A new report claims the vast majority of mobile apps are riddled with cryptographic flaws. What are these flaws,...
and why are they so common to mobile apps? What can developers do to reduce these mobile application security risks?
Veracode's report, State of Software Security: Focus on Application Development, is yet another wakeup call for the application development community, with specific focus mobile application security risks. Well-known coding errors that introduce security vulnerabilities are still common place and when encryption is being used, it is more often than not badly implemented. Veracode's findings are based on 208,670 applications submitted for an independent assessment of software risks between October 2013 and March 2015, covering software developed by companies interested in application security.
The code analyzed by Veracode's cloud-based platform included apps written in mobile app development languages, compiled languages and traditional Web app development languages. Four out of five applications written in PHP, Classic ASP and ColdFusion included at least one of the OWASP Top Ten Web application security flaws, which is a free resource compiled by security experts from around the world. Those developing mobile applications fared no better; Veracode found that 87% of Android apps and 80% of iOS apps it analyzed had cryptographic flaws. Although less than 1% of applications didn't provide any sensitive data encryption, few actually managed to correctly protect user data. The main application security risks were insufficient entropy -- a key element required for strong encryption -- improper validation of certificates, cleartext storage of sensitive information and the use of weak or broken encryption algorithms. This failure to store sensitive data properly and to correctly communicate with other secure services puts user data at risk, particularly as mobile devices have multiple, always-on networking capabilities, usually hold very personal data and are often used in a work capacity.
Reducing the high incidence of mobile application security risks has to be made a priority by those managing application development teams. Splitting code into smaller, more manageable units can help reduce the number of errors that developers introduce when working under the stresses of short development cycles and continuous delivery. Most important though, is providing developers with the necessary training to code securely, so they can implement security controls, such as encryption, correctly. Veracode's data shows that organizations which leverage eLearning benefit from a 30% improvement in the flaw fix rate, compared to those that do not. This figure may, of course, reflect the fact that organizations that provide appropriate training may also have a better overall software development lifecycle strategy than those that neglect to provide adequate training.
Veracode also found that the type of security assessments an app is put through can affect the security of the finished product. Static analysis delivered the highest fix rate, which is probably because static analysis reports provide more actionable information, including the source file and line number where a problem exists, making it easier for developers to rectify. Static assessments tend to be run while the application is still being developed, while vulnerabilities found during dynamic testing are usually harder and costlier to correct. Developers need to appreciate each tool's strengths and weaknesses, and know how to use them to help find and fix errors. Development timetables have to allow for both static and dynamic testing, as they excel at finding different vulnerability categories, while time to eliminate mobile application security risks and flaws also has to be built in to project schedules.
Read about the CIO role in mobile app development for employees
Learn about the growth and direction of enterprise mobile app development tools
Find out what application wrappers can do for mobile security
Dig Deeper on Secure software development
Related Q&A from Michael Cobb
Expert Michael Cobb details how to argue for a multistep secure code review process, like Microsoft SDL, and the pros of secure coding practices. Continue Reading
Researchers developed a tool to help prevent improper certificate pinning that causes security issues. Expert Michael Cobb reviews the issue and the ... Continue Reading
Google Project Zero discovered a WPAD attack that could target systems running Windows 10. Expert Michael Cobb explains how the attack works and how ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.