New Mobile Security Report Shows Most Apps Have Critical Vulnerabilities

Posted on Tuesday, November 10, 2015 by RICHARD HARRIS, Executive Editor

Checkmarx and AppSec Labs have released a new mobile app security report titled “The State of Mobile Application Security 2014-2015”. Among its findings: the typical app is exposed to an average of 9 different vulnerabilities, and where the vulnerabilities are built into the application's own code or logic, iOS and Android applications turn out to be almost equally exposed.
 
During 2014-15, AppSec Labs and Checkmarx tested hundreds of mobile applications of all types, including banking, utilities, retail, gaming and security-oriented applications. Among them were banking applications from high-street retail banks that handle the personal data of millions of private individuals. Even these applications, which undergo rigorous security testing, were found to suffer from critical vulnerabilities such as faulty authentication and data leakage.

The research set out to answer several questions: how secure is the average mobile application, how severe are its security issues, which security issues should mobile app developers most be aware of, and how can the development community act to improve application security at its core?

Some of the report's top findings:

- Each app is exposed to an average of 9 different vulnerabilities, 38% of which are of critical or high severity.

- 40% of the vulnerabilities detected in iOS applications were of critical or high severity, compared to 36% on Android.

- 50% of vulnerabilities are either personal/sensitive information leakage or authentication and authorization faults.

The report recommends the following mitigation practices for developers who want to improve app security:

Availability
- Perform input validation on all received intents and ignore badly formatted ones.
- Catch exceptions raised while handling external input, so that a crafted intent cannot crash the component through an unhandled system exception (a denial of service).

Authentication/Authorization
- Never trust the client. Validate on the server side, against the session, that the user requesting any page or action actually holds the required permission; a role or flag supplied by the client is not evidence of anything.
- Allow 3-5 failed login attempts. Once a user exceeds that number, require an active CAPTCHA or an alternative control before evaluating further attempts.
- Consider implementing two-factor authentication.
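The three authentication and authorization points above, as an added example that is not from the report or the article. It assumes a hypothetical in-memory server (`AuthServer`) holding users, sessions and failed-login counters; the client supplies only a session token and an action name, and any role or `is_admin` claim it sends is ignored, since the client is untrusted. Password verification uses PBKDF2 with a constant-time comparison so that a wrong guess against a valid or an unknown username costs the same.

```python
"""Server-side authorization and login throttling (added illustration)."""
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 5      # the report suggests 3-5
PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=b""):
    """Derive a PBKDF2-HMAC-SHA256 digest; a fresh salt is drawn if none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class AuthServer:
    """Hypothetical server: all decisions are made from state the server owns."""

    def __init__(self):
        self.users = {}       # username -> {"salt", "hash", "permissions"}
        self.sessions = {}    # session token -> username
        self.failed = {}      # username -> consecutive failed logins

    def add_user(self, username, password, permissions):
        salt, digest = hash_password(password)
        self.users[username] = {
            "salt": salt, "hash": digest, "permissions": frozenset(permissions)}

    def captcha_required(self, username):
        """True once the account has exceeded the allowed number of failures."""
        return self.failed.get(username, 0) >= MAX_FAILED_ATTEMPTS

    def login(self, username, password, captcha_solved=False):
        """Return a session token, or None on failure.

        After MAX_FAILED_ATTEMPTS consecutive failures the password is not even
        evaluated until a CAPTCHA has been solved, which throttles online
        guessing without permanently locking the legitimate user out.
        """
        if self.captcha_required(username) and not captcha_solved:
            return None
        user = self.users.get(username)
        # Unknown users still pay for a digest so timing does not reveal valid names.
        salt = user["salt"] if user else b"\0" * 16
        _, digest = hash_password(password, salt)
        if user is None or not hmac.compare_digest(digest, user["hash"]):
            self.failed[username] = self.failed.get(username, 0) + 1
            return None
        self.failed[username] = 0
        token = os.urandom(32).hex()
        self.sessions[token] = username
        return token

    def authorize(self, token, action, client_claims=None):
        """Permission comes from the server-side session only.

        client_claims (e.g. {"role": "admin"} sent in the request body) is
        accepted as a parameter to make the point explicit: it is never read.
        """
        username = self.sessions.get(token)
        if username is None:
            return False
        return action in self.users[username]["permissions"]


if __name__ == "__main__":
    srv = AuthServer()
    srv.add_user("alice", "correct horse", ["view_balance"])
    tok = srv.login("alice", "correct horse")
    print("view_balance:", srv.authorize(tok, "view_balance"))
    print("transfer_funds with client-claimed admin role:",
          srv.authorize(tok, "transfer_funds", client_claims={"role": "admin"}))
```

The CAPTCHA gate is checked before the password, so an attacker who has exhausted the allowance cannot keep probing with different passwords while the counter is high; the counter resets only on a successful login.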

Cryptography Weaknesses
- Because of the sensitivity of the information exchanged (for example a user ID and PIN code), the server must require the transport layer to be SSL/TLS.
- Use AES-128/256 rather than RC4. RC4's keystream is measurably biased, and its use in TLS has been prohibited by RFC 7465.
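Why the report singles out RC4, and how to enforce the transport requirement server side, as an added example that is not from the report or the article. The RC4 implementation is a textbook one written for this illustration; the experiment measures the published Mantin-Shamir bias (the second keystream byte is 0 roughly twice as often as a random byte would be), using keys drawn from a seeded PRNG so the run is reproducible. The `server_tls_context` function uses only Python's standard `ssl` module.

```python
"""RC4 second-byte bias and a TLS context with no RC4 (added illustration)."""
import random
import ssl


def rc4_keystream(key, length):
    """Generate `length` keystream bytes: key scheduling (KSA) then output (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def second_byte_zero_count(samples, seed=1):
    """Count how often the second keystream byte is 0 over `samples` random keys.

    Returns (observed, expected_if_unbiased). For an ideal stream cipher each
    byte value appears in about 1/256 of the samples; RC4 produces a 0 here
    in about 2/256 of them, which leaks plaintext bytes when many messages
    are encrypted under different keys.
    """
    rng = random.Random(seed)           # seeded: constructed, reproducible keys
    zeros = 0
    for _ in range(samples):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        if rc4_keystream(key, 2)[1] == 0:
            zeros += 1
    return zeros, samples / 256


def server_tls_context():
    """Server-side context that refuses anything below TLS 1.2 and has no RC4 suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Current OpenSSL builds do not offer RC4 at all; the check documents the
    # requirement and fails loudly on an old build that still does.
    if any("RC4" in suite["name"] for suite in ctx.get_ciphers()):
        raise RuntimeError("RC4 cipher suites enabled in TLS context")
    return ctx


if __name__ == "__main__":
    observed, expected = second_byte_zero_count(20_000)
    print(f"second keystream byte == 0 in {observed} of 20000 samples "
          f"(unbiased expectation about {expected:.0f})")
    print("enabled suites:", len(server_tls_context().get_ciphers()))
```

The context above still needs a certificate loaded with `load_cert_chain` before it can serve connections; the point here is the floor on the protocol version and the absence of RC4 suites, which is what the report's transport recommendation amounts to in practice.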

Information Disclosure
- Use strong obfuscation to make it harder for an attacker to retrieve useful data from the APK file. Obfuscation raises the cost of reverse engineering but does not make an APK's contents unrecoverable, so it is no substitute for keeping secrets out of the package.

Personal\Sensitive information Leakage
- Do not store sensitive information on the device.

Configuration Management
- Because configuration issues vary from application to application, implement a control mechanism that assures adequate configuration management across the app's build and deployment settings.
