Mobile apps: Insecure by default
By Taylor Armerding
They are the best of apps. They are the worst of apps. At the same time. Mobile applications have unlocked a world of almost magical convenience, communication and creativity. With a few swipes or taps on your smartphone you can buy food, clothes or just about any other product, pay your bills, chat with your friends, watch your far-away nieces, nephews or grandkids grow, monitor your exercise goals, take video and stills of your vacation, listen to your favorite podcasts or music and more. Ever so much more. You can even turn your smartphone into a flashlight or use it to tune your guitar.
But then, mobile applications can also unlock your personal, medical and financial information to hackers. They can make it possible for criminals to drain your bank account, eliminate your privacy—pretty much ruin your life.
And that is all, or at least mostly, because the large majority of mobile application developers spend their time and money hoping to dazzle their customers with bells and whistles, not on protecting those customers. Their apps are feature rich and security poor.
So it is no surprise that yet another research report—this one from Positive Technologies—finds that they are a high-risk convenience.
The company studied 17 mobile apps and reported finding high-risk vulnerabilities in 43% of the Android apps and 38% of those for iOS.
As noted, this simply confirms what others have found. The Naked Security blog provided a partial list: “The news won’t come as much of a shock to anyone who has read GPEN’s 2014 study of app privacy failings; IOActive’s 2013 study of banking app security, nor its follow up in 2015 nor its investigation of stock trading app security in 2017; nor Arxan’s 2019 look at banking and finance app security.”
Among the highlights—or lowlights—of the report:
- Insecure data storage is the most common problem, found in 76% of mobile apps, putting passwords, financial information, personal data, and correspondence at risk.
- 89% of vulnerabilities can be exploited using malware, which means hackers rarely need physical access to a smartphone to steal data.
- Most vulnerabilities are the result of weaknesses in security mechanisms, not just in the apps themselves but on the server, which is hosted by the developer and with which apps communicate. The researchers found such weaknesses in 74% of apps for iOS and 57% of Android apps, with 42% for server-side components.
And they noted, “Because such vulnerabilities creep in during the design stage, fixing them requires significant changes to code.”
User carelessness can play a role as well. “Many cyberattacks rely on user inattention. Escalated privileges or sideloaded software can pave the way for a damaging attack,” the report said.
Why are mobile apps so insecure?
All of which raises the usual, fundamental questions: Why is insecurity so rampant on apps that are carried on billions of mobile devices? And what can be done about it?
The answer to “why” is pretty much what it has been since applications became mainstream. Amit Sethi, senior principal consultant at Synopsys, notes that it is not just mobile apps that are riddled with vulnerabilities. “Most developers tend to focus on features, performance, usability, etc. because the requirements they are implementing tend to focus on those areas,” he said. “Also, there is always a rush to get features implemented, and security is often neglected.”
Phillip Dunkelberger, president and CEO of Nok Nok Labs and a founding member of the FIDO (Fast IDentity Online) Alliance, an organization that seeks to replace passwords with other, multiple forms of authentication, put the question to members of his team. Among the responses: “App developers often focus on the features that are most ‘relevant’ from a business perspective. Competing against convenience, usability and more, security sometimes does not make the top of the list.”
Or as Grant Douglas, associate principal consultant at Synopsys, put it, the existing incentives don’t promote mobile application security. “Developers are not only not incentivized, but security isn’t always something a developer is exposed to through study and training,” he said.
In short, even with breaches and privacy violations in the headlines daily, the market incentives are still to get a feature-rich app into production as quickly as possible. If mobile app security is a casualty of that, so be it—the priority is not letting a competitor get to the market first.
The irony, as any good security experts will tell you, is that good security doesn’t slow development down. It can actually speed it up.
Yes, it can look both time-consuming and expensive. Sethi notes that creating secure apps “requires performing different activities during different phases of the software development life cycle (SDLC), such as threat modeling, static analysis, dynamic analysis, etc.”
To that, developers should add software composition analysis (SCA), which helps developers find and fix any vulnerabilities or license problems with open source software components.
Make it easy to build mobile app security in
But there are tools to help with those tasks. “Security teams can provide developers with easy ways to do the right thing,” Sethi said. “They can create libraries that make it easy for developers to implement functionality in secure ways.”
And Douglas said developers are increasingly open to “building security in” to mobile apps during the SDLC, especially when it can be a more seamless part of the process. At least some of them also see the long-term benefit—it takes less time and money to fix vulnerabilities early and throughout development than to try to patch dozens to hundreds of bugs that penetration testers find just before an app is due to go into production.
“Many frameworks exist for mobile platforms that cover security concerns and allow developers to abstract themselves from some of the more challenging decision/implementation woes,” he said.
Thomas Richards, principal consultant at Synopsys, agreed. “Designing security in is the best approach and is also the cheapest,” he said. “Setting security requirements early on and performing threat modeling can eliminate many security issues before code is written.”
Not getting the message
But, as yet another study finds, the message isn’t getting through enough of the time. Billions of people are walking around with a virtual data bomb—dozens of bombs—in their pocket. According to App Annie, the average smartphone user has 60-90 apps installed on his or her phone, uses around 30 of them each month and launches nine per day.
What will it take to change the current reality? Users could demand better mobile app security. “If they are willing to pay more for solutions with robust security than for ones without, organizations will take action,” said Dunkelberger’s team member.
But the reality is, they haven’t yet and likely won’t. As Bruce Schneier, blogger, author and CTO at IBM Resilient Systems said years ago while lobbying for more aggressive government regulation of Internet of Things (IoT) security, consumers “don’t care because they don’t know enough to care.”
Other solutions for mobile app security
So, other options? Dunkelberger’s colleague offered two: “Entities with regulatory power, such as App Store providers like Apple or Google, or government regulatory entities, must require a minimum level of security. And a practical approach would be to change the platform APIs [application programming interfaces] that are secure by default.”
Enable developers to build security into mobile apps
Douglas agrees that while users bear some responsibility for their own security while using apps on their mobile devices, such as using secure passwords and not installing apps from untrustworthy sources, “the onus does fall mostly on the developers. They control how and where data gets stored, how long it gets stored, how secure that data is. The developers control how authentication works, how frequently the user has to re-prove their credentials, etc.”
Zach Lanier, principal research consultant at Atredis Partners, said beyond making security part of design, development and testing, developers should educate themselves “on the benefits and shortcomings of their stacks—everything from the languages and frameworks they use to the security features of the platform(s) on which they build—and ensuring they take advantage of those features where possible.”
Do authentication better
Most experts agree that for both developers and users, the only way to make mobile app security mainstream is to make it easy. Convenience will trump security every time.
Lanier said part of that is transparency—that developers should notify users “about what changes or updates they make, especially as it relates to addressing any security issues that have been identified.”
For Dunkelberger, one practical way to do that is to make authentication more robust with that method
“With FIDO, the API is crafted carefully to be secure by default, and the authenticator is implemented by the platform, supporting various methods to verify the user—not only PIN, but also biometrics,” he said. “Additionally, the authenticator can ask the user to provide the required verification data—taking the mobile app out of that equation.”
Better authentication is indeed one significant way to improve mobile app security. But as Richards notes, it is still the responsibility of developers “to develop their application securely and consider security risks early and often while developing and supporting the application.”
And we’re still waiting for that to happen.