Report: Apple, Android Apps Riddled With Coding Flaws

Poorly implemented encryption and a bevy of Web application vulnerabilities in Google Android and Apple iOS apps open them up to determined attackers, according to an analysis of mobile application security conducted by Veracode.

The Burlington, Mass.-based application security vendor issued the latest vulnerability statistics in fifth volume of its State of Software Security report, issued this week. The firm said cryptographic vulnerabilities coded into apps impact both platforms. Encryption problems affected 64 percent of Android applications and 58 percent of iOS apps, Veracode found.

"Cryptographic issues significantly weaken data protection," Veracode said in its report. "Attackers with physical control of a mobile device for a small amount of time can jailbreak it and install a backdoor with keyloggers or other malware and/or copy the content."

[Related: 6 Steps To Address BYOD: A Security Management Roadmap ]

Security experts have long warned about the poor coding found in mobile applications. The coding problems are the result for a number of cited reasons, from rushing out mobile apps too quickly to the idea that mobile application security is easier, opening up the practice to inexperienced coders who sometimes copy and paste code from other apps that contain vulnerabilities. Campbell, Calif.-based application security vendor Cenzic found similar mobile application flaws in a report issued last month.

The Veracode analysis found Android and Apple application vulnerability types to be slightly different. Veracode said the differences in the frequency of coding errors stem from the programming language used. Apple iOS apps are coded in Objective C, and Android apps are Java-based.

Apple iOS apps are more susceptible to error handling and credentials management than are Android applications, according to the Veracode analysis. Poorly implemented error handling when problems occur in the app at runtime can be a hole used by an attacker. Meanwhile credentials management can open an opportunity for an attacker to steal authentication tokens and access sensitive data.

Meanwhile SQL injection and code quality issues were found more frequently in Android applications, Veracode said. SQL injection, a common website vulnerability, can be used by an attacker passing malicious SQL statements in the field of an application in an attempt to gain access to sensitive data.

Veracode also reviewed Java ME apps created for the BlackBerry 10 platform, but the set of apps created for the platform at the time of its review, which examined apps between January 2011 and June 2012, was too small, opening up the results to variability. So far, the Java ME apps it tested appear to reflect similar vulnerabilities in apps designed for the platform, the firm said.

NEXT: Vetting iOS, Android Apps

The iOS and Android platforms use code signing to validate the veracity of an application. Sandboxing also limits exposure to the underlying device processes. Both companies oversee a controlled mobile application store, but security firms have identified malicious apps getting past the vetting process in both stores. Apple doesn't say how it vets apps for security. Google uses Bouncer, a static analysis code-scanning tool to check its apps.

"Both iOS and Android platforms have built in security features such as kill switches to remove identified malware applications from mobile phones," Veracode said. "Since the risk and attack models are slightly different, enterprises should consider a multi-pronged approach to applying preventative security controls."

Veracode said enterprises could set up an app store, supporting a zero-trust model for adopting mobile applications. All apps would be treated as potentially malicious until they are thoroughly reviewed for bugs and the kind of data they collect.

PUBLISHED APRIL 11, 2013