Despite the fact that there have been many high profile cases of cyber attacks, apps remain vulnerable.
A recent study conducted by Bluebox has shown that virtually no travel apps have gone to the extent of adding encrypted data to protect them from mobile security breaches, and several are made with vulnerable code.
Even though there have been countless cyber attacks in recent headlines, added security hasn’t become a priority.
The attacks to companies as large as Target and Ashley Madison could have acted like a mobile security wake up call, but it’s clear that this has not been the case. Even though the evidence is strong that mobile app security is important to consumers, and there is great concern about hacks among companies and individuals, alike, app developers don’t seem to be building it in. Bluebox, a mobile app security and analytics company has conducted an analysis that has shown that the average person is surprisingly vulnerable to hacking through mobile devices.
The focus on the mobile security study was primarily on travel apps, which showed considerable holes.
Among 10 top Android travel apps, Bluebox found that only one of them had encrypted the data that it was storing on the user’s device. Among 10 of the top iOS travel apps, there wasn’t a single one that had encrypted the data stored on the device. Furthermore, only 2 out of the 10 Android apps that were analyzed and only 1 of the 10 iOS apps analyzed had used certificate pinning. Bluebox explained that certificate pinning is “a key capability for securing app data in transit.”
The lead security analyst at Bluebox Security, Andrew Blaich, explained that among the most important activities of a mobile app is to ensure that it is encrypting data that is written. He also pointed out that “We also want to make sure that the data is not easily accessible at all.” Of all the apps that were analyzed in this study, only one of them had actually employed data encryption.
That said, it was pointed out that in that instance, this mobile security step was “hard-coded into the source code,” which means that it would still be simple for someone to decrypt the data from the source code.
Wireless companies have been asked to begin making the alterations following a device theft study.
While smartphones are incredible and convenient, a recent study on the theft of these devices has caused the FCC to start requesting that mobile security changes be made by wireless companies in order to help to better protect consumers.
Thefts of smartphones have become increasingly common and increasingly devastating to the owners.
As theft is on the rise with smartphones, the FCC has been seeking out ways to provide better mobile security in order to protect consumers when their devices leave their hands and end up in the hands of someone whose intentions aren’t good ones. Earlier in 2014, the FCC created a working group that has been analyzing data on the subject of mobile device theft. Last week, they issued a massive 140 page report on the topic that included a number of key findings about the handling of smartphone theft as well as about its prevention.
This type of mobile security research was a challenging undertaking, as nationwide data has never been made available.
National level data about smartphone theft has never existed before. The data about stolen mobile devices has been broken down into the approximately 18,000 different law enforcement agencies that operate across the United States. This made a notable challenge out of aggregating the data. Conversely, the total number of incidents may not be as high as the best estimates that have been created by consumer advocates. However, there could also be many thefts that have occurred but that have not been reported.
The next challenge that was faced was in terms of discovering what happens to stolen smartphones. Clear data was not available outside of anecdotal evidence, that suggested that a notable proportion of stolen smartphones are resold in countries “that are both geographically and politically remote from the U.S,” said the report from the FCC. This means that the issue of reducing this problem would require considerable international cooperation.
The FCC is now recommending that wireless companies take a number of mobile security steps, which include: making restore/wipe/lock functions a default on all devices sold, add electronic unique identifiers (like fingerprints) for phones to make it harder for thieves to re-flash them, making sure that employees double-check appropriate databases to ensure that new customers aren’t activating previously stolen property, and keeping those databases up to date.
