More than half of mobile applications are collecting alarming quantities of data, according to Hewlett Packard Enterprise’s HPE Mobile Application Security Report 2016.
The study leveraged HPE Security Fortify on Demand to scan more than 36,000 iOS and Android mobile apps, and revealed the impact of increasing data collection, as well as recommendations for how organizations, mobile application developers and enterprises can build security in to better protect their data.
As mobile applications become more prevalent in the work environment, it’s essential that organizations understand the security vulnerabilities of mobile applications and implement mobile security best practices and policies required to protect today’s digital enterprise. Adversaries are shifting their focus to mobile platforms, with more than 10,000 new Android threats discovered per day in 2015, and an iOS malware growth rate of more than 230 percent 1.
“Modern mobile applications are collecting, transmitting and storing a wide range of data that often is not necessary to the application’s function, and can cause significant financial and reputational damage if a vulnerability is exploited,” said Jason Schmitt, vice president and general manager, HPE Security Fortify at Hewlett Packard Enterprise. “With attackers’ growing interest in mobile, it’s critical that developers build security into applications from the onset, and organizations take a proactive approach to data security to better protect both personal and corporate data.”
Not all apps need to track your location
A majority mobile applications track your location, but not all of them need to. More than 50 percent of the scanned applications accessed geolocation data. This can create serious privacy implications in the event of an attack, as an attacker can gain access to the physical location of otherwise anonymous, unsuspecting users.
While it makes sense for a traffic application to track location, the study found that more than 70% of education applications on iOS did as well. This is disturbing as education applications are often marketed towards children.
Games and weather applications are collecting calendar data
The report also found that calendar data was accessed by more than 40 percent of the iOS games and more than 50 percent of the iOS weather apps scanned. Calendar data can be particularly sensitive, detailing not just when business meetings take place, but also the topics and invitees.
Ad and analytics frameworks are commonplace in application development, with more than 60 percent of applications scanned using these frameworks. A framework that is misconfigured – or insecure to begin with – could be storing or transmitting a significant amount of highly specific and potentially sensitive data about users.
Logging methods can expose data to unauthorized third parties
During the early development of applications, logging can be critical to the process of correcting buggy code, but once an application is running on a user’s device, it becomes a significant disclosure vulnerability. Approximately 95 percent of the applications scanned included logging methods.
Recommendations for Safe Usage of Mobile Applications
Mobile applications are here to stay, and developers, organizations and consumers alike should be cognizant of how this affects the security of personal and corporate data. HPE recommends the following to enterprises for safe development and usage of mobile apps:
- Build security in – start with secure code. The surest way of securing mobile applications is to code securely in the first place, and security test early and often. It’s significantly less expensive to build security into the development process than adding it to mobile applications already in production.
- Implement automated scans and penetration testing. Organizations should build a holistic approach to their security programs that includes application scanning and penetration testing. Automated scanning helps catch both simple and complex mobile application security mistakes that are being made, while penetration testing can determine the most important vulnerabilities.
HPE SecureData Mobile
To address the increasing need to protect sensitive information in mobile environments, HPE introduced the HPE SecureData Mobile, an end-to-end data encryption solution.
HPE SecureData Mobile expands upon the HPE SecureData product portfolio, enabling organizations to build data security into their mobile applications and safeguard the data throughout its full lifecycle – at rest, in motion, and in use – extending security far beyond traditional technologies such as TLS, VPN, and storage encryption.
HPE SecureData Mobile provides data capture and security from the native iOS or Android mobile application through the entire enterprise data lifecycle and payment data stream. This is important as a majority of mobile applications track sensitive data such as geolocation, according to a HPE Mobile Application Security Report.
The solution leverages HPE Format-Preserving Encryption, a standards-based encryption to make only minimal modifications to existing applications, while providing data security for mobile applications or mobile purchases.
HPE SecureData Mobile ensures organizations remain in compliance with PCI (Payment Card Industry,) PII, PHI and other industry standards. The solution also supports HPE Stateless Key Management architecture, which enables on-demand key generation and re-generation without an ever-growing key store. The result is a system that can be infinitely scaled across distributed physical and logical locations for a low operational and infrastructure cost.