This year at the RSA Conference HP officially released its annual Cyber Risk Report. This report is one among many industry reports that individuals and companies who are concerned about security should pay attention to. By paying attention to these trends your company will be better able to secure your IT assets and more effectively allocate IT Security resources in the coming year. This year, Security Compass made a significant contribution by providing some of our mobile assessment data for inclusion in the report. At Security Compass, we see a high volume of mobile apps and are able to get a pretty good snapshot of the state of mobile application security. The HP Cyber Risk Report highlights a number of trends in IT Security, and from our position, Security Compass has a unique insight into the effectiveness and developer adoption of secure coding initiatives in the mobile space.
Information Disclosure is Prevalent
One notable trend in mobile apps is the high number of information disclosure vulnerabilities. Security Compass observed that 77% of the mobile apps assessed were found to suffer from information disclosure. Regardless of the operating system, we were able to find sensitive data being transmitted over the network or left in log data. This percentage is astronomically high, and mobile app developers need to do a better job at protecting customer information.
Use of Secure Element isn’t Always Secure
A high percentage of the mobile assessments conducted by Security Compass in 2012 were mobile banking related apps that made use of a phone’s secure element technology. The secure element allows application developers to obtain a certificate that grants them exclusive access to a specific block of memory on the SIM that no one else will have access to. Through many of our assessments, we found that not all of the banking apps properly implement certificates/signatures when accessing the secure element. This would allow a malicious application to potentially make requests to access the data on the secure element without authorization.
NFC Changes Banking
In addition to the secure element, a number of mobile banking applications are beginning to make use of Near Field Communication (NFC) as a method of payment at NFC-enabled Point-of-Sale terminals. Although we haven’t seen much evidence of exploitation in the wild, enabling NFC for the purpose of mobile banking — and leaving it on permanently — presents a number of additional threats to users and their data. What we are seeing with this technology is the classic trade off between ease-of-use and security. The most common vulnerability Security Compass has found with NFC-enabled applications and devices is that they will perform a number of actions without any prompt at all from the user.
We are seeing that developers want to make their products easy to use so they put the fewest taps/prompts possible into their products. The trade off is that in some devices/applications events can be instigated without any prompting the user. This would mean that if the application doesn’t prompt for a user’s permission while NFC is enabled, all an attacker would need to do is bump your phone to simulate contact with another device to instigate a transfer and obtain your banking data.
XSS More Likely in Web Apps than Mobile Apps
When it comes to Cross Site Scripting vulnerabilities the HP Cyber Risk Report found 44% of web applications vulnerable. Similarly, with mobile apps we found that only 33% were vulnerable to XSS. There are many probable reasons for this discrepancy; most predominantly the fact that not all mobile applications make use of embedded web elements. This makes native apps slightly less susceptible to this type of attack — as they may not utilize JavaScript at all.
Impacts of Multiplatform Applications not Clear
One thing the report doesn’t highlight is the existence of code gaps and vulnerabilities found in applications that are ported from one operating system to another, or apps that are developed a common language and deployed to multiple operating systems. In some assessments, we find the same vulnerabilities in an app across multiple platforms. In other cases, some issues only occur on a particular operating system. In this case we may find that when an app is ported over to a particular operating system that it logs data differently from how it was originally designed. To make quantifiable claims on this issue we would need a much larger data set of applications that are developed for multiple platforms.
We hope this guide and the HP Cyber Risk Report will help you and your company identify IT Security trends relevant to you so you can plan & make better security decisions in the coming year. For more information on this subject, be sure to check out the full HP Cyber Risk Report,or contact Security Compass directly.