A new Checkmarx and AppSec Labs study has some upsetting revelations about mobile security
A report that cybersecurity experts Checkmarx and AppSec Labs released today has found a set of critical flaws in how developers are writing code for mobile apps that could put a lot of people at risk.
Over the course of the past year, these two companies carried out an audit of hundreds of mobile apps, testing them for vulnerabilities. Among those reviewed were banking apps and others containing essential personal information.
Their review found an average of nine vulnerabilities per app. Amit Ashbel of Checkmarx notes that while some of the security holes that turned up could be considered low-level threats, a shocking 38% posed a significant risk and could cause serious damage to users.
Founded in 2006, Checkmarx works with over 700 clients to identify vulnerabilities in coding from the start, working with developers to offer solutions that they say can save time while producing more secure apps.
Why the mobile industry is lagging behind on security
Ashbel explains that the root cause of many of these issues is vulnerabilities written into the code during the development stage. Hackers can later exploit these vulnerabilities after the product has been released, endangering a company’s data.
He says that most developers never pick up on the basic elements of how to write secure code while they are at school, so they are unaware of security best practices once they enter the job market.
Another issue he points to is a general lack of awareness in the industry of how widespread this problem really is, and of the costs it can impose on a company in the long run.
This problem shows itself in the tension between developers and security teams, with the former focused on what Ashbel calls functionality and finishing the project on deadline, while the latter is more concerned with shipping a more secure product, even if that means delays.
What is worse is that many of these poor practices for writing code have already been identified, and yet developers continue to make these mistakes, which are showing up in far too many apps on the market.
iOS or Android – who is more secure?
The short answer to this question is that neither is really that secure upon closer inspection. “The mobile application industry as a whole is lagging behind on secure coding best practices,” says Ashbel.
He explains that there is a myth that iOS devices are harder to hack. In fact, Ashbel says, the study turned up far more vulnerabilities in code for iOS apps than in code for Android apps. What he says protects many Apple devices is the App Store, which is guarded like a fortress, and the way the company controls which apps are allowed into its ecosystem. Android devices, on the other hand, are often put at risk by the inherent flexibility of their more open system.
While Apple may have built the walls high around its App Store, those efforts may be for naught as hackers find other avenues to penetrate its defenses. Miscreants can successfully target weaker points of entry such as the servers, various web channels, or the app itself.
Gaps in an app’s security design can at times be face-palm-inducing. In one example that Ashbel has written about, Starbucks’ app threw simple encryption out the window by storing a user’s password in plain text. Anyone who opened the app could easily see what the password was, negating the need for any actual hacking to take place.
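The Starbucks mistake described above, persisting a user's password in a readable local file, is something a team can check for before release. The following Python script is an added example, not code from the report or from Checkmarx or AppSec Labs: it walks an app's data directory and flags credential-named keys whose values are readable strings in the formats mobile apps commonly use for local settings (Apple XML plists, JSON, and key=value properties files). The sample data directory, including the hypothetical com.example.app.plist, is constructed for this example. The usual fix is not to persist the password at all but to keep a server-issued session token in the platform keychain or keystore, which is why the sample's session.json is deliberately not flagged.

```python
"""Audit an app's local data directory for credentials stored in plain text.

Added example (not from the report or from Checkmarx/AppSec Labs). It parses
Apple XML plists, JSON and Java-style .properties files and flags every
credential-named key that holds a non-empty string. All sample files below
are constructed for this example.
"""
import json
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Key names that should never hold a readable value on disk.
CREDENTIAL_KEY = re.compile(r"(password|passwd|pwd|secret)", re.IGNORECASE)


def _walk_json(obj, path=""):
    """Yield (key path, leaf value) pairs from a parsed JSON document."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _walk_json(val, f"{path}/{key}")
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from _walk_json(val, f"{path}[{i}]")
    else:
        yield path, obj


def _walk_plist(elem, path=""):
    """Yield (key path, leaf value) pairs from an Apple XML plist element.

    A <dict> holds alternating <key> and value children; leaves without
    text (<true/>, <false/>) are reported as None.
    """
    if elem.tag == "plist":
        for child in elem:
            yield from _walk_plist(child, path)
    elif elem.tag == "dict":
        children = list(elem)
        for key_el, val_el in zip(children[0::2], children[1::2]):
            yield from _walk_plist(val_el, f"{path}/{key_el.text}")
    elif elem.tag == "array":
        for i, child in enumerate(elem):
            yield from _walk_plist(child, f"{path}[{i}]")
    else:
        yield path, elem.text


def _walk_properties(text):
    """Yield (key path, value) pairs from a key=value properties file."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, val = line.split("=", 1)
        yield "/" + key.strip(), val.strip()


def find_plaintext_credentials(root):
    """Return [{'file': relative path, 'key': key path}] for each
    credential-named key that holds a non-empty string value."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        if path.suffix == ".json":
            pairs = _walk_json(json.loads(text))
        elif path.suffix == ".plist":
            pairs = _walk_plist(ET.fromstring(text))
        elif path.suffix == ".properties":
            pairs = _walk_properties(text)
        else:
            continue  # binary or unknown format: out of scope for this check
        for key_path, value in pairs:
            leaf = key_path.rsplit("/", 1)[-1]
            if CREDENTIAL_KEY.search(leaf) and isinstance(value, str) and value.strip():
                findings.append({"file": path.relative_to(root).as_posix(), "key": key_path})
    return findings


# Constructed sample of an app's data directory, mixing safe and unsafe entries.
SAMPLE_FILES = {
    "Library/Preferences/com.example.app.plist": (
        '<plist version="1.0"><dict>'
        "<key>username</key><string>alice</string>"
        "<key>password</key><string>hunter2</string>"  # the Starbucks-style mistake
        "<key>rememberMe</key><true/>"
        "</dict></plist>"
    ),
    "shared_prefs/settings.json": json.dumps(
        {"user": {"name": "alice", "password": "hunter2"},
         "api": {"secret": "", "endpoint": "https://api.example.invalid"}}
    ),
    # A server-issued token instead of the password: the usual replacement.
    "Library/Caches/session.json": json.dumps(
        {"session_token": "opaque-server-issued-token", "expires": 1700000000}
    ),
    "config/app.properties": "# constructed sample\ndb.user=app\ndb.password=s3cret\ntheme=dark\n",
}


def audit_sample():
    """Write the constructed sample to a temp directory and audit it."""
    root = Path(tempfile.mkdtemp(prefix="app-audit-"))
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return find_plaintext_credentials(root)


if __name__ == "__main__":
    for hit in audit_sample():
        print(f"plaintext credential: {hit['file']} -> {hit['key']}")
```

Running the script reports three hits (the plist password, the JSON user password and the properties database password) and nothing for the empty api/secret entry or the session token. Pointing find_plaintext_credentials at a real app's sandbox directory on a test device turns the same check into a pre-release gate.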
Recommendations for improving security practices
The report highlights a few key areas that its authors believe can significantly reduce the severity of the vulnerabilities facing the mobile industry today.
First and foremost they want to educate developers on how to implement best security practices into the development life cycle. Ashbel tells Geektime that increasing awareness of this issue is the responsibility of both the developers and their companies.
Second, companies must test code while it is still in the development stage. He explains that it is much cheaper for a business to find problems in an app before it is released rather than later when data can be compromised and users put at risk. Checkmarx’s solution works to automatically test code for vulnerabilities throughout its development, alerting the team to which changes in the flow of the code are necessary for creating a more secure product.
Finally, Ashbel says that he hopes to change the way that developers view the severity of vulnerabilities. Just as a team would look for bugs before releasing a new app, they need to look at security risks with the same seriousness, if not more so.