Mobile Apps Remain Vulnerable For Months - InformationWeek

Developers are failing to respond quickly to reports of security flaws, Trojans are infecting corporate devices at an alarming rate, and even mundane data about your device's power consumption could threaten your privacy.

As if we needed more to worry about when it comes to cyber-security, three recent reports highlight the frailty of mobile devices and mobile apps. Each of the reports -- from McAfee Labs, Lacoon Mobile Security in partnership with Check Point, and Stanford University, working with Rafael Advanced Defense Systems Ltd -- focuses on key deficiencies in mobile security.

According to the McAfee Labs Threat Report for February 2015, mobile developers have failed to patch critical secure sockets layer (SSL) vulnerabilities months after the vulnerabilities were disclosed.

Last month, McAfee Labs tested 25 of the most popular Android apps on CERT's list of vulnerable mobile apps and found that 18 of them remain unpatched despite public disclosure and vendor notification. Out of more than 1 million Android apps tested by CERT using automated scans, at least 23,000 have failed dynamic SSL validation testing.

McAfee simulated a man-in-the-middle (MitM) attack and managed to successfully intercept information such as login credentials during supposedly secure sessions. The Superfish adware that Lenovo installed on some of its laptops from September through December 2014 has been criticized because it enables attacks of this sort.

"Mobile app developers must take greater responsibility for ensuring that their applications follow the secure programming practices and vulnerability responses developed over the past decade," said Vincent Weafer, SVP of McAfee Labs, in a statement.

(Image: karanj -- CC BY-SA 2.0)

Developers also need to be aware that vulnerabilities may be introduced through third-party analytics libraries. Among 10 analytics libraries found to be vulnerable by CERT, only 4 have been fixed.

McAfee Labs is not alone in its view that mobile devices are insufficiently secure. Last week, Lacoon Mobile Security and Check Point Software Technologies issued a report noting that one out of every 1,000 mobile devices on enterprise networks has been compromised by a mobile remote access Trojan (mRAT). The report suggested that for organizations with at least 2,000 devices, there's about a 50% chance that the internal corporate network itself has been infected with some form of malware.

Lacoon and Check Point said fewer organizations than expected appear to be infected by mRATs, but added that higher than average rates of mRAT infection in certain regions, such as the US, indicate that specific individuals and companies are being targeted. Coming in the wake of the massive Anthem breach, that should prompt some concern.

To further underscore the frailty of mobile security, researchers at Stanford University and Rafael Advanced Defense Systems Ltd. have found that developers can bypass restrictions on location data by tracking mobile power usage over a period of a few minutes.

The researchers note in their paper that there are 179 Android apps in the Google Play store with the permissions necessary to access voltage and current data. Most, if not all, of these apps presumably use the data for legitimate purposes, such as assessing battery life. But were the developers of these apps determined to track where people go, they could employ the techniques described in the paper to infer the user's location history from power consumption data.

Such research raises the possibility that other seemingly innocuous data could be used to compromise privacy and security. It also amplifies related findings about how privacy often can be pierced by correlating a few salient bits of data.

Mobile security, in short, is a moving target, one that's increasingly hard to keep up with.

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...
User Rank: Author
2/25/2015 | 12:09:15 PM
The weaknesses are multiplying

Unfortunately you are highlighting what is becoming a theme: the vulnerabilities we are all facing every day and the cybersecurity downfalls that don't seem to have enough attention from corporations or government. I fear that these issues won't receive proper attention until we have a tragedy that is the result of a breach.

Thomas Claburn
User Rank: Author
2/25/2015 | 3:36:19 PM
Re: The weaknesses are multiplying
>I fear that these issues won't receive proper attention until we have a tragedy that is the result of a breach.

Tragedy would get people's attention. So too would meaningful penalties for privacy and security violations. The punishments for violating privacy or neglect of security are not harsh enough to strike fear into executives' hearts.