Mobile Applications and Security Vulnerabilities
There are over 2 billion smartphone users in the world today. The enormous rise in the use of smartphones globally has also led to a surge in the usage of mobile applications. There are over 2.2 million Android-based applications in the Google Play Store and over 2 million iOS applications in Apple's App Store.
Applications, in general, are becoming a dominant form of digital interaction, and they are no longer limited to smartphones. Applications are developed and used for wearable devices, for devices connected in the Internet of Things, smart cities and smart homes, and so on. These devices communicate with each other via applications, which makes application security all the more important. Security is critical, and applications should therefore be free of security vulnerabilities, but that is not the case: applications do have security vulnerabilities.
Some of the common security vulnerabilities in mobile applications are explained below.
Weak Server-side Components:
Mobile applications communicate with servers using APIs. Requests arriving through these APIs must be properly verified and authenticated before access to back-end services is granted. The absence of proper verification and authentication leads to security vulnerabilities.
Weak server-side vulnerabilities include cross-site scripting and cross-site request forgery, weak authentication systems, injection attacks, and so on.
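As an added illustration of the two points above (this is example code written for this post, not code from any particular app or server), the block below shows a back-end that authenticates each API request with a signed, time-limited header before serving it, and looks users up with a parameterised query so that request values can never be spliced into SQL. The shared key, the header names and the in-memory user table are all constructed for the example.

```python
import hashlib
import hmac
import sqlite3
import time

# Hypothetical shared secret held by the mobile client and the API server.
# In a real deployment it comes from a key store, never from a hard-coded literal.
API_KEY = b"example-shared-secret-do-not-use"
MAX_SKEW_SECONDS = 300  # reject requests whose timestamp is more than five minutes off


def _canonical(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Bind every field the server relies on into one message to be signed."""
    body_digest = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_digest}".encode()


def sign_request(method: str, path: str, body: bytes, timestamp: int) -> dict:
    """Client side: produce the headers that authenticate this request."""
    mac = hmac.new(API_KEY, _canonical(method, path, timestamp, body), hashlib.sha256)
    return {"X-Timestamp": str(timestamp), "X-Signature": mac.hexdigest()}


def verify_request(method: str, path: str, body: bytes, headers: dict, now: int) -> bool:
    """Server side: accept only requests that are signed, untampered and fresh."""
    try:
        timestamp = int(headers["X-Timestamp"])
        presented = headers["X-Signature"]
    except (KeyError, ValueError):
        return False  # unsigned or malformed request
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False  # stale request, or an old one replayed
    expected = hmac.new(API_KEY, _canonical(method, path, timestamp, body),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison: does not leak how many leading bytes matched.
    return hmac.compare_digest(expected, presented)


def build_user_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the back-end user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def find_email(conn: sqlite3.Connection, username: str):
    """Parameterised lookup: the username travels as a bound value, never as SQL text."""
    row = conn.execute("SELECT email FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    now = int(time.time())
    body = b'{"account":"alice"}'
    headers = sign_request("POST", "/v1/balance", body, now)
    print("valid:", verify_request("POST", "/v1/balance", body, headers, now))
    print("tampered body:", verify_request("POST", "/v1/balance", b'{"account":"bob"}', headers, now))
    print("replayed an hour later:", verify_request("POST", "/v1/balance", body, headers, now + 3600))
    conn = build_user_db()
    print(find_email(conn, "alice"))
    print(find_email(conn, "alice' OR '1'='1"))  # injection-shaped input matches no row
```

The signature covers the method, path, timestamp and a hash of the body, so changing any of them invalidates the request, and the timestamp window bounds how long a captured request stays usable. The same pattern applies whether the client sends a shared-key MAC as here or a bearer token issued by an identity provider: verify before you serve.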
Data Leakage and bad storage practices:
Mobile applications collect a lot of data. Some of the data collected by applications is required for them to function, but unnecessary data is collected as well, which is a cause for concern. It is critical that the collection of data by apps doesn't compromise a user's privacy. An unsecured app could leak the user's private data. Various studies have shown how mobile apps collect users' personal information and then leak that same data to agencies or third parties.
Here are some common ways mobile applications expose user data:
- Using a misconfigured or insecure ad and/or analytics framework. A framework that is not properly configured or doesn't implement proper security measures can become the channel through which a user's personal and sensitive information is collected and exposed.
- Unencrypted data transmission between the app and the back-end server.
- Unnecessary logging by applications, which becomes a point at which data is exposed to unauthorized third parties.
- Android applications have the option of storing data on external storage, which is a point of vulnerability because the application cannot trust that the files have not been modified.
- When users sync their data to a cloud platform that is not secure, the risk of exposing the data to unauthorized access increases.
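Two of the leakage paths listed above, unnecessary logging and untrusted external storage, lend themselves to small defensive checks in code. The block below is an added example written for this post, not code from any app or framework: a logging filter that redacts e-mail addresses, bearer tokens and card-like numbers before a line is written, and a small writer/reader pair that attaches an HMAC tag to a file placed in shared storage so that an edit made outside the app is detected on read. The redaction patterns, the storage key and the sample record are constructed for the example; on a real device the key would live in the platform keystore.

```python
import hashlib
import hmac
import json
import logging
import re
import tempfile
from pathlib import Path

# Patterns for values that should never reach a log line. Constructed for this
# example; a real app would extend the list with its own token and ID formats.
_REDACTIONS = [
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "<email>"),
    (re.compile(r"(?i)(bearer\s+)[A-Za-z0-9._-]+"), r"\1<token>"),
    (re.compile(r"\b\d{13,19}\b"), "<card-number>"),
]


def redact(text: str) -> str:
    """Strip personal data and credentials from a string before it is logged."""
    for pattern, replacement in _REDACTIONS:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Handler filter that rewrites each record so sensitive values never hit the log."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())  # format first, then scrub
        record.args = ()
        return True


STORAGE_KEY = b"example-app-storage-key"  # hypothetical; keep in the device keystore


def write_external(path: Path, data: dict) -> None:
    """Write a record with an HMAC tag so tampering in shared storage is detectable."""
    payload = json.dumps(data, sort_keys=True).encode()
    tag = hmac.new(STORAGE_KEY, payload, hashlib.sha256).hexdigest()
    path.write_bytes(tag.encode() + b"\n" + payload)


def read_external(path: Path) -> dict:
    """Return the stored record only if its tag verifies; raise otherwise."""
    tag, _, payload = path.read_bytes().partition(b"\n")
    expected = hmac.new(STORAGE_KEY, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("external file failed integrity check")
    return json.loads(payload)


def tamper_demo() -> tuple:
    """Round-trip a record through a temp file, then edit it 'from outside' and re-read."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "prefs.json"
        write_external(path, {"theme": "dark", "premium": False})
        clean = read_external(path)
        # Simulate another app on the shared storage flipping a flag in the file.
        path.write_bytes(path.read_bytes().replace(b"false", b"true"))
        try:
            read_external(path)
            detected = False
        except ValueError:
            detected = True
    return clean, detected


if __name__ == "__main__":
    log = logging.getLogger("app")
    handler = logging.StreamHandler()
    handler.addFilter(RedactingFilter())
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    log.info("login ok for %s using Bearer %s", "alice@example.com", "eyJ.abc_def")
    print(tamper_demo())
```

The integrity tag only detects modification; it does not hide the contents, so anything confidential still belongs in the app's private storage (or encrypted) rather than on external storage with a tag. The filter is attached to the handler, so every logger that routes through it is covered, including third-party libraries the app did not write.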
Weak Encryption & Security Protocols:
Mobile applications become prone to external attacks in the absence of strong encryption algorithms and security protocols. Attackers use information stored in cookies and environment variables to bypass security controls and access the data on the mobile device. Mobile applications need to be built with current, strong encryption algorithms that meet modern security requirements.
Below are some facts from the HPE 2016 Cyber Security Report:
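To make "strong encryption algorithms and security protocols" concrete, here is an added example (written for this post, not code from any app or from Kryptotel's products) that places the pattern to avoid beside the pattern to use: a fast unsalted hash as a password verifier versus a salted, iterated PBKDF2-HMAC-SHA256 verifier, plus a TLS client context that validates certificates and refuses anything below TLS 1.2. The iteration count and the sample passwords are chosen for the example.

```python
import hashlib
import hmac
import secrets
import ssl
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # chosen for this example; raise as hardware gets faster


def weak_hash(password: str) -> str:
    """The pattern to avoid: one fast, unsalted hash. Equal passwords give equal
    output, and the digest is cheap to brute-force or look up in a precomputed table."""
    return hashlib.md5(password.encode()).hexdigest()


def derive_verifier(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted, iterated PBKDF2-HMAC-SHA256 verifier; returns (salt, key)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key


def check_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = derive_verifier(password, salt)
    return hmac.compare_digest(candidate, stored_key)


def strict_client_context() -> ssl.SSLContext:
    """TLS client context that validates the server certificate and hostname
    and refuses legacy protocol versions."""
    ctx = ssl.create_default_context()           # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2 # no SSLv3, TLS 1.0 or TLS 1.1
    return ctx


if __name__ == "__main__":
    print("weak, same for every user:", weak_hash("hunter2"))
    salt, key = derive_verifier("hunter2")
    print("salt:", salt.hex(), "key:", key.hex())
    print("correct password accepted:", check_password("hunter2", salt, key))
    print("wrong password rejected:", not check_password("hunter3", salt, key))
    ctx = strict_client_context()
    print("minimum TLS:", ctx.minimum_version.name, "verify:", ctx.verify_mode.name)
```

Two users with the same password get different verifiers because each gets its own salt, and the iteration count makes each guess expensive for an attacker who obtains the stored values. On the transport side, the context is the one the app should hand to its HTTP client; disabling certificate checks to make a test environment work is exactly the weakening this section warns against.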
- 52.1% of applications accessed geolocation data
- 70% of education applications on iOS accessed geolocation data
- 11.5% of applications accessed contacts
- 40.9% of social networking applications accessed contacts
- 19.8% of finance applications accessed contacts
- 16.3% of applications accessed calendar data
- 41.9% of iOS game applications accessed calendar data
- 52% of iOS weather applications accessed calendar data
- 61.7% of applications used ad or analytics frameworks to expose data
- 64.8% of health applications used ad or analytics libraries to expose data
- 53.2% of medical applications used ad or analytics libraries to expose data
- 43.8% of finance applications used ad or analytics libraries to expose data
- 94.8% of applications include logging methods
- 70.6% of applications can access external storage
(Link to the detailed report: https://saas.hpe.com/sites/default/files/resources/files/Mobile%20Report%20ver%2010.2.pdf)
-Captain Krypto 🙂
Kryptotel is an IT Security Services and Product Development Company specializing in Cyber Security and Secure Communications. Kryptotel develops secure communication applications with strong encryption and security features. Feel free to consult Kryptotel for your cyber-security challenges. www.kryptotel.net.