SecurityWeek

Mobile & Wireless

Security Lax Among Mobile Applications From Forbes Global 2000, Survey Finds

A new study from Hewlett-Packard (HP) suggests mobile app developers are leaving security in the dust during the development process.

In an analysis of more than 2,100 mobile applications from more than 600 companies within the Forbes Global 2000, HP found that while 97 percent accessed at least one private information source on the device, such as a personal address book or social media page, 86 percent did not have adequate security measures in place to protect that data from exploits such as cross-site scripting and the misuse of unencrypted data.

In addition, 18 percent of applications tested sent user names and passwords over HTTP. Of the remaining 82 percent, 18 percent incorrectly implemented SSL/HTTPS. Seventy-five percent of the apps did not use proper encryption techniques when storing data on mobile devices. This failure to properly use encryption is one of the most serious types of vulnerabilities present in mobile applications, said Daniel Miessler, principal security architect for HP Fortify.

“As with most security issues, developers usually fail to encrypt their data on the file system or across the network because it’s simply more difficult to do so,” said Miessler.
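The two transport failures the survey counts, credentials sent over plain HTTP and HTTPS whose certificate checks are switched off, can be caught in a client's TLS configuration before any traffic is sent. The following audit function is an added example written for this article, not code from HP or the study; the endpoint URL and the function names are hypothetical, and the "weak" context reproduces the common trust-everything pattern for comparison with the hardened default.

```python
# Added example (not from the HP study or this article): audit how a mobile
# client would reach its login endpoint and report the survey's two transport
# failure classes. URL and function names are hypothetical.
import ssl
from urllib.parse import urlparse


def audit_credential_transport(login_url: str, ctx: ssl.SSLContext) -> list:
    """Return a list of findings for the given endpoint and TLS context."""
    findings = []
    if urlparse(login_url).scheme != "https":
        # The "sent user names and passwords over HTTP" class.
        findings.append("credentials sent in cleartext (scheme is not https)")
        return findings  # TLS settings do not matter when TLS is not used
    # The remaining checks cover "incorrectly implemented SSL/HTTPS".
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate verification disabled (CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS/SSL versions allowed")
    return findings


def weak_context() -> ssl.SSLContext:
    """Looks like HTTPS on the wire but verifies nothing (constructed example)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Verifies the chain and hostname and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    # Constructed endpoint; no network connection is made.
    for url, ctx in [("http://example.test/login", hardened_context()),
                     ("https://example.test/login", weak_context()),
                     ("https://example.test/login", hardened_context())]:
        print(url, audit_credential_transport(url, ctx) or ["ok"])
```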

Beyond the issue of encryption, many developers are not using binary hardening techniques to protect their work. According to HP, 86 percent of applications tested lacked binary hardening and were left open to information disclosure, buffer overflows, poor performance and other issues.

“Security takes a back seat because functionality is king and being fast to market is key,” he added. “Features and functionality are what sell the software for these various companies, and therefore this is where the focus is placed. The solution for achieving better security is to simultaneously educate developers in how to create secure code easily, to integrate security checks into the development lifecycle, and to make the development of applications more secure by default.”

In August, a survey by application security firm Security Innovation indicated a disconnect between app developers and executives in their views on the maturity of their organization’s secure app development process. While 75 percent of executives agreed that defined secure architecture standards existed in their organization, only 23 percent of technicians and 35 percent of staffers thought so. In addition, 43 percent of the respondents said their organization had a defined software development process in place. Of these, only 69 percent adhered to the defined process, while 21 percent said their organization did not and 10 percent were unsure.

“While mobile devices are becoming more and more critical to conducting business, they are also becoming prime targets for attack, with vulnerable applications providing access to sensitive data,” Mike Armistead, vice president and general manager for Enterprise Security Products for HP Fortify, said in a statement. “Mobile applications now are the first line of defense against the adversary and organizations must be equipped to assess, assure and protect these applications to prevent damage from exploits.”
