This holiday season, many of us plan to celebrate at home and are turning to mobile apps for entertainment. Taking selfies with elves to share with friends, playing games with remote grandparents, and running a virtual Secret Santa gift exchange on Zoom are just a few of the fun holiday activities that mobile apps enable.
In light of this seasonal activity, NowSecure analyzed a mix of 75 publicly available holiday mobile apps in the Apple® App Store® and Google Play™ for security and privacy risks. The apps tested included Santa trackers, holiday photos, holiday games, holiday music, holiday lists, gift giving and more. Overall, the results of our benchmark testing were disappointingly poor.
Among the holiday apps we tested, 94% have security issues and 82% leak private data which indicates users should proceed with caution.“
NowSecure Benchmark Methodology
Using the NowSecure automated mobile app security testing engine, we analyzed 40 Android and 35 iOS holiday apps for security vulnerabilities, compliance gaps and privacy exposure. Our analysis looks for security and privacy risks such as insecure authentication, unencrypted data, insecure communication, and data leakage of personally identifiable information (PII) like username/password, email, phone number, device ID/IMEI, geolocation and more.
NowSecure determines a grade using industry-standard CVSS scores while mapping findings to the OWASP MASVS. The NowSecure Score Risk Range is a scoring algorithm based on count and score values of all CVSS findings, the industry-standard method for rating IT vulnerabilities and determining the level of risk exposure.
On an overall risk range of 0-100, apps scoring 80 and above are deemed low risk; apps in the 60 to 80 range require caution; and those scoring lower than 60 present a high degree of risk and strong consideration not to use. We correlated this to school grades such as A, B, C, D and F.
Our benchmark analysis of holiday apps shows the following results:
- The average risk score is C- with Android apps scoring an average of 73 and iOS an average of 68.
- Only 4 mobile apps scored an A.
- The majority of mobile apps scored a C.
- 20 mobile apps scored an F. Among those:
- Four apps have 15 or more vulnerabilities.
- Five apps are vulnerable to man-in-the-middle attacks.
- The worst scoring app is exposed to Remote Code Execution.
How to Have Safe Holiday App Experiences
Overall we find that 85% of public app store apps have cybersecurity issues and 70% leak private data, so the seasonal holiday apps are even riskier. The security and privacy weaknesses in these apps often stem from developers lacking security and privacy skills and the absence of proper testing practices throughout the mobile app development and release process.
If you’re a user of holiday mobile apps, then please choose carefully. While these apps may look fun, they could potentially put you at risk. Download apps only from the official app stores that have been created by reputable companies and that have high ranking reviews. Limit the amount of personal information you supply in these apps and be careful when making financial transactions or in-app purchases. Read our blog post on mobile security best practices for users to better protect their privacy. And if you really like your app creator or have a concern, send a note asking how it is protecting your security and privacy.
If you’re a mobile app developer, and be sure to properly conduct security and privacy testing of apps as you develop them and seek training to learn about best practices for secure coding. In addition, if the app performs financial transactions, perform an expert full-scope penetration test to ensure it’s safe for your customers.
Book a demo of NowSecure Platform to see how the automated mobile application security testing solution delivers speed, accuracy and efficiency for mobile DevSecOps teams.