent of mobile apps violated one or more of the OWASP MASVS. As shown in the table, half of the tested mobile apps returned risk findings for insecure data storage and/or insecure communication. Nearly a third of mobile apps suffered from client code quality issues and vulnerabilities. A substantial portion of Android apps returned risk exposure to reverse engineering and/or extraneous functionality that could potentially be exploited.
Insecure Data Storage
Half of all mobile apps violated the OWASP MASVS for Insecure Data Storage. Tests for data storage risks include data leakage in local files and system logs, client-side injection and weak server-side controls. Critical data examined included account credentials, Personally Identifiable Information (PII), email address, geolocation, International Mobile Equipment Identity (IMEI) , serial number, WiFi info and more. Overall, Android apps had higher rate of violations than iOS mobile apps, with a shocking 52% of Android apps surfacing the “world writable executable” vulnerability. With the rise of strong privacy regulations, like GDPR, and the increasing potential for remotely accessible attacks, organizations should inspect mobile apps for privacy and protection of critical data.
Nearly half of all mobile apps violated the OWASP MASVS for Insecure Communication which leaves those mobile apps susceptible to man-in-the-middle (MITM) attacks. Tests for insecure communication risks include SSL/TLS/Cert issues, poor handshake and HTTP transfer of data in clear text. Critical data examined includes account credentials, PII, email address, geolocation, IMEI, serial number, wifi info and more. A surprising 30% of iOS mobile apps use insecure HTTP (not HTTPs) and more than 50% of iOS mobile apps do not use the recommended Application Transport Security (ATS) method for secure encrypted communications. Given the more highly exploitable MITM communications risks that do not require physical access to the device and strong privacy regulations, including GDPR, organizations should consider carefully how employee and customer data is being protected in transmission.
Insecure Authentication and Authorization
Authentication and authorization is a shining area of secure app development, where very few mobile apps across the test group had risks with CVSS scored vulnerabilities. Authentication tests for risks such as improper identity management and weak session management, while Authorization tests for risks such as improper local auth and forced browsing. Organizations can be more confident of access control and protection across most mobile apps.
Code and Implementation Issues
Code and implementation issues are predominantly found with Android Apps. While all iOS apps are automatically protected via Digital Rights Management (DRM), 62% of Android apps are not or improperly obfuscated, leaving them exposed reverse engineering from attackers. A full 82% of Android apps allow backup which may lead to data loss (although for most apps the user can configure to disable this feature). Additional risk findings of Android apps include 1465 allow arbitrary code execution, 1133 allow SQL injection and 112 have debug flag on. In addition, numerous mobile apps exhibilited vulnerabilities due to insecure 3rd party libraries.
Organizations, at a minimum, should disable allow backup in their mobile apps that contain employee and customer data, and otherwise inspect all mobile apps for risks of data leakage and other vulnerabilities. App developers on Android should strengthen their obfuscation.
All organizations must take into consideration the security risks in the mobile apps they build, buy and download. The NowSecure benchmark report shows substantial and frequent risks of data leakage in device storage, in communication and within coding practices themselves.
In response to these significant findings, organizations should assume all 3rd-party mobile apps found in app stores are untrusted until validated — no matter who the developer. Organizations should put controls in place to analyze and monitor 3rd party mobile app risk, including tracking inventory, adapting processes to include a risk analysis program and leveraging automated tools for in-depth testing and continuous monitoring. Given that mobile operating systems, architectures, development tools and security approaches are significantly different from traditional web and PC applications, more specialized training and appsec testing tools are required for secure mobile app development.