Mobile application security fails to improve: report
By Chantal Tode
March 2, 2016
Application developers give a lot of lip service to how they safeguard users' personal data, but little actual improvement has been made in the past couple of years, according to a new report from Hewlett Packard Enterprise.
The mobile app space has come up so quickly that meeting growing demand sometimes comes at the expense of putting the proper security measures in place, as evidenced by the Ashley Madison breach in 2015. Little progress is being made, with HPE's study finding that 96.3 percent of 36,000 apps reviewed were flagged in at least one of 10 privacy checks.
"One of the most surprising findings from the report is that many applications are accessing data that's not necessary to the functionality of that app, putting that data at risk if it should fall into the wrong hands," said Maria Bledsoe, senior product marketing manager for HPE Security Fortify at Hewlett Packard Enterprise. For example, more than 50 percent of the applications HPE Fortify on Demand scanned for this study accessed geolocation data.
"This can create serious privacy implications in the event of an attack, as an attacker can gain access to the physical location of otherwise anonymous, unsuspecting users," she said.
Additionally, HPE found that calendar data was accessed by more than 40 percent of the iOS games and more than 50 percent of the iOS weather apps scanned. Calendar data can be particularly sensitive, detailing not just when business meetings take place, but also the topics and invitees.
Data collection goes awry
This is HPE's second mobile app security study. The first was published in the fall of 2013 and found that 97 percent of 2,000 apps reviewed accessed private information.
The situation has not improved in the more than two years since, despite significant industry focus on the topic. HPE found that personal information such as contacts, calendar data and geolocation information is being broadly accessed beyond the need for such data to operate an app.
App users' geolocation data is being collected by 52.1 percent of apps, a significant potential privacy violation when you consider that Ashley Madison's storage of such data enabled a reporter to pinpoint the location of otherwise anonymous users. What is more, the report found that more than 70 percent of iOS education apps, which are often marketed to children, access geolocation data.
Additionally, 11.5 percent of apps access users' contacts and 16.3 percent access calendar data. The apps collecting this information are not necessarily what would be expected, with 19.8 percent of finance apps collecting contacts, 41.9 percent of iOS games and 52 percent of iOS weather apps collecting calendar data.
App developers also often use third-party ad and analytics frameworks, potentially exposing sensitive data if extra care is not taken. Areas where data is commonly exposed by these third parties include caches, temporary files, system logs, URLs and unencrypted transmissions to backend servers.
HPE recommends that developers collect only the minimal amount of data that is necessary, check the device and application sandbox for files written by third-party frameworks and review them for sensitive data.
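One way to carry out the sandbox review described above, as an added example that is not from the HPE report or this article: a Python script that walks a copy of an app's sandbox pulled from a test device and flags lines that look like geolocation or contact data. The directory layout, the two regexes and the sample files are constructed assumptions.

```python
import os
import re
import tempfile

# Illustrative patterns (assumptions, not HPE's checks) for data the report names.
PATTERNS = {
    "geolocation": re.compile(
        r"\blat(?:itude)?=-?\d{1,2}\.\d+[&,; ]+(?:lon|lng|longitude)=-?\d{1,3}\.\d+",
        re.I),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}

def scan_sandbox(root):
    """Return sorted (relative_path, line_no, kind) for every suspicious line."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            # errors="replace" lets binary cache files be read without raising
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                for line_no, line in enumerate(fh, 1):
                    for kind, rx in PATTERNS.items():
                        if rx.search(line):
                            findings.append((rel, line_no, kind))
    return sorted(findings)

def build_sample_sandbox(root):
    """Write constructed sample files standing in for a pulled app sandbox."""
    samples = {
        # A hypothetical ad SDK caching a request URL that carries coordinates
        "Library/Caches/adsdk/requests.log":
            "GET https://ads.example.test/imp?lat=40.7128&lon=-74.0060&id=1\n",
        # A hypothetical analytics temp file holding a contact's address
        "tmp/analytics.tmp": "session=42\nuser=alice@example.test\n",
        # A file with nothing sensitive in it
        "Documents/settings.txt": "theme=dark\n",
    }
    for rel, text in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_sandbox(root)
        return scan_sandbox(root)

if __name__ == "__main__":
    for rel, line_no, kind in demo():
        print(f"{rel}:{line_no}: possible {kind}")
```

Running the same scan before and after exercising the app shows which files a bundled framework wrote during use.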
The report also found that 94.8 percent of apps include logging methods. Unnecessary logging can potentially expose data to unauthorized third parties, and developers need to understand that logging can be part of the package when third-party code is included in an app.
HPE recommends developers use macros to remove logging statements and frequently review the system log.
Other tips include using a static analyzer to identify code paths where data could be leaked, analyzing apps during and after use and reviewing interactions with third parties.
"Throughout the app development process, it is crucial to code securely, and security test early and often," Ms. Bledsoe said. Building security in from the very beginning is the surest way of securing mobile applications.
"It's significantly less expensive to build security into the development process than to add security to mobile applications already in production," she said.