Tag: mobile security risks

Mobile security flaw places millions of app users at risk

Researchers in Germany have now identified a common weakness in programming practices.

A research team in Germany has stated that it has found a common poor programming practice that leaves a flaw exposing millions of app users to potential data breaches.

The method of authenticating users could potentially place the personal data of those individuals at risk.

The flaw could expose the personal data of users of any app whose developers followed these practices. The cause is the method by which app developers authenticate users when storing and retrieving data with cloud databases such as Amazon Web Services and Facebook's Parse. The researchers are from the Darmstadt University of Technology and the Fraunhofer Institute for Secure Information Technology.

The researchers identified the mobile security flaw by looking into 750,000 Google Play and Apple Store apps.

What the researchers found was that many of these apps authenticate users with basic API tokens, even though other methods that are considered notably more secure are readily available.

This app development strategy runs directly counter to the best-practice advice issued by cloud storage providers. According to a statement made by Amazon Web Services, it has been advised of a “small number” of mobile app developers whose apps hold AWS credentials. It said that it believes those developers have “inadvertently embedded their own AWS credentials within their mobile applications, which could lead to unauthorized use of the developer’s AWS services and data.”

The statement also pointed out that AWS took the step to communicate directly with each of those developers in order to offer them guidance for the removal of their credentials from the apps. They also took the step to “encourage them to carefully examine their AWS resources for unauthorised activity and provide assistance as needed.”

The German team’s leader, Professor Eric Bodden, said that this was a significant mobile security issue, as the team had identified 56 million unprotected data sets.
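The AWS statement above concerns long-lived credentials compiled into app packages. The following Python pre-release check is an added example, not code from the researchers or from AWS: it pulls printable strings out of a build artifact, flags anything in the documented AWS access key ID format, and notes whether a secret-key-shaped string sits nearby. The byte blob and the key values in it are constructed placeholders in the right format, not real credentials.

```python
import re
from typing import Dict, Iterator, List

# AWS access key IDs are 20 characters: a 4-letter prefix ("AKIA" for
# long-term IAM keys, "ASIA" for temporary STS keys) plus 16 upper-case
# alphanumerics. Secret access keys are 40 characters of [A-Za-z0-9/+].
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
MIN_LEN = 8


def printable_strings(blob: bytes, min_len: int = MIN_LEN) -> Iterator[str]:
    """Yield runs of printable ASCII, as the `strings` utility would."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.group().decode("ascii")


def find_embedded_aws_keys(blob: bytes) -> List[Dict[str, object]]:
    """Return one finding per access key ID found in the artifact."""
    strings = list(printable_strings(blob))
    findings: List[Dict[str, object]] = []
    for idx, s in enumerate(strings):
        for m in ACCESS_KEY_RE.finditer(s):
            key_id = m.group()
            # Secret keys are usually stored right next to the key ID, so only
            # look at this string and its immediate neighbours (fewer false hits).
            window = " ".join(strings[max(0, idx - 2): idx + 3])
            secrets = [c for c in SECRET_RE.findall(window) if c != key_id]
            findings.append({
                "access_key_id": key_id,
                "kind": "temporary" if key_id.startswith("ASIA") else "long-term",
                "secret_candidate": bool(secrets),
            })
    return findings


# Constructed sample resembling a strings/config section of a decompiled app;
# the credential values are format-correct placeholders only.
SAMPLE_BLOB = (
    b"\x00\x01aws_access_key_id=AKIAEXAMPLEEXAMPLE01\x00"
    b"aws_secret_access_key=ExampleSecretKeyPlaceholder0123456789abc\x00"
    b"\x7f\x00https://cognito-idp.us-east-1.amazonaws.com\x00"
)

if __name__ == "__main__":
    for f in find_embedded_aws_keys(SAMPLE_BLOB):
        print(f"{f['kind']} key {f['access_key_id']} embedded in artifact; "
              f"secret-shaped string nearby: {f['secret_candidate']}")
```

Run it against the unpacked APK or IPA payload (for example, the extracted `classes.dex` or any bundled plist/JSON config) as part of the release pipeline; a hit means the app must be rebuilt to fetch short-lived credentials from a backend instead.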

Mobile security policy may not be adequate at Social Security

Many believe that there continues to be exposure to considerable weaknesses with this technology.

The results of a review of the mobile security practices of Social Security Administration (SSA) employees who use smartphones and tablets have revealed considerable weaknesses.

It has been stated that a significant reason that this problem exists is due to the lack of a cohesive policy.

This problem, and the concerns surrounding mobile security at the SSA, were identified and published in a report by the Office of the Inspector General. The Inspector General’s office determined that the federal agency “did not always conform with federal standards and business best practices to mitigate unauthorized access to the agency’s sensitive information.” It concluded that as the use of devices such as tablets and smartphones continues to become more prevalent, this represents a vital weakness.

A serious mobile security gap can exist when many common behaviors are adopted by SSA employees.

While it is true that the use of mobile devices gives SSA workers the opportunity to accomplish a great deal more, even when they are not sitting at their desks, certain behaviors that are commonplace among private device users can leave a gaping hole in security when carried over to professional use. Among them are downloading third-party apps and accessing the internet over an unsecured network. This sharply increases the risk of loss or theft of sensitive data.

Among the tests that were conducted on the security of the mobile device use by SSA employees was the copying of a file by the Inspector General’s office to a mobile device. Though the agency’s own standards would have required that this file encrypt itself automatically, this was not the case during the test.

Likewise, of the 17 SSA employees interviewed in this review, only half showed that they understood that, for mobile security purposes, their agency-provided devices should be used exclusively for official government business. Moreover, not a single one of the people interviewed was able to identify a policy specifically meant to guide them in the use of these devices.