Arxan, an app security company, reviewed 126 of the most widely used apps in the health and finance categories. The results showed that 9 out of 10 apps (90%) shared the same problem: critical security vulnerabilities. The worrying part is that consumers do not realize just how many apps are truly a threat to their security.
This information was released in Arxan’s 5th annual State of App Security Report, which highlighted the gap between the level of security mobile apps are thought to have and their real security level. John Pironti, a security expert, stated that the results did not shock him, as they resembled the situation in the 1990s during the .com boom.
Pironti said, “Expectations are that the innovation creates large amounts of benefits and values and that smart solution producing vendors are working to create proper security.”
Arxan surveyed 1,083 people from various countries, including the UK, US, Japan, and Germany. Of those who responded, 268 were IT executives and 815 were consumers. The 126 apps chosen for testing also came from the same countries: the UK, US, Japan, and Germany.
The results of the survey showed that 87% of the executives and 86% of the consumers thought the apps used in the tests were “secured adequately.” Meanwhile, 87% of the executives also stated they felt that “everything was being conducted” to protect the apps, whereas only 57% of consumers thought the same way. Nevertheless, when asked whether their apps were likely to be hacked in the following months, 48% of consumers and 46% of executives answered “yes.”
When the apps were examined, those responses proved to be off the mark. A massive 90% of the apps were vulnerable to two or more of the OWASP Security Project’s Top 10 mobile risks. Here is the list:
- Weak server-side controls
- Insecure data storage
- Insufficient transport layer protection
- Unintended information leakage
- Poor authentication and authorization
- Broken cryptography
- Client-side injection
- Security decisions based on untrusted input
- Improper session handling
- Poor binary protection
Broken down by app category, the results were much the same.
84% of the FDA-approved health apps were found vulnerable to at least two of the ten risks, and 80% of them were also NHS-approved. Meanwhile, 98% lacked binary code protection, which could allow reverse engineering, while 84% showed poor transport layer protection.
In the financial sector, Arxan determined that 84% of cyber-attacks occurred at the application layer, and 92% of the financial apps were vulnerable to at least two of the ten risks.
When respondents were asked whether a known vulnerability, or a competitor app with stronger security, would cause them to switch apps, 80% stated they would make the change. However, IBM pointed out that its own recent research showed that 50% of mobile app companies have no budget for security. Additionally, an IBM-sponsored report determined that almost 12 million mobile devices had been infected by malicious code at some point.
For executives, the report suggested setting higher expectations regarding security and improving the weakest links, since security can be a competitive advantage. The report also suggested that users only download apps from authorized sources and avoid rooting or jailbreaking their devices. Additionally, consumers should demand transparency about the security of the apps they use.
Possibly the most effective way for executives and end users to push mobile app vendors to improve their security measures is to target their pockets.
Pironti said, “They can demand that organizations as well as developers include the results of an independent assessment by an unbiased third party that would indicate they are offering a reasonable level of security. In situations where they face a refusal, end users should opt for shopping with vendors who would meet their demands.”