Tag: mobile app security

Headline hacks aren’t enough for a mobile security boost

Despite the fact that there have been many high profile cases of cyber attacks, apps remain vulnerable.

A recent study conducted by Bluebox has shown that virtually no travel apps encrypt the data they store on the device to protect it from mobile security breaches, and several are built with vulnerable code.

Even though there have been countless cyber attacks in recent headlines, added security hasn’t become a priority.

The attacks on companies as large as Target and Ashley Madison could have acted as a mobile security wake-up call, but it’s clear that this has not been the case. Even though the evidence is strong that mobile app security is important to consumers, and there is great concern about hacks among companies and individuals alike, app developers don’t seem to be building it in. Bluebox, a mobile app security and analytics company, has conducted an analysis showing that the average person is surprisingly vulnerable to hacking through mobile devices.

The focus of the mobile security study was primarily on travel apps, which showed considerable holes.

Among 10 top Android travel apps, Bluebox found that only one of them had encrypted the data that it was storing on the user’s device. Among 10 of the top iOS travel apps, not a single one had encrypted the data stored on the device. Furthermore, only 2 of the 10 Android apps analyzed and only 1 of the 10 iOS apps analyzed used certificate pinning. Bluebox explained that certificate pinning is “a key capability for securing app data in transit.”

The lead security analyst at Bluebox Security, Andrew Blaich, explained that one of the most important things a mobile app must do is encrypt the data it writes. He also pointed out that “We also want to make sure that the data is not easily accessible at all.” Of all the apps analyzed in this study, only one had actually employed data encryption.

That said, it was pointed out that in that instance, this mobile security step was “hard-coded into the source code,” which means that anyone with access to the app’s source code could still decrypt the data with little effort.

Mobile security flaw places millions of app users at risk

Researchers in Germany have now identified a common weakness in programming practices.

A research team in Germany says it has found a common poor programming practice that leaves a flaw exposing millions of app users to data breaches.

The method of authenticating users could potentially place the personal data of those individuals at risk.

The flaw in the programming could potentially expose the personal data of the users of apps whose developers followed those mobile security practices. The cause is the method by which the app developers authenticate users when storing and retrieving data with cloud databases such as Amazon Web Services and Parse at Facebook. The researchers are from the Darmstadt University of Technology and the Fraunhofer Institute for Secure Information Technology.

The researchers identified the mobile security flaw by looking into 750,000 Google Play and Apple Store apps.

What the researchers found was that many of them authenticate users by way of basic API tokens, despite the fact that other, notably more secure methods are readily available.

This app development strategy is in direct opposition to the best-practice advice issued by cloud storage providers. In a statement, Amazon Web Services said it had been advised of a “small number” of mobile app developers whose apps hold AWS credentials. It said that it believes those developers have “inadvertently embedded their own AWS credentials within their mobile applications, which could lead to unauthorized use of the developer’s AWS services and data.”

The statement also said that AWS contacted each of those developers directly to offer guidance on removing the credentials from their apps, and to “encourage them to carefully examine their AWS resources for unauthorised activity and provide assistance as needed.”

The German team’s leader, Professor Eric Bodden, said that this was a significant mobile security issue, as the team was able to identify 56 million unprotected data sets.
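Both findings above come down to secrets shipped inside the app package: an encryption key baked into source code, and AWS credentials embedded in the app. As an added example that is not part of either study, the following Python scanner runs heuristic checks over text extracted from an app build (resource files, decompiled source) and flags such embedded secrets before release; the key formats, file names and sample contents are assumptions constructed for the example.

```python
import re

# Heuristic patterns for secrets that should never ship inside an app package.
# Formats are assumptions from public documentation (AWS long-term access key IDs
# start with "AKIA" and are 20 chars; secret keys are 40 base64-style chars), not
# values from the studies above. The AES pattern flags a constant named like a key
# that is assigned a hex literal of 128/192/256 bits, i.e. a key baked into source.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r'(?i)secret[_a-z]*\s*[:=]\s*"?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])'),
    "hardcoded_aes_key": re.compile(
        r'(?i)\b(?:aes_?|enc(?:ryption)?_?|crypto_?)?key\s*[:=]\s*'
        r'"([0-9a-f]{32}|[0-9a-f]{48}|[0-9a-f]{64})"'),
}

def redact(secret: str) -> str:
    """Keep a short prefix so a finding can be traced without re-leaking the secret."""
    return secret[:4] + "*" * (len(secret) - 4)

def scan_app_files(files: dict[str, str]) -> list[dict]:
    """Scan {path: text} (strings.xml, decompiled source, plist, config) and
    return one finding per matched secret, with the secret value redacted."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for kind, pattern in PATTERNS.items():
                for m in pattern.finditer(line):
                    value = m.group(1) if m.groups() else m.group(0)
                    findings.append({"path": path, "line": lineno,
                                     "kind": kind, "value": redact(value)})
    return findings

# Constructed sample of what a build pipeline might extract from an APK; the AWS
# values are the placeholder credentials used in AWS's own documentation.
SAMPLE_FILES = {
    "res/values/strings.xml": (
        '<resources>\n'
        '  <string name="app_name">TravelBooker</string>\n'
        '  <string name="aws_key_id">AKIAIOSFODNN7EXAMPLE</string>\n'
        '</resources>\n'),
    "com/example/travel/CloudSync.java": (
        'class CloudSync {\n'
        '  static final String AWS_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";\n'
        '  static final String AES_KEY = "000102030405060708090a0b0c0d0e0f";\n'
        '}\n'),
    "com/example/travel/Clean.java": (
        '// Keys are fetched at runtime from a token endpoint; nothing embedded here.\n'
        'static final String API_URL = "https://api.example.invalid/v1/";\n'),
}

if __name__ == "__main__":
    for f in scan_app_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}: {f['kind']} -> {f['value']}")
```

Running it over a real build means feeding the scanner the strings from the unpacked package, so a finding means the secret is recoverable by anyone who installs the app, not only by someone with the repository.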