Anyone who feels safe about their mobile apps should recognize that the feeling is most likely a false sense of security.
That’s really the takeaway from a survey that was released this week by HP Fortify. The firm reported that 90 percent of mobile apps they tested contained at least one vulnerability. What’s even a bit scarier is that the testing focused only on Apple’s iOS, which has a reputation of being more secure than Android.
ZDNet reported that Mobile Fortify On Demand tested 2,107 apps from 601 Forbes Global 2000 companies. The story said that 86 percent lacked binary hardening protection. (There is no single crisp definition of binary hardening, though Wikipedia provides a decent one. In practice it means the compile- and link-time protections a build can turn on: position-independent executables, so the system can randomize the load address; stack canaries, which detect stack buffer overflows at runtime; and, on iOS, automatic reference counting, which removes the manual retain/release mistakes that lead to use-after-free bugs.) Eighty-six percent of apps that access address books, Bluetooth connections or other private data sources lacked sufficient security. The study found that 75 percent did not encrypt data before storage, 18 percent transmitted data over the network without SSL encryption at all, and the same percentage used SSL encryption, but incorrectly.
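To make the binary hardening finding concrete, here is a worked example, added to this page and not code from HP Fortify or ZDNet, of the check a tester runs against an iOS executable: read the Mach-O header for the PIE flag and look for the stack-canary and ARC runtime symbols the image imports. Header layout and constants follow Apple's mach-o/loader.h; the symbol-string search is a heuristic approximation of what `otool -I -v ... | grep` gives rather than a full walk of the LC_SYMTAB string table; the two sample images the script builds are constructed for the example and are not real app binaries, and the script assumes a thin (single-architecture) image.

```python
"""Check a thin Mach-O image for the protections grouped under "binary
hardening": PIE (ASLR-capable), stack canaries and ARC.

Added example, not code from HP Fortify or ZDNet. Constants follow
Apple's <mach-o/loader.h>; the sample images below are constructed for
this example and are not real app binaries.
"""
import struct
import sys

MH_MAGIC = 0xFEEDFACE        # 32-bit image, stored in file byte order
MH_MAGIC_64 = 0xFEEDFACF     # 64-bit image
MH_CIGAM = 0xCEFAEDFE        # 32-bit image, byte-swapped relative to reader
MH_CIGAM_64 = 0xCFFAEDFA     # 64-bit image, byte-swapped
FAT_MAGIC = 0xCAFEBABE       # universal (multi-arch) wrapper, big-endian
FAT_CIGAM = 0xBEBAFECA
MH_EXECUTE = 0x2             # filetype: main executable
MH_PIE = 0x200000            # flags bit: position-independent executable
CPU_TYPE_ARM64 = 0x0100000C

# An image imports these only if the feature was compiled in.
STACK_GUARD_SYMBOLS = (b"___stack_chk_guard", b"___stack_chk_fail")
ARC_SYMBOLS = (b"_objc_release", b"_objc_retain", b"_objc_storeStrong")


def parse_mach_header(data):
    """Decode mach_header / mach_header_64 at offset 0 of a thin image."""
    if len(data) < 28:
        raise ValueError("file too short for a Mach-O header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (FAT_MAGIC, FAT_CIGAM):
        raise ValueError("universal binary: extract one slice first (lipo -thin arm64)")
    if magic in (MH_MAGIC, MH_MAGIC_64):
        endian, is64 = "<", magic == MH_MAGIC_64
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        endian, is64 = ">", magic == MH_CIGAM_64
    else:
        raise ValueError("not a Mach-O image (magic 0x%08x)" % magic)
    # After magic: cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags.
    # mach_header_64 appends a 'reserved' word that is not needed here.
    cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags = struct.unpack(
        endian + "6I", data[4:28])
    return {"is64": is64, "cputype": cputype, "filetype": filetype,
            "ncmds": ncmds, "flags": flags}


def check_hardening(data):
    """Return which of the three protections the image carries.

    'pie' is None for non-executables (dylibs are position independent
    by construction, so the flag only means something for MH_EXECUTE).
    The symbol checks are a substring heuristic over the whole file,
    which catches the names in the string table but says nothing about
    how many functions the compiler actually instrumented.
    """
    hdr = parse_mach_header(data)
    pie = bool(hdr["flags"] & MH_PIE) if hdr["filetype"] == MH_EXECUTE else None
    return {
        "pie": pie,
        "stack_canary": any(s in data for s in STACK_GUARD_SYMBOLS),
        "arc": any(s in data for s in ARC_SYMBOLS),
    }


def build_sample(flags, imported_symbols):
    """Constructed minimal arm64 executable: a header with no load commands
    followed by a fake string table. For offline testing only."""
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE,
                         0, 0, flags, 0)
    strtab = b"\0" + b"".join(s + b"\0" for s in imported_symbols)
    return header + strtab


BASE_FLAGS = 0x85  # MH_NOUNDEFS | MH_DYLDLINK | MH_TWOLEVEL, typical for apps
HARDENED_SAMPLE = build_sample(
    BASE_FLAGS | MH_PIE,
    (b"_objc_msgSend", b"_objc_release", b"___stack_chk_guard", b"___stack_chk_fail"))
UNHARDENED_SAMPLE = build_sample(BASE_FLAGS, (b"_objc_msgSend", b"_malloc"))


def report(data, name):
    """Print the findings and return the list of missing protections."""
    findings = check_hardening(data)
    missing = [k for k, v in findings.items() if v is False]
    verdict = "OK" if not missing else "missing " + ", ".join(missing)
    print("%s: %s -> %s" % (name, findings, verdict))
    return missing


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            report(f.read(), sys.argv[1])
    else:
        report(HARDENED_SAMPLE, "hardened sample")
        report(UNHARDENED_SAMPLE, "unhardened sample")
```

Run it with no arguments to see the two constructed samples, or pass the path of an extracted app executable; an App Store binary is usually a universal image, so thin it to one architecture first, and treat a missing canary symbol as a prompt to inspect the build flags rather than as proof, since a tiny executable with no stack buffers may legitimately never reference the guard.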
Organizations can do a lot to protect themselves, of course. The first step is understanding precisely what a Web application vulnerability is. Hedley Hurwitz, the managing director of South African security firm Magix, provides a good refresher course, or a good article to send to the C-level executive who has to sign off on security purchase decisions. He explains how Web application vulnerabilities work and how attacks on them differ from other security challenges, and then addresses what must be done. The key is vigilance:
Unlike traditional application development architectures, Web-based applications cannot be tested in quality assurance environments alone and then trusted to behave securely thereafter. The only way to prevent intrusion via Web application vulnerabilities is to scan your live, public-facing Web applications regularly and test whether they are vulnerable to the latest techniques criminals use. These scans perform a range of simulated attacks against a Web site to see where it is vulnerable.
ICSA Labs also offers advice, via Dark Reading. The set of common-sense suggestions starts by echoing Hurwitz's point that analysis must be done on a dynamic basis, against the running application. ICSA also suggests due diligence when selecting a developer, building an enterprise app store, creating mobile device policies and sharing them widely with employees, and accepting and preparing for bring your own device (BYOD).
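The "simulated attacks" that Hurwitz describes and that ICSA's dynamic-analysis advice echoes come down to sending a marker the application should neutralize and reading what the live response does with it. The example below is added here and is not Magix's or ICSA Labs' scanner: it runs one such probe, a reflected-input check, against two constructed WSGI applications in the same process so it works offline, one that echoes a query parameter unencoded and one that HTML-encodes it. The app handlers, path and parameter names, and the canary string are all constructed for the example.

```python
"""Minimal dynamic (black-box) probe for unencoded reflection, the sink
behind reflected cross-site scripting, run in-process against two
constructed WSGI applications so it needs no network.

Added example; not a scanner from Magix, ICSA Labs or HP Fortify.
"""
import html
import urllib.parse
from wsgiref.util import setup_testing_defaults

# Marker carrying the characters an HTML encoder must neutralize.
CANARY = "zq9<'\"x>"


def vulnerable_app(environ, start_response):
    """Constructed sample: reflects the 'q' parameter into HTML unencoded."""
    qs = urllib.parse.parse_qs(environ.get("QUERY_STRING", ""))
    q = qs.get("q", [""])[0]
    body = ("<html><body>Results for: %s</body></html>" % q).encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body]


def hardened_app(environ, start_response):
    """Same page with the parameter HTML-encoded before it is reflected."""
    qs = urllib.parse.parse_qs(environ.get("QUERY_STRING", ""))
    q = qs.get("q", [""])[0]
    safe = html.escape(q, quote=True)
    body = ("<html><body>Results for: %s</body></html>" % safe).encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body]


def fetch(app, path, params):
    """Issue one GET to a WSGI app in-process; return (status, body text)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    environ["QUERY_STRING"] = urllib.parse.urlencode(params)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode("utf-8", "replace")


def probe_reflection(app, path, param):
    """Send the canary in one parameter and classify how it comes back.

    'reflected-unencoded' means the raw metacharacters reached the page,
    i.e. the parameter is an XSS sink; 'reflected-encoded' means the app
    neutralized them; 'not-reflected' means this parameter never reaches
    the response at all.
    """
    status, body = fetch(app, path, {param: CANARY})
    if CANARY in body:
        return "reflected-unencoded"
    if html.escape(CANARY, quote=True) in body:
        return "reflected-encoded"
    return "not-reflected"


def scan(app, targets):
    """Probe every (path, param) pair and return only the findings."""
    results = {}
    for path, param in targets:
        verdict = probe_reflection(app, path, param)
        if verdict == "reflected-unencoded":
            results[(path, param)] = verdict
    return results


if __name__ == "__main__":
    targets = [("/search", "q"), ("/search", "page")]
    print("vulnerable app:", scan(vulnerable_app, targets))
    print("hardened app:  ", scan(hardened_app, targets))
```

Against a real site the `fetch` function would be replaced by an HTTP client and the target list by the crawled set of pages and parameters, which is why such scans need written authorization and a schedule rather than a one-off run: the check is only as current as the last time it was executed against the live application.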