HP: Mobile Apps Aren't Secure, Allow Access to Private Data
Nearly all mobile applications present a risk to users, according to a new report from Hewlett-Packard's software division. In a study of 2,107 applications published by 601 companies on the Forbes Global 2000, HP found that 97 percent of the apps in some way accessed private information on the user's device.
HP scanned applications to see which ones were accessing private information, and then tested the applications that accessed private information for security vulnerabilities, Maria Bledsoe, HP senior manager for product marketing, told eWEEK. "While some of these apps may have a legitimate reason to access private information, the addition of security vulnerabilities puts that private information at risk," Bledsoe said.
The HP study found that 86 percent of mobile apps do not use proper binary protections, which can shield applications against memory overflow attacks and can also restrict the ability of attackers to reverse engineer code which could then potentially be exploited.
Adding further insult to injury, HP's analysis indicated that 75 percent of the surveyed mobile apps do not properly leverage data-encryption techniques for user data. As to what techniques developers should employ, Bledsoe said that there are specific implementation options based on the mobile operating system version.
"The key point is that developers should use their operating system's recommended method of encrypting data as opposed to writing to the file system without encryption or using a custom implementation," Bledsoe said.
Encryption is also a weak link for data in transit, from the mobile device to the Internet. Since the beginning of the Internet era, Secure Sockets Layer (SSL) encryption has been the cornerstone of Web security for servers and desktops. SSL is also a must-have technology on mobile devices, though it is not being correctly implemented, according to HP's data.
The HP study found that of the 82 percent of apps that employ SSL, only 18 percent actually use it correctly. The incorrect usage of SSL can enable an attacker to intercept traffic and perform a man-in-the-middle attack.
From HP's perspective, given the flaws found, Bledsoe stressed that building in security measures from the start is essential to application security.
"Even if an application is built by a third party, running a security assessment test before procuring or releasing a mobile application can help find and remediate a majority of vulnerabilities," Bledsoe said. "By prioritizing security early in the application development, security flaws can be resolved before deployment."
For the study, HP used its own Fortify on Demand (FoD) scanning technology to test the apps. HP's FoD for Mobile is designed to give corporations a look into mobile apps' privacy and security flaws while remaining low cost, requiring less time, and not requiring source code, Bledsoe said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.