A recent study showed that the vast majority of mobile apps built by large companies have security holes that could open the door to a serious malware infection in the future.
Hewlett-Packard (HP) analyzed 2,100 mobile applications from more than 600 Forbes Global 2000 companies and found that nine in 10 contained potential vulnerabilities. The most common security weaknesses included the misuse of unencrypted data, poor development practices, unencrypted data storage and the use of insecure protocols for transmitting data.
The analysis reflected a development process that places security at a lower priority than making apps available as quickly as possible. The weaknesses also show inexperience at securing applications, the study's authors said.
HP only tested apps that run on Apple iOS, but the company said its findings would apply to Google Android apps as well.
Tested applications spanned categories from finance and marketing to productivity and lifestyle. The most common vulnerabilities were as basic as failing to use binary protections, which amounts to checking a box in a software development kit before compiling an application.
Binary protections prevent buffer overflows and make it more difficult for hackers to reverse-engineer an app in search of further vulnerabilities or to make a counterfeit version.
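As an added illustration (not code from the HP study or from this article), the check below looks for one of the header-level "binary protections" the paragraph refers to, assuming the study's term covers the PIE build setting that lets iOS randomize an app's load address: it parses the Mach-O header of a thin binary and reports whether the PIE flag is set and whether an executable stack was requested. The sample headers are constructed inline.

```python
import struct

# Mach-O header constants as defined in <mach-o/loader.h>
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # native byte order
MH_CIGAM, MH_CIGAM_64 = 0xCEFAEDFE, 0xCFFAEDFE   # byte-swapped
MH_EXECUTE = 0x2                                 # filetype: main executable
MH_PIE = 0x200000                                # image may be loaded at a random address
MH_ALLOW_STACK_EXECUTION = 0x20000               # image asks for an executable stack
CPU_TYPE_ARM64 = 0x0100000C

def parse_macho_header(data: bytes) -> dict:
    """Decode the fixed-size mach_header / mach_header_64 of a thin image."""
    if len(data) < 28:
        raise ValueError("buffer too short for a Mach-O header")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic in (MH_MAGIC, MH_MAGIC_64):
        endian = "<"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        endian = ">"
    else:
        raise ValueError("not a thin Mach-O image (fat binaries must be sliced first)")
    magic, cputype, _subtype, filetype, _ncmds, _sizeofcmds, flags = struct.unpack_from(
        endian + "IiiIIII", data, 0)
    return {"cputype": cputype, "filetype": filetype, "flags": flags,
            "is64": magic == MH_MAGIC_64}

def audit_binary_protections(data: bytes) -> dict:
    """Report the header-level hardening bits a shipping app binary should carry."""
    hdr = parse_macho_header(data)
    return {
        "pie": bool(hdr["flags"] & MH_PIE),
        "nx_stack": not (hdr["flags"] & MH_ALLOW_STACK_EXECUTION),
        # MH_PIE only matters for MH_EXECUTE images; dylibs are always relocatable
        "main_executable": hdr["filetype"] == MH_EXECUTE,
    }

def _constructed_header(flags: int) -> bytes:
    # Constructed sample: 64-bit arm64 executable header with zero load commands.
    return struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE, 0, 0, flags, 0)

BASE_FLAGS = 0x1 | 0x4 | 0x80          # MH_NOUNDEFS | MH_DYLDLINK | MH_TWOLEVEL, set by the linker
HARDENED = _constructed_header(BASE_FLAGS | MH_PIE)
UNHARDENED = _constructed_header(BASE_FLAGS)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read(32) if len(sys.argv) > 1 else UNHARDENED
    for name, ok in audit_binary_protections(data).items():
        print(f"{name:16s} {'ok' if ok else 'MISSING'}")
```

Run it with the path to an app's main executable to audit a real build; without an argument it audits the constructed unhardened sample.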
HP also found that the majority of apps did not properly encrypt data before storing it on a device. Further, the Web servers these apps connected to were found to be vulnerable to common attack techniques, such as SQL injection and cross-site scripting, which could be launched through the mobile app.
Other security problems included one in five apps sending usernames and passwords over HTTP rather than HTTPS, the secure version of the transport protocol. In addition, the same number of apps implemented HTTPS incorrectly.
Privacy violations turned up as well, with HP finding apps that sent chat logs, geo-location data and contact lists to third-party websites.
Mobile application security: Haste before safety
"What's dominating now is to get these new features out as fast as possible," Mike Armistead, vice president and general manager of HP enterprise security products, said. "Software has always suffered from this. People who write the software are really thinking of the capabilities, and they're not thinking about how someone would break this."
Developers are under little pressure to apply more time-consuming security practices because there has never been a major malware infection on mobile devices. A recent study by the Georgia Institute of Technology and security vendor Damballa found that the infection rate for mobile devices globally was 0.0009%, or less than the odds of dying in a cataclysmic storm in the U.S.
However, the trend in personal computing shows desktop and notebook sales declining while tablet and smartphone shipments rise. Eventually, the latter will become a target worthy of a lot more attention from cybercriminals, so developers should start preparing for the inevitable now by building better security into their apps, experts said.
"The smart security play is to assume it's a matter of 'when' rather than 'if' malware [will] become a problem," Charles Henderson, director of Trustwave's SpiderLabs division, said.
While the HP study focused on large companies, startups also contributed to the number of vulnerabilities in mobile apps, according to Joe DeMesy, senior security analyst at Phoenix-based consulting firm Bishop Fox. The young innovators, DeMesy noted, often don't have the money for secure development. "That's where a lot of these vulnerabilities are coming from -- startups that are cutting corners, so they can get to market faster," he said.
HP argued that the study is a warning to companies that they have failed in mobile application security. To fix the problem, companies need to assess their apps more closely to at least know the risks.
"Once you know the risks, you can decide which ones you're going to fix and which ones you're going to take a chance on," Armistead said. "Software ships with bugs; software is going to ship with vulnerabilities. But it's the enterprise's responsibility to decide on how well they're going to protect their users."