While corporations widely recognize the convenience and productivity gains that mobile applications deliver to their customers and employees, too few realize that mobile apps can also present significant security and privacy risks. Imagine how it would feel to have attackers find and exploit vulnerabilities in your organization’s mobile apps before your mobile app security team discovers them.
It’s not difficult to find examples of mobile app data breaches that resulted in severe consequences, both in terms of money and corporate reputation. Consider these recent events:
- British Airways was recently fined $230 million for a web and mobile app breach that compromised some 380,000 card payments, revealing users’ personal and financial details. The fine is the largest to date under the new European Union General Data Protection Regulation (GDPR), which allows penalties of up to 4% of a company’s annual revenue.
- Under Armour last year suffered a data breach affecting 150 million users of its MyFitnessPal accounts; the company’s stock promptly dropped 3.8%.
- The New York Attorney General late last year settled with Equifax, Priceline, Western Union and others for failing to implement basic security in their mobile apps. The settlement requires the companies to enact comprehensive security programs to safeguard user data.
- Timehop suffered a breach that exposed names and emails for some 21 million users — “essentially its entire user base,” according to TechCrunch. Some 4.7 million users also had a phone number attached to their accounts.
- 7-Eleven Japan in July suspended its 7Pay app’s mobile payment feature after attackers exploited a password reset function to fraudulently charge $500,000 in purchases to other users. Seven & i Holdings scrapped the cashless payment feature in August as it struggled to resolve security issues.
A recent NowSecure benchmark test of 250 of the most popular Android apps was equally disturbing. We found 3 out of 4 apps leaked sensitive personal data that put users at risk of fraud and identity theft, including:
- 82% of brick-and-mortar retail apps and 92% of online retail apps
- 67% of travel apps
- 50% of financial and insurance apps
Android and iOS Security Issues
We’re not the only ones finding mobile security and privacy issues. The website CVE Details (cvedetails.com) tracks Common Vulnerabilities and Exposures (CVE) entries and maintains vulnerability data for Android and iOS from their inception to the present.
To date, CVE Details lists more than 2,500 Android vulnerabilities and more than 1,650 iOS vulnerabilities. Android’s issues peaked in 2017, with 843 vulnerabilities; iOS also peaked in 2017, with 387. Since then, Google’s remediation efforts appear to have paid off: only 414 Android vulnerabilities were recorded this year as of Oct. 31, while iOS vulnerabilities dropped to 229 for the same period. Keep in mind that CVE counts reflect publicly disclosed and catalogued issues, so they are a rough indicator of platform security rather than a precise measure.
The data shows that the mobile operating systems themselves are regularly found to contain vulnerabilities, and an app running on a compromised device cannot fully protect its own data. Organizations therefore must build mobile apps securely and proactively test them to confirm they are safe for use before release.
Amid all these issues, the security software firm Norton has this warning:
“It’s little surprise that, as consumers increasingly use their mobile devices for banking, connecting on social media, and making online purchases, cybercriminals are aiming their virus and malware attacks on iPhones, iPads, and Android devices. The iOS and Android operating systems, then, have become tempting targets for cyberthieves eager to access the most personal information of users.”
Given that smartphone apps account for 63% of total digital minutes, according to the Comscore “2019 Global State of Mobile” report, it stands to reason that attackers are going where the traffic is. Setting their sights on the rich mobile attack surface, hackers are targeting insecure Android and iOS apps to steal sensitive data.
Assess Apps with Automated Testing Tools
Companies can improve their defenses and better safeguard sensitive data by using automated mobile application security testing tools to test apps for security and privacy issues throughout the software development lifecycle.
For too long, organizations have tried to apply the same static source code security testing tools and methods they use for web applications to mobile apps, with predictably dismal results, as the NowSecure Privacy Benchmark above shows. Mobile apps are fundamentally different: they ship as compiled binaries, store data on a device the organization does not control, and talk to backends over networks that may be hostile. Those differences have to be taken into account when testing them for security and privacy issues.
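As an added illustration of what "mobile-specific" testing means, the script below is example code written for this page, not NowSecure's product or any real app's code. It inspects a decoded AndroidManifest.xml for packaging-level settings that a source-code scanner built for web apps never looks at: debuggable builds, cleartext HTTP, backup of app data, and app components exposed to other apps without a permission. The two manifests are constructed samples for a hypothetical package `com.example.shop`.

```python
"""Minimal Android manifest checks (example code, not a real tool).

Runs over a decoded AndroidManifest.xml (as produced by apktool or similar)
and reports settings that are specific to the mobile packaging layer.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: a weak manifest for the hypothetical package com.example.shop.
VULNERABLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.shop">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:debuggable="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <provider android:name=".CardProvider" android:authorities="com.example.shop.cards"
              android:exported="true"/>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>"""

# Constructed sample: the same app with the weak settings corrected.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.shop">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:allowBackup="false" android:usesCleartextTraffic="false">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <provider android:name=".CardProvider" android:authorities="com.example.shop.cards"
              android:exported="true" android:permission="com.example.shop.READ_CARDS"/>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>"""


def _attr(elem, name):
    """Read an attribute in the android: namespace (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _is_launcher(comp):
    """True for the launcher activity, which is expected to be exported."""
    for intent_filter in comp.findall("intent-filter"):
        for action in intent_filter.findall("action"):
            if _attr(action, "name") == "android.intent.action.MAIN":
                return True
    return False


def check_manifest(manifest_xml):
    """Return a list of human-readable findings for the given manifest text."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return ["no <application> element found"]
    findings = []
    if _attr(app, "debuggable") == "true":
        findings.append("application is debuggable: a debugger can be attached on-device")
    # allowBackup defaults to true; adb backup of app data is possible on older targets.
    if _attr(app, "allowBackup") != "false":
        findings.append("allowBackup is not false: app data may be extractable via adb backup")
    if _attr(app, "usesCleartextTraffic") == "true":
        findings.append("usesCleartextTraffic is true: plaintext HTTP is allowed")
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            exported = _attr(comp, "exported")
            # Before API 31, a component with an intent-filter is exported by default.
            implicit = exported is None and comp.find("intent-filter") is not None
            unguarded = _attr(comp, "permission") is None
            if (exported == "true" or implicit) and unguarded and not _is_launcher(comp):
                findings.append("%s %s is exported without a permission" % (tag, _attr(comp, "name")))
    return findings


if __name__ == "__main__":
    for label, manifest in (("vulnerable", VULNERABLE_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, check_manifest(manifest) or ["no findings"])
```

In practice a check like this is only one input to a mobile test pipeline; the manifest is extracted from the actual APK, and the static findings are combined with dynamic checks on the device (what the app writes to storage and logs, what it sends on the wire). Note also that from API level 31 onward, components with an intent-filter must declare `android:exported` explicitly, so the implicit-export rule above matters for apps targeting older API levels.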
But it doesn’t have to be difficult or expensive. Download our white paper to learn how automated mobile app security and privacy testing reduces risk. You’ll likely be pleasantly surprised at how easy it is to build a business case for adopting it given the current threat environment.