An analysis of the thousands of applications reviewed by Web application security firm Cenzic found serious lapses in judgment resulting in gaping holes that could be used by an attacker to siphon off sensitive data from smartphone and tablet owners.
The security firm observed the static elements of the mobile apps and found that 99 percent of them had serious vulnerabilities. Many of the flaws were related to the Web services protocol associated with the mobile application weakening the connection between the mobile app and the back-end systems they're tied into for information, said Scot Parcel, CTO of the Campbell, Calif.-based security firm that focuses on application security and quality assurance.
"Our feeling is that there is so much focus on client-side security that people are forgetting and under-addressing mobile security," Parcel said. "People tend to think of the client app, but we view it as a system where there is a Web service associated with the mobile app, and ultimately that is where all the shared data is stored and can be impacted."
Cenzic's "Application Vulnerability Trends Report 2013" found a variety of errors in mobile applications developed for both iOS and Android platforms. Input validation errors, session management flaws and privacy violations combined to account for 57 percent of mobile vulnerabilities.
Privacy violations are errors that result in disclosing data in unencrypted communications or failing to encrypt sensitive user data stored on the client, Parcel said, adding that it is difficult to implement encryption correctly. Security experts have said that improperly deployed encryption mechanisms are often at the core of data leakage incidents.
Encryption can give a false sense of security if it isn't properly employed and maintained, Parcel said. Still, often-unsecured Web services commonly associated with mobile applications can pose an even bigger risk. Parcel said Cenzic has taken on some large companies that are producing dozens of mobile apps a month and found that securing them has become a painstaking process.
"These mobile apps can sometimes just be promotional or a short-lived app for a conference," Parcel said. "It's hard to put a lot of security attention into something when you know the life span is just a month."
The firm found that 29 percent of the mobile apps were associated with infrastructure weaknesses. The server-side errors were often associated with configuration issues or improper software components being used.
The firm's review of Web applications found that many common coding errors continue to plague them, enabling cybercriminals to use automated tools to target the flaws. The firm found that 61 percent of the applications had Cross-site scripting (XSS) vulnerabilities, and 45 percent had authentication and authorization errors. Web server configuration errors was found in 28 percent of the software, and cross-site request forgery, a vulnerability that allows attackers to send pre-authenticated but unauthorized commands using credentials that the application trusts, was found in 22 percent. SQL injection flaws, a common coding error, came in at just 16 percent, and although it was frequently seen in many Web applications, it wasn't counted multiple times by the firm, Parcel said.
"You'll classically find a lot of XSS because it is really common," Parcel said. "You might find SQL injection with frequency, but you won't find it in the same quantities in the app."
A recent throng of Java zero-day vulnerabilities has shifted focus on software security, but Parcel isn't convinced it's helping make the case for improved software security practices at organizations. The rash of Java coding errors has somewhat "immunized" people, making them indifferent to the problem.
"If it makes organizations take this less seriously, then it continues a trend of not putting enough resources into these things," Parcel said.
PUBLISHED MARCH 7, 2013