In analyzing 126 of the most popular mobile health and finance apps, app security company Arxan found that 90% of them had one thing in common—major security vulnerabilities. What’s even more concerning is that many consumers in the space don’t realize how many of these apps are unsafe.
The data comes from Arxan’s fifth annual State of Application Security Report, wherein the company found a great disparity between the perceived security of mobile apps in the space and the reality of their level of security.
Security expert John Pironti said he wasn’t surprised by the results, and that these are some of the same trends and behaviors that emerged in the late 1990s and the dot-com boom.
“The expectation was that this new innovation was driving tremendous benefit and value and that the vendors producing solutions are smart and building in security properly,” Pironti said.
Arxan surveyed 1,083 individuals in the US, UK, Germany and Japan. Of the respondents, 268 were IT executives and 815 were consumers. The 126 apps that were tested came from the US, UK, Germany, and Japan as well.
In surveying these folks, 87% of executives and 83% of consumers said that they felt their mobile apps were “adequately secure.” Additionally, 82% of executives and 57% of consumers said that they believe “everything is being done” to protect their apps. When asked if they thought their app was likely to be hacked in the next six months or so, 46% of executives and 48% of consumers said yes.
However, those responses didn’t quite line up with what was found when the apps were examined.
Of the apps examined, a staggering 90% were vulnerable to at least two of the OWASP Security Project’s top 10 mobile risks. For those interested, here’s the top 10 list from 2014:
- M1: Weak Server Side Controls
- M2: Insecure Data Storage
- M3: Insufficient Transport Layer Protection
- M4: Unintended Data Leakage
- M5: Poor Authorization and Authentication
- M6: Broken Cryptography
- M7: Client Side Injection
- M8: Security Decisions Via Untrusted Inputs
- M9: Improper Session Handling
- M10: Lack of Binary Protections
If we break it down by the genre of app, it doesn’t look much better.
Of the health apps approved by the FDA, 84% were vulnerable to at least two of these risks, and 80% of apps approved by the NHS were as well. Also, 98% of the apps did not have binary code protection, meaning they could potentially be reverse-engineered, and 84% had poor transport layer protection.
In the financial sector, Arxan found that 84% of cyber attacks are happening at the application layer. Of the financial apps tested for this report, 92% were vulnerable to at least two of the top ten mobile application risks mentioned earlier.
When respondents were asked if they would switch apps over a known vulnerability, or if a competing app was known to be more secure, 80% said that they would. However, as IBM pointed out in its recent research, half of all companies have zero budget set aside for mobile app security. An additional IBM-sponsored report found that, at any given time, there are nearly 12 million mobile devices infected with malicious code.
For executives, the report recommended setting high expectations for your security, strengthening your weakest links, and making security your competitive advantage. For users, the report recommended only downloading apps from authorized sources, avoiding jailbreaking or rooting your device, and demanding transparency about your app’s security.
One major way that end users and executives alike can pressure mobile application vendors into providing better security is by speaking with their wallets.
“They can require the organizations and developers that are offering applications to them to provide independent assessment results from unbiased and capable third parties that show that they are providing commercially reasonable security on a regular basis,” Pironti said. “If they do not, then the end user should choose to spend with those that will.”