On the eve of the ATARC Federal Mobile Technology Summit on August 30, 2018, NowSecure analyzed 88 publicly available mobile apps from across multiple U.S. federal government agencies. Overall, we found that 25% of 88 mobile apps have high and/or critical CVSS-scored vulnerabilities and over 20% do not comply with National Information Assurance Partnership (NIAP) requirements. NowSecure encourages ATARC attendees to visit us at Table 31 to see their organizations’ benchmark results.
A sampling of NIAP testing includes the following coverage:
- Random Bit Generation Services (FCS_RBG_EXT.1.1)
- Storage of Credentials (FCS_STO_EXT.1.1)
- Encryption Of Sensitive Application Data (FDP_DAR_EXT.1.1)
- Supported Configuration Mechanism (FMT_MEC_EXT.1.1)
- Use of Third Party Libraries (FPT_LIB_EXT.1.1)
- Protection of Data in Transit (FTP_DIT_EXT.1.1)
- Arbitrary Code Execution (FPT_AEX_EXT.1.4)
- Stack Smashing Protection (FPT_AEX_EXT.1.5)
Upon customer request, NowSecure used our automated mobile app security testing engine to analyze 88 mobile apps publicly available in the Google Play™ and the Apple® App Store®. Among the mobile apps, 44 are Android and 44 are iOS. Evaluating the apps for security vulnerabilities, compliance gaps and privacy exposure, we determined a grade using industry-standard CVSS scores while mapping findings to both NIAP and the OWASP MASVS. Apps scoring lower than 60 present a high degree of risk, while those scoring 80 or above are deemed low risk.
As shown in the bar graph below, the benchmark shows the NowSecure Security Risk Range for these apps spans from a low of 24 to a high of 100, revealing a wide range of risk results. The NowSecure Score Risk Range is a scoring algorithm based on the count and score values of all industry-standard CVSS-scored findings. Overall, the median score of all the mobile apps we analyzed was a cautionary 79 risk rating: 79 for Android and 79 for iOS. In reviewing the mobile apps with the best scores, less than half (47%) of all apps scored above 80 (the low risk range) on the NowSecure Risk Scale: 48% of Android and 46% of iOS apps.
The two charts below plot the overall NowSecure Risk Score based on CVSS findings (on a scale of 0-100) versus the count of findings for the Android apps and the iOS apps. The results show that 15 Android apps (Android, first plot below) and 7 iOS apps (iOS, second plot further below) failed because of critical and high risks.
In reviewing all the benchmark findings, the most common issues we encountered were local authentication, cookies, key size and iOS App Transport Security (ATS). The worst failures were exposure to sensitive data leakage, invalid or improper certificate use, the use of known vulnerable third-party libraries, and unencrypted credentials and personally identifiable information in local files and over HTTP.
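As an added illustration of the iOS ATS and cleartext-HTTP findings above (example code written for this post, not NowSecure's testing engine): a small audit of an app's Info.plist App Transport Security dictionary that tags each weakening setting with the NIAP requirement FTP_DIT_EXT.1.1 from the list above. The Info.plist content is constructed for the example and belongs to no real app.

```python
# Audit an iOS Info.plist's App Transport Security (ATS) block for settings that
# permit cleartext HTTP or downgraded TLS, the "iOS ATS" and "over HTTP" class of
# finding in the benchmark. Each hit is mapped to NIAP FTP_DIT_EXT.1.1.
import plistlib

REQ = "FTP_DIT_EXT.1.1"  # Protection of Data in Transit
GLOBAL_OPT_OUTS = {  # real ATS keys; True means the protection is switched off
    "NSAllowsArbitraryLoads": "all connections may use cleartext HTTP",
    "NSAllowsArbitraryLoadsInWebContent": "web view content may load over HTTP",
    "NSAllowsArbitraryLoadsForMedia": "media may load over HTTP",
}

def audit_ats(plist_bytes):
    """Return one finding dict per ATS weakness in the given Info.plist bytes."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    for key, why in GLOBAL_OPT_OUTS.items():
        if ats.get(key) is True:
            findings.append({"req": REQ, "scope": "global", "key": key, "detail": why})
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads") or \
           rules.get("NSThirdPartyExceptionAllowsInsecureHTTPLoads"):
            subs = " and subdomains" if rules.get("NSIncludesSubdomains") else ""
            findings.append({"req": REQ, "scope": domain, "key": "NSExceptionAllowsInsecureHTTPLoads",
                             "detail": "cleartext HTTP permitted for this domain" + subs})
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):  # ATS default minimum is TLS 1.2
            findings.append({"req": REQ, "scope": domain, "key": "NSExceptionMinimumTLSVersion",
                             "detail": "minimum TLS version lowered to " + tls})
    return findings

# Constructed sample Info.plist (hypothetical bundle id) with one global opt-out
# and one per-domain exception; not taken from any benchmarked app.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>gov.example.sample</string>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoadsInWebContent</key><true/>
    <key>NSExceptionDomains</key><dict>
      <key>legacy.example.gov</key><dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

if __name__ == "__main__":
    for f in audit_ats(SAMPLE_PLIST):
        print(f"[{f['req']}] {f['scope']}: {f['key']} -> {f['detail']}")
```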
As this benchmark analysis shows, building secure mobile apps is difficult. What’s more, full security testing of mobile apps is even harder. Organizations seeking to build and deliver secure mobile apps should automate mobile application security testing in their development processes. And security teams who need to approve apps for employee use should properly vet and monitor all third-party apps from public app stores.
The NowSecure platform automatically tests mobile app binaries using a triple-pass approach of static, dynamic and behavioral analysis on real mobile devices. This automated, multi-pass approach uses an attacker's point of view to yield thorough, highly accurate risk results based on industry-standard CVSS scores and maps findings to compliance regimes like NIAP and FISMA.
Stop by Table 31 at ATARC or reach out to obtain a free evaluation of a mobile app and learn about our solutions for safeguarding your mobile apps.