Researchers report that the vast majority of mobile applications tested allow access to users’ private data stored on the device, leaving users at risk of data loss from vulnerabilities.
After scanning 2,107 applications offered by 601 different developers, the researchers found that 97% were designed to access private data, some for legitimate reasons and some apparently just because they could.
Of the applications that did access the data, the researchers also found that many had vulnerabilities in their code that could lead to data loss, with 86% lacking binary protections, which can help prevent memory overflow attacks and the reverse engineering of the application’s code.
“While some of these apps may have a legitimate reason to access private information, the addition of security vulnerabilities puts that private information at risk,” said HP’s Maria Bledsoe of the report findings.
The researchers also found that developers were not implementing Secure Sockets Layer (SSL) encryption protocols correctly: 82% made the attempt, but only 18% actually did it correctly.
“The key point is that developers should use their operating system’s recommended method of encrypting data as opposed to writing to the file system without encryption or using a custom implementation,” Bledsoe said.
Many of the flaws could and should have been detected before the applications reached the marketplace by running a thorough security assessment, but according to the data this practice has not become the norm.
“By prioritizing security early in the application development, security flaws can be resolved before deployment,” said Bledsoe.