News

Security Report Details Top iOS, Android Vulnerabilities

• By David Ramel
• July 19, 2017

WhiteHat Security has published its 12th annual report on application security statistics, featuring a new mobile section that details the top issues found in Android and iOS apps.

The "WhiteHat Security Application Security Statistics Report" for the first time features data from NowSecure, whose mobile app security intelligence engine consumes data from hundreds of thousands of assessments based on dynamic or static analyses of Android and iOS apps.

NowSecure identified a security issue in 26 percent (percentages rounded off) of tested Android apps, with the No. 1 reported problem -- found in 90 percent of apps found to have vulnerabilities -- being "allowBackup" flags set to "true," which reportedly could allow attackers to back up a device's app folder and extract private data from the contents.

"If the allowBackup flag is enabled, it could allow for easier access to the app files stored on the mobile device," the report said. "The severity of this issue is 'Medium' and it is caught 90 percent of the time during a static scan of Android apps."

The second-most common issue was a lack of basic obfuscation of source code, which could put intellectual property at risk if someone reverse-engineered an app. The report said that risk -- also classified as Medium in severity -- was caught 80 percent of the time during static scans.

Other data points in the Android section included:

• The top three Google Play categories for apps with security issues were news, games and lifestyle.
• Of tested apps that included a finding, there was an average of 2.28 issues per app.
• NowSecure identified a high-risk security issue in 21 percent of Android apps tested.
• Of those apps that included a high-risk finding, there was an average of 2.36 high-risk issues per app.

On the iOS side of things, the study found cookies being set without a "Secure" flag was the top security issue, found in 30 percent of apps. "A cookie within the app was not marked 'Secure' and therefore may be transmitted over HTTP even if the session with the host is secure," the report said. "The severity of this issue is Medium and it is caught 30 percent of the time during a dynamic scan of iOS apps."

Other issues found were cookies being set without an "HTTPOnly" flag (26 percent) and sensitive data in transit with no encryption (19 percent).

Apple App Store categories with most issues were music, news and finance.

The report pointed out the unique security challenges faced by mobile developers.

"There are visual cues for security and encryption for Web applications (HTTPS, browser warnings) that are not present for mobile apps," it said. "In analyzing the data from the NowSecure mobile app security intelligence engine for this report, the most common findings on both platforms had to do with session-level events, from cookies and session handling to lack of encryption of sensitive data like logins and passwords, and weak key size."

The mobile app security posture is further threatened by mobile development often being done faster and with less concern about security than traditional Web applications, the report said.

There are also other challenges specific to mobile development.

"An average phone connects to over 160 different IP addresses during the day, with about a third of the information flowing in and out of a phone unencrypted (SMS, some emails, etc.)," the report said. "Within Android, for example, there are 'normal' permissions that are granted by the system when requested by an application, and other, more 'dangerous' permissions that are granted by the user. In terms of what an app will share with other apps, the developer needs to carefully implement the appropriate limitations, keeping in mind the idea of least privilege."

The full report, which includes many more sections in addition to mobile, contains aggregated data from actual code-level analysis of billions of lines of code in Web sites, Web applications and mobile apps, said WhiteHat Security, which used its Sentinel tool to inspect applications, components and shared libraries. The report contains data collected in 2016 by analyzing 15,000 Web applications and more than 65,600 mobile apps.