X-Ray reveals mobile app security fails
New free tool sees through the mobile application security smokescreen
Mobile application security is often under-explored, perhaps because it is perceived as a consumer-only problem, or as one easily avoided by following best practice.
However, the mobile application security threat to business is severe. A recent Ponemon Institute study, conducted on behalf of IBM Security and Arxan Technologies, found that 84 per cent of enterprises are very concerned about malware threats to their mobile applications, compared to 66 per cent who said the same about their IoT application environment.
The survey also found that a significant number (60 per cent) claimed that their organisation had been breached as the result of an insecure mobile application over the past 12 months. The survey showed that less than 30 per cent of mobile applications are tested for vulnerabilities. Some 44 per cent confessed to taking no measures to protect their mobile environment, while a concerningly low 32 per cent claimed to be taking urgent steps to secure the mobile application environment.
Researchers from High-Tech Bridge have been investigating a range of mobile applications and their backends, using a hybrid security testing approach and the machine learning technology baked into High-Tech Bridge’s award-winning Application Security Testing (AST) platform ImmuniWeb, and came up with some disturbing results.
An astonishing 88 per cent of APIs and web services used in mobile backends contain exploitable vulnerabilities allowing access to sensitive or even confidential data, while a significant 69 per cent have insufficient protection (such as a WAF) against common web attacks.
On Android specifically, the story didn’t improve, with the researchers finding at least one OWASP Mobile Top Ten vulnerability in 97 per cent of applications, while more than 78 per cent of applications have at least one high- and two medium-risk vulnerabilities. Additionally, one in every two applications contains hardcoded encryption keys, credentials or other sensitive data.
This was borne out in ad-hoc testing, using High-Tech Bridge’s new free application security testing tool, dubbed Mobile X-Ray.
Testing a new version of eBay’s Android app turned up a few surprises: one critical, five high- and two medium-risk vulnerabilities, to be exact.
The critical vulnerability turned out to be a hardcoded AES encryption key, which can jeopardize secure data storage and transmission within the mobile application. Full results are here.
However, the eBay app was not alone in this. A test of Microsoft’s Cortana app, also on Android, uncovered the same critical vulnerability, as well as three other high- and three medium-risk vulnerabilities. Full results are here.
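The hardcoded-AES-key finding above is the kind of defect a static check over decompiled Android source can catch. The following is an added example, not code from the article or from High-Tech Bridge's Mobile X-Ray; the regexes, function names and the Java fragment (including its key material) are constructed for illustration.

```python
"""Heuristic check for hardcoded AES keys in decompiled Android Java source.
Flags a SecretKeySpec built from a string or byte-array literal, and a base64
literal decoding to a valid AES key length (16/24/32 bytes) in a file that
references "AES". A key reaching SecretKeySpec through a variable is not
flagged: that needs data-flow analysis, not a line-level regex."""
import base64
import re

AES_KEY_LENGTHS = {16, 24, 32}
KEYSPEC_STRING = re.compile(r'SecretKeySpec\(\s*"([^"]*)"\s*\.getBytes\(')
KEYSPEC_BYTES = re.compile(r'SecretKeySpec\(\s*new\s+byte\[\]\s*\{([^}]*)\}')
BASE64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{20,}={0,2})"')

def b64_decoded_len(token):
    try:
        return len(base64.b64decode(token, validate=True))
    except ValueError:  # binascii.Error subclasses ValueError
        return None

def find_hardcoded_aes_keys(source):
    """Return (line_no, reason) findings for one decompiled Java file."""
    findings = []
    mentions_aes = '"AES' in source
    for no, line in enumerate(source.splitlines(), 1):
        m = KEYSPEC_STRING.search(line)
        if m:
            findings.append((no, f"SecretKeySpec from string literal ({len(m.group(1))} chars)"))
            continue
        m = KEYSPEC_BYTES.search(line)
        if m:
            n = len([b for b in m.group(1).split(",") if b.strip()])
            findings.append((no, f"SecretKeySpec from byte-array literal ({n} bytes)"))
            continue
        if mentions_aes:
            for tok in BASE64_LITERAL.findall(line):
                n = b64_decoded_len(tok)
                if n in AES_KEY_LENGTHS:
                    findings.append((no, f"base64 literal decodes to {n} bytes"))
    return findings

# Constructed decompiled fragment; the key material is made up for the example.
SAMPLE_JAVA = '''\
public class CryptoHelper {
    private static final String KEY_B64 = "MDEyMzQ1Njc4OWFiY2RlZg==";
    SecretKeySpec a = new SecretKeySpec("0123456789abcdef".getBytes("UTF-8"), "AES");
    SecretKeySpec b = new SecretKeySpec(keyFromField, "AES");  // not flagged: needs data flow
    SecretKeySpec c = new SecretKeySpec(new byte[]{1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16}, "AES");
    Cipher ci = Cipher.getInstance("AES/CBC/PKCS5Padding");  // 20 base64-safe chars, 15 bytes: ignored
}
'''
```

Running `find_hardcoded_aes_keys(SAMPLE_JAVA)` reports lines 2, 3 and 5 and skips line 4, which shows why a regex pass is a first filter rather than a substitute for the data-flow analysis a full scanner performs.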
Ilia Kolochenko, CEO of High-Tech Bridge, commented: “Unfortunately, most developers just don’t have enough resources, time or budget to properly test their mobile app before going to production. At High-Tech Bridge, we are excited to fulfil this gap and offer a unique online service for the benefit of the cybersecurity community and independent developers.
“We should, however, keep in mind that the most dangerous and detrimental vulnerabilities mainly lie in the mobile backend, which can be reliably detected using ImmuniWeb Mobile. It also provides advanced manual testing of business logic and can identify other complicated flaws that are often undetectable in fully automated tools.”
Android app APKs for testing purposes were sourced from www.apkmirror.com.