So you think apps in the app store are safe?
A classic example of misconfiguration is the misuse of personal cloud services through apps residing on smartphones and tablets
By Prateek Panda, 19 Aug 2014
Today’s world, without doubt, is a world empowered by high-tech devices. In fact, we’ve almost reached the stage where mobile phones will outnumber humans! According to a Gartner report, nearly 2.2 billion mobile phones and tablets will be sold to end users in 2014 alone. While all this does sound great, there is also a dark side to it.
The True Story
As the number of handheld devices is growing, security is increasingly becoming a major concern. We all know the PR disaster that major app owners like SnapChat and Starbucks had to go through. If you missed that, then here’s what happened.
On 16 January 2014, the Starbucks app, which is one of the most used applications in the US with 10 million customers, was found to be storing user credentials in plain text format. When news broke that user data had been compromised, three million people deleted the app from their mobile devices. In 24 hours, the app fell from fourth highest grossing app to number 26. Starbucks scrambled to release an update later that week, but it was too late.
The same month, an internet group hacked into Snapchat and released the usernames and phone numbers of 4.6 million Snapchat users! And this is from a company that is valued at over US$3 billion.
These may be the only leaks that have been made public to date. If this data could be exploited, other kinds of data may also have been breached but simply not disclosed yet.
“You still think that the mobile applications you are using are safe? Well, think again!”
The Real Problem
Research published by Appknox has revealed that 80 out of the Top 100 apps in the world’s major app stores have security vulnerabilities. A Gartner report said that by 2017, 75 per cent of mobile security breaches will be the result of mobile application misconfiguration.
“Mobile security breaches are — and will continue to be — the result of misconfiguration and misuse on an app level, rather than the outcome of deeply technical attacks on mobile devices,” said Dionisio Zumerle, principal research analyst at Gartner. “A classic example of misconfiguration is the misuse of personal cloud services through apps residing on smartphones and tablets. When used to convey enterprise data, these apps lead to data leaks that the organization remains unaware of for the majority of devices.”
If you believe in numbers, here’s what Arxan’s research determined:
Amongst the top 100 paid applications:
- 100 per cent of apps on the Google Android platform had been hacked
- 56 per cent of apps on Apple iOS had been hacked
Amongst popular free applications:
- 73 per cent on Android had been hacked
- 53 per cent on Apple iOS had been hacked
Mobile apps are the big thing today; in a lot of cases they are a necessity. The problem is that mobile app coders tend to be junior, feature-oriented, and inexperienced in secure coding practices. The industry’s stance on security tends to be reactive, paying attention only when a data theft occurs or a vulnerability is disclosed by a third-party hacker. Public embarrassments lead to public backlash, massive and distracting cleanup jobs, a loss of consumer confidence in mobile apps, and possibly even a drop in stock price.
This is precisely why it is imperative for all stakeholders to wake up to the importance of security, because it’s always better to be safe than sorry.
The views expressed are of the author, and e27 may not necessarily subscribe to them.
e27 invites members from Asia’s tech industry and startup community to share their honest opinions and expert knowledge with our readers. If you are interested to share your point of view, please send us an email to writers[at]e27[dot]co.
Appknox (Singapore) is a mobile security company that helps businesses and developers make their mobile apps more secure. They not only find security vulnerabilities but also suggest ways to fix them.