HP Study Criticises Mobile App Security

Nearly all mobile applications present a risk to users, according to a new report from Hewlett-Packard’s software division. In a study of 2,107 applications published by 601 companies on the Forbes Global 2000, HP found that 97 percent of the apps in some way accessed private information on the user’s device.

HP scanned applications to see which ones were accessing private information, and then tested the applications that accessed private information for security vulnerabilities, Maria Bledsoe, HP senior manager for product marketing, told eWEEK. “While some of these apps may have a legitimate reason to access private information, the addition of security vulnerabilities puts that private information at risk,” Bledsoe said.

Protections lacking

The HP study found that 86 percent of mobile apps do not use proper binary protections, which can shield applications against memory overflow attacks and can also restrict the ability of attackers to reverse engineer code which could then potentially be exploited.

Adding further insult to injury, HP’s analysis indicated that 75 percent of the surveyed mobile apps do not properly leverage data-encryption techniques for user data. As to what techniques developers should employ, Bledsoe said that there are specific implementation options based on the mobile operating system version.

“The key point is that developers should use their operating system’s recommended method of encrypting data as opposed to writing to the file system without encryption or using a custom implementation,” Bledsoe said.

Encryption is also a weak link for data in transit, from the mobile device to the Internet. Since the beginning of the Internet era, Secure Sockets Layer (SSL) encryption has been the cornerstone of web security for servers and desktops. SSL is also a must-have technology on mobile devices, though it is not being correctly implemented, according to HP’s data.

The HP study found that of the 82 percent of apps that employ SSL, only 18 percent actually use it correctly. The incorrect usage of SSL can enable an attacker to intercept traffic and perform a man-in-the-middle attack.

Essential security measures

From HP’s perspective, given the flaws found, Bledsoe stressed that building in security measures from the start is essential to application security.

“Even if an application is built by a third party, running a security assessment test before procuring or releasing a mobile application can help find and remediate a majority of vulnerabilities,” Bledsoe said. “By prioritising security early in the application development, security flaws can be resolved before deployment.”

For the study, HP used its own Fortify on Demand (FoD) scanning technology to test the apps. HP’s FoD for Mobile is designed to give corporations a look into mobile apps’ privacy and security flaws while remaining low cost, requiring less time, and not requiring source code, Bledsoe said.

Do you know all about HP, the IT firm from the garage? Take our quiz!

Originally published on eWeek.

Sean Michael Kerner

Sean Michael Kerner is a senior editor at eWeek and contributor to TechWeek

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago