Mobile Apps Remain Vulnerable For Months - InformationWeek

News | 2/24/2015 03:01 PM


Developers are failing to respond quickly to reports of security flaws, Trojans are infecting corporate devices at an alarming rate, and even mundane data about your device's power consumption could threaten your privacy.


As if we needed more to worry about when it comes to cyber-security, three recent reports highlight the frailty of mobile devices and mobile apps. Each of the reports -- from McAfee Labs, Lacoon Mobile Security in partnership with Check Point, and Stanford University, working with Rafael Advanced Defense Systems Ltd -- focuses on key deficiencies in mobile security.

According to the McAfee Labs Threat Report for February 2015, mobile developers have failed to patch critical secure sockets layer (SSL) vulnerabilities months after the vulnerabilities were disclosed.

Last month, McAfee Labs tested 25 of the most popular Android apps on CERT's list of vulnerable mobile apps and found that 18 of them remain unpatched despite public disclosure and vendor notification. Out of more than 1 million Android apps tested by CERT using automated scans, at least 23,000 have failed dynamic SSL validation testing.


McAfee simulated a man-in-the-middle (MitM) attack and managed to successfully intercept information such as login credentials during supposedly secure sessions. The Superfish adware that Lenovo installed on some of its laptops from September through December 2014 has been criticized because it enables attacks of this sort.
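As an added illustration, not code from the McAfee or CERT reports, the Android-style Java below places the certificate-validation defect that dynamic SSL validation testing flags next to a hardened alternative that trusts only a CA bundled with the app. The class name, the `trustEverything` and `trustOnlyBundledCa` method names, and the PEM input stream are assumptions.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class SslValidationExample {            // hypothetical class name

    // VULNERABLE: accepts any certificate chain and any hostname, so a
    // man-in-the-middle presenting its own certificate completes the handshake
    // and receives whatever the app sends, e.g. login credentials. This is the
    // defect that dynamic SSL validation testing detects.
    static SSLContext trustEverything() throws Exception {
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) {}
            public void checkServerTrusted(X509Certificate[] c, String a) {}
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);
        // Process-wide: every HttpsURLConnection now skips the hostname check.
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String host, SSLSession s) { return true; }
        });
        return ctx;
    }

    // HARDENED: trust only the CA certificate bundled with the app (a PEM
    // stream, assumed to come from the app's assets) and leave the platform's
    // default hostname verifier untouched. Any other issuer fails the handshake.
    static SSLContext trustOnlyBundledCa(InputStream pem) throws Exception {
        X509Certificate ca = (X509Certificate)
                CertificateFactory.getInstance("X.509").generateCertificate(pem);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                       // empty in-memory key store
        ks.setCertificateEntry("app-ca", ca);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

Apply the hardened context per connection with `conn.setSSLSocketFactory(ctx.getSocketFactory())`; an untrusted chain then raises `javax.net.ssl.SSLHandshakeException` instead of silently succeeding, which is the behaviour the CERT tests look for.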

"Mobile app developers must take greater responsibility for ensuring that their applications follow the secure programming practices and vulnerability responses developed over the past decade," said Vincent Weafer, SVP of McAfee Labs, in a statement.

(Image: karanj -- CC BY-SA 2.0)

Developers also need to be aware that vulnerabilities may be introduced through third-party analytics libraries. Among 10 analytics libraries found to be vulnerable by CERT, only 4 have been fixed.

McAfee Labs is not alone in its view that mobile devices are insufficiently secure. Last week, Lacoon Mobile Security and Check Point Software Technologies issued a report noting that one out of every 1,000 mobile devices on enterprise networks has been compromised by a mobile remote access Trojan (mRAT). The report suggested that for organizations with at least 2,000 devices, there's about a 50% chance that the internal corporate network itself has been infected with some form of malware.

Lacoon and Check Point said fewer organizations than expected appear to be infected by mRATs, but added that higher than average rates of mRAT infection in certain regions, such as the US, indicate that specific individuals and companies are being targeted. Coming in the wake of the massive Anthem breach, that should prompt some concern.

To further underscore the frailty of mobile security, researchers at Stanford University and Rafael Advanced Defense Systems Ltd. have found that developers can bypass restrictions on location data by tracking mobile power usage over a period of a few minutes.

The researchers note in their paper that there are 179 Android apps in the Google Play store with the permissions necessary to access voltage and current data. Most, if not all, of these apps presumably use the data for legitimate purposes, such as assessing battery life. But were the developers of these apps determined to track where people go, they could employ the techniques described in the paper to infer the user's location history from power consumption data.

Such research raises the possibility that other seemingly innocuous data could be used to compromise privacy and security. It also amplifies related findings about how privacy often can be pierced by correlating a few salient bits of data.

Mobile security, in short, is a moving target, one that's increasingly hard to keep up with.


Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...

Comments
jagibbons, User Rank: Ninja, 3/1/2015 | 11:29:40 AM
Re: The weaknesses are multiplying
We do all of that. We require online training throughout the year. I share news items. We do phishing testing. I present at periodic staff meetings. I try to drive home the topics over and over. It does help.
tzubair, User Rank: Ninja, 2/28/2015 | 7:06:15 PM
Re: Tricky Situation
"There are ways to confirm that the app is doing what is designed for. This is easier in iOS than Android devices but everything is possible."

@DrT: I think this needs extensive QA on the App store's end before they can deem an app to be safe. Given the huge number of apps sent for release each day, I don't think this is an easy task. This is why an App store is more likely to rely on the users flagging an app and marking it as inappropriate compared to finding it out through their own QA.
tzubair, User Rank: Ninja, 2/28/2015 | 6:58:32 PM
Re: The weaknesses are multiplying
"This is always tough, especially for someone like me who is responsible for all internal awareness and training on security. I just keep trying to drive the message home"

@jagibbons: When it comes to spreading internal awareness about security, what do you think works the best? Is it a series of newsletters, videos etc. that you can launch? Or do training sessions or individual counselling prove to be more effective? Anything else that you have felt that organizations must do?
moarsauce123, User Rank: Ninja, 2/28/2015 | 7:48:46 AM
Customers do not value quality
If customers would drop apps that are of bad quality and explicitly request the results of quality assurance test runs we all would not have this discussion. Does anyone ask any software vendor to show the test results as a condition of buying an app? It doesn't matter if it is a 99 cent app or an enterprise suite, as long as customers do not value (meaning pay for) and demand quality we will continue suffering from bad apps with security holes. So unless you start asking for what you want, stop complaining about it.

I have worked in QA for over 15 years now and it is odd that so far only one customer out of thousands asked to see test plans and test results. I have no problem sharing my results and would appreciate it if customers challenged me on my test approach. It would make things better for everyone.

I also noticed that with the Agile wave coming over software development we get releases much faster with more features, but with less and less quality. Sure, even before Agile apps had bugs and security holes, but then it was development driving releases, not some product owner with arbitrary release dates and a far too big wish list as backlog. Devs get the time they need, QA gets the afternoon before release. So you want "working software" as the Agile Manifesto claims is more valued? Then stop this madness and put more effort into fixing bugs and less effort into cramming more and more half-baked and untested features into releases.
asksqn, User Rank: Ninja, 2/27/2015 | 5:58:09 PM
Lax security and apathy = easy pickings for hackers
Mobile data is very easy to exploit since security is negligible, at best. It's like shooting fish in a barrel, or, for that matter, hacking Anthem and/or Home Depot and/or Target.
Dr.T, User Rank: Strategist, 2/25/2015 | 8:42:05 PM
Re: Mobile Apps Security
I hear you. Maybe we need to look at why a misstep in configurations creates this much trouble and what we need to do about it. Doing some checks and balances may help in these situations.
Dr.T, User Rank: Strategist, 2/25/2015 | 8:39:28 PM
Re: Tricky Situation
There are ways to confirm that the app is doing what it is designed for. This is easier in iOS than Android devices but everything is possible.
Dr.T, User Rank: Strategist, 2/25/2015 | 8:36:51 PM
Re: The weaknesses are multiplying
I agree. As we discussed in other threads, there are no real consequences for anything or anybody when it comes to breaches. In particular, we are not able to hold people accountable on security issues yet.
Dr.T, User Rank: Strategist, 2/25/2015 | 8:34:23 PM
Not my app
The main reason that we do not patch the apps fast enough is the fact that we do not think the threats would hit our own apps. Until we get hit we tend to not take an action.
Thomas Claburn, User Rank: Author, 2/25/2015 | 3:36:19 PM
Re: The weaknesses are multiplying
>I fear that these issues won't receive proper attention until we have a tragedy that is the result of a breach.

Tragedy would get people's attention. So too would meaningful penalties for privacy and security violations. The punishments for violating privacy or neglecting security are not harsh enough to strike fear into executives' hearts.