Mobile apps riddled with high-risk vulnerabilities, warns report

Careful before installing that mobile app on your iOS or Android device. Mobile applications are riddled with vulnerabilities, according to research from security company Positive Technologies.

The news won’t come as much of a shock to anyone who has read GPEN’s 2014 study of app privacy failings; IOActive’s 2013 study of banking app security, nor its follow up in 2015, nor it’s investigation of stock trading app security in 2017; nor Arxan’s 2019 look at banking and finance app security.

Positive Technologies, which provides vulnerability management and threat analysis tools, reviewed 17 mobile apps in depth to see how secure they were. It found high-risk vulnerabilities in 43% of the Android apps. iOS fared only slightly better, with 38% of apps containing high-risk flaws.

Insecure data storage was the biggest security risk by far, found in 76% of applications. Examples of this flaw included storage of authentication PINs on the mobile device instead of on the server, increasing the risk of a leak – something 53% of applications were guilty of.

Another common mistake was the use of insecure snapshots. These are images that the smartphone takes to remember software’s current state when the user switches to another application. Apps should mask sensitive data such as credit card numbers when creating these snapshots to avoid the data leaking, but 65% failed to do so, said the report.

Insecure transmission of sensitive data and incorrect session management came in joint second, at 35%. Examples of insecure data transfer include the use of insecure HTTP communications, the report said. However, it added that insecure data transfer is far less common on iOS, probably due to the introduction of protective measures in iOS 9. We told you last year about Android apps’ problems with insecure oversharing.

The researchers pointed out that the software installed on mobile devices themselves is only one part of the equation. The other is the server component that the application talks with. These server-side apps are fruitful attack points for hackers, the report warned, explaining:

Protection of mobile application servers is no better than that of clients

Every server-side component that the researchers tested had at least one vulnerability that would enable an attack on a user.

These vulnerabilities included cross-site scripting (XSS) flaws (by far the most common at 86%). Information leakage, poor authorization, and the leaking of sensitive information in error messages all came in joint second at 43% each.

Examples of these flaws included sending a person’s full name and phone number in a server response during chat sessions. One app included a session ID in a document link, allowing attackers to hijack the legitimate user’s server session.

Another common high-risk server-side vulnerability was misconfiguration. For example, a server might have TRACE requests enabled (this is a feature that echoes HTTP requests back to the user for debugging purposes). That, combined with a cross-side scripting (XSS) vulnerability, could allow an attacker to steal cookies, said the report.

While developers are ultimately responsible for buggy applications, some users must share culpability, warned the company, for example, those who escalate their OS privileges on purpose (known as jailbreaking on iOS devices or rooting on Android ones) to sideload software or customize their interface. This can give an application unfettered access to the underlying system and data.

The report concluded:

Most of the discovered vulnerabilities were introduced during the design stage and result from failure to “think through” security-related questions. We recommend a methodical approach to designing and following through on mobile application security, regularly testing it starting from Day 1 of the software lifecycle.