In the age of the smartphone, apps are commonly used to make life easier. Many of these apps require personal information, especially mobile health and finance apps. Arxan, a security company, analyzed 126 of the most popular apps available to consumers and found that 90% of them were vulnerable to major security risks. What makes this so concerning is that most of the people who download and use these apps every day are unaware of how unsafe using them can be.
A look at the annual report
This data was taken from Arxan's fifth annual State of Application Security Report. The security users perceived and the actual security of the apps they used were not the same. John Pironti, a security expert, said that he was not really surprised by the results, because the same behavior was seen in the 1990s when websites and the internet became popular: users expect those producing these apps to have the technology and expertise to secure them properly, which is not necessarily the case. For the survey, 1,083 individuals from the U.S., UK, Germany, and Japan were asked questions about app security. 268 of the respondents were IT executives, while the remaining individuals were consumers of the 126 specific apps. 87 percent of the executives and 83 percent of consumers said they felt their mobile apps were adequately secure. 82 percent of executives and 57 percent of consumers believed the makers of these apps were doing everything they could to protect them from security issues. Only 46 percent of executives and 48 percent of consumers said yes when asked whether they believed their app could be hacked in the next six months.
Results and actual mobile risks
Of the 126 apps tested, 90% were vulnerable to at least two of the OWASP Mobile Top 10 risks. These ten risks are weak server side controls, insecure data storage, insufficient transport layer protection, unintended data leakage, poor authorization and authentication, broken cryptography, client side injection, security decisions via untrusted inputs, improper session handling, and lack of binary protections. Among health apps, 84 percent of those approved by the FDA and 80 percent of those approved by the NHS had at least two of these risks. A striking 98 percent of the apps offered no binary code protection (no obfuscation or anti-tamper measures), which means the app could be reverse-engineered, modified and repackaged, and 84 percent had insufficient transport layer protection, leaving data in transit exposed to interception.
How to make these apps more secure
Now that the data has been made available, what can be done to improve security for these apps? 80 percent of respondents said they would switch to a different app if the one they were using had a known vulnerability. Unfortunately, research cited by IBM shows that half of all companies have no money in their budget for mobile app security. One way executives and users might get apps to provide better security is to pay extra for it, which raises the question of whether the convenience an app provides is worth its price once its security problems are taken into account. There will still be users who believe a security attack could not possibly happen to them. We will have to see what the future holds for better mobile app security.