Bad news for app developers: according to a recent WhiteHat report, some 85% of mobile apps violate one or more of the Open Web Application Security Project (OWASP) Mobile Top 10. In other words, 85% of apps carry at least one weakness in a category that attackers routinely exploit.
According to techrepublic.com, the most common risk identified was insecure data storage–around half of the 15,000 apps analyzed in the report violated the OWASP standard there. “This means,” says techrepublic, “they may include data leakage in local files and systems logs, client-side injection, and weak server-side controls.” Notably, Android apps had a higher rate of violations here than iOS apps did.
Next up were violations of the OWASP standard for insecure communication, of which nearly half of all apps were guilty. Surprisingly, “some 30% of iOS apps still use insecure HTTP, and more than 50% of iOS apps do not use the recommended Application Transport Security method for secure encrypted communications,” according to the report. App Transport Security (ATS) is the iOS platform control that refuses plain HTTP and weak TLS by default, so an app that does not use it has usually opted out of it explicitly.
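To make the ATS point concrete, here is an added example (not from the WhiteHat report or from this post) of the Info.plist setting that turns ATS off app-wide, followed by the narrower form a developer should use instead. The host name legacy.example.com is a placeholder for whatever single endpoint still cannot speak modern TLS.

```xml
<!-- Added example, not from the original post.
     Weak configuration: NSAllowsArbitraryLoads=true disables ATS for every
     connection the app makes, so plain HTTP and outdated TLS are accepted
     everywhere. This is the common way apps end up in the "insecure HTTP" bucket. -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

<!-- Corrected configuration: ATS stays on for all hosts. Only the one legacy
     host (placeholder name) gets a scoped exception, and the exception is as
     narrow as the real constraint requires. -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <false/>
    <key>NSExceptionDomains</key>
    <dict>
        <key>legacy.example.com</key>
        <dict>
            <!-- Allow http:// to this host only -->
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <!-- Do not let the exception leak to sub-domains -->
            <key>NSIncludesSubdomains</key>
            <false/>
            <!-- Keep the forward-secrecy cipher requirement when TLS is used -->
            <key>NSExceptionRequiresForwardSecrecy</key>
            <true/>
        </dict>
    </dict>
</dict>
```

When vetting a third-party iOS app, this is a quick check to run before anything else: unzip the .ipa and inspect Payload/<App>.app/Info.plist (on macOS, `plutil -p` prints the binary plist as text). A blanket NSAllowsArbitraryLoads set to true is the configuration to push back on; a short, named list under NSExceptionDomains is what a deliberate engineering decision looks like.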
There was good news in the report, too: as techrepublic states, “very few mobile apps tested had CVSS-scored vulnerabilities, meaning developers are better at implementing access control and protection in mobile apps.”
Perhaps the biggest lesson here is that IT security personnel must be extremely diligent in vetting third-party applications, and in developing first-party ones. A mobile strategy can certainly help increase productivity (among many other gains), but it’s essential first to ensure that the apps you’re sharing are indeed as secure as they say they are. It’s critical, too, to have practices in place for monitoring risk.
If this is scaring you into thinking you shouldn’t use mobile apps in your business, don’t let it. Our message here is not one of doom and gloom, but of the importance of due diligence, robust security practices, and of course, sound mobile app management at the enterprise level. Being selective about which apps employees may access, and keeping those apps up to date, is just one way to gain more effective control. It’s certainly concerning that WhiteHat found such a prevalence of OWASP violations, but the good news is that these problems can be fixed and managed.
If you’d like to learn more about how a robust mobile app strategy–paired with App47–can help you navigate the challenges outlined here, email us at info@app47.com today.