Which is safer – iPhone or Android?

iOS v. Android. Photo Credit: Apple and Android

A new Checkmarx and AppSec Labs study has some upsetting revelations about mobile security

A report that cybersecurity experts Checkmarx and AppSec Labs released today has found a set of critical flaws in how developers are writing code for mobile apps that could put a lot of people at risk.

Over the course of the past year, these two companies carried out an audit of hundreds of mobile apps, testing them for vulnerabilities. Among those reviewed were banking apps and others containing essential personal information.

Their review found an average of nine vulnerabilities per app. Speaking with Amit Ashbel of Checkmarx, he notes that while some of the security holes that turned up could be considered low-level threats, a shocking 38% actually posed a significant risk and could cause serious damage to users.

Founded in 2006, Checkmarx works with over 700 clients to identify vulnerabilities in coding from the start, working with developers to offer solutions that they say can save time while producing more secure apps.

Image credit: Checkmarx and AppSec Labs

Why the mobile industry is lagging behind on security

In speaking with Ashbel, he explains that the root cause of many of these issues stems from vulnerabilities that were written into the code during the development stage. These vulnerabilities can later be exploited by hackers after the product has been released, endangering a company’s data.

He says that most developers never pick up on the basic elements of how to write secure code while they are at school, so they are unaware of security best practices once they enter the job market.

Another issue that he points to is a general lack of awareness in the industry of how widespread this issue really is, and the potential costs that it can have on a company in the long run.

This problem shows itself in the tension between developers and security teams, with the former focused on what Ashbel calls functionality and finishing the project on deadline, while the latter is more concerned with putting out a more secure product, even if that means delays.

What is worse is that many of these poor practices for writing code have already been identified, and yet developers continue to make these mistakes, which are showing up in far too many apps on the market.

iOS or Android – who is more secure?

The short answer to this question is that neither is really that secure upon closer inspection. “The mobile application industry as a whole is lagging behind on secure coding best practices,” says Ashbel.

Image credit: Checkmarx and AppSec Labs

He explains that there is a myth that iOS devices are harder to hack. However, Ashbel says that in fact the study turned up far more vulnerabilities on code for iOS apps when compared with Android. What he says is protecting many of the Apple devices is their App Store — which is guarded like a fortress — and the way that the company manages which apps are allowed to be uploaded into their ecosystem. On the other hand, Android devices’ inherent flexibility often puts them at risk due to the more open system.

While Apple may have built the walls high around its App Store, those efforts may well be for naught as hackers find other avenues to penetrate its defenses. Miscreants can successfully target weaker points of entry such as the servers, various web channels, or even the app itself.

Image credit: Checkmarx and AppSec Labs

Gaps in an app’s security design can at times be face-palm-inducing. In one example that Ashbel has written about, Starbucks’ app threw simple encryption out the window by storing a user’s password in plain text. Anyone who opened the app could easily see what the password was, negating the need for any actual hacking to take place.
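The plaintext-password mistake described above, shown beside the hardened pattern, as an added illustration that is not code from the article, from Checkmarx, or from Starbucks. The file name `session.log` and the service identifier `com.example.app.session` are assumptions; the hardened version never persists the password at all and keeps only a server-issued session token in the iOS Keychain.

```swift
import Foundation
import Security

// Vulnerable pattern (the kind of flaw the article describes): the raw password is written
// to an unprotected file inside the app sandbox, where anyone with the device, a backup,
// or a file browser can read it. No "hacking" is required.
func saveCredentialInsecurely(password: String) throws {
    let url = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0]
        .appendingPathComponent("session.log")   // hypothetical file name
    try password.write(to: url, atomically: true, encoding: .utf8)
}

// Hardened pattern: the password is sent once to the server and discarded. Only the
// short-lived session token the server returns is stored, and it goes into the Keychain,
// bound to this device and readable only while the device is unlocked.
enum KeychainError: Error { case status(OSStatus) }

let service = "com.example.app.session"   // hypothetical service identifier

func storeSessionToken(_ token: String, account: String) throws {
    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    SecItemDelete(base as CFDictionary)   // replace any previous token for this account
    var attrs = base
    attrs[kSecValueData as String] = Data(token.utf8)
    attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    let status = SecItemAdd(attrs as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

func loadSessionToken(account: String) throws -> String? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    if status == errSecItemNotFound { return nil }   // no session yet: ask the user to log in
    guard status == errSecSuccess, let data = item as? Data else {
        throw KeychainError.status(status)
    }
    return String(data: data, encoding: .utf8)
}
```

A quick check during review is to search the app's sandbox and backups for the test account's password after logging in; with the hardened pattern it should appear nowhere on disk.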

Recommendations for improving security practices

The report highlights a few key areas that its authors believe can significantly reduce the severity of the vulnerabilities facing the mobile industry today.

First and foremost, they want to educate developers on how to build security best practices into the development life cycle. Ashbel tells Geektime that increasing awareness of this issue is the responsibility of both the developers and their companies.

Second, companies must test code while it is still in the development stage. He explains that it is much cheaper for a business to find problems in an app before it is released rather than later when data can be compromised and users put at risk. Checkmarx’s solution works to automatically test code for vulnerabilities throughout its development, alerting the team to which changes in the flow of the code are necessary for creating a more secure product.

Finally, Ashbel says that he hopes to change the way that developers view the severity of vulnerabilities. Just as a team would look for bugs before releasing a new app, they need to look at security risks with the same seriousness, if not more so.

Gabriel Avner

About Gabriel Avner


Gabriel has an unhealthy obsession with new messaging apps, social media and pretty much anything coming out of Apple. An experienced security and conflict consultant, he has written for The Diplomatic Club, the Marine War College, and covers military affairs with TLV1 radio. He mostly enjoys reading articles wherever his ADD leads him to and training Brazilian Jiu Jitsu. EEED 44D4 B8F4 24BE F77E 2DEA 0243 CBD1 3F7C F4B6

  • John

    Thanks to the AOSP, I feel much safer on Android. Apple spies on their users, doesn’t tell them about it, and does everything in secrecy.

    On Android, I can run a custom ROM and speak with volunteer developers who I trust and who understand the hardware.