Mobile Apps

SPOTLIGHT ON SECURITY

97 Percent of Company Mobile Apps Are Insecure

Mobile apps for consumers have been criticized for gathering more information from users’ devices than they need. It seems, however, that mobile apps from companies fare no better.

Ninety-seven percent of some 2,000 mobile apps produced by 600 companies accessed at least one private information source on the device they were installed on, according to a report released Monday by HP.

Private data sources accessed by the apps included personal address books, social media pages and even connectivity options such as Bluetooth and WiFi. Worse yet, 86 percent of the apps failed to use simple protections against modern-day attacks.

“So many of these applications are really vulnerable to some kind of an attack,” Mike Armistead, HP vice president and general manager for enterprise security products, told TechNewsWorld.

Nonexistent Encryption

The extent of the vulnerabilities identified in the enterprise apps by HP’s Fortify software was an eye opener for Armistead.

“I was surprised it was so prevalent,” he said. “I thought it might be in the 60-70 percent range, but not 90 percent. The sheer numbers [are] frightening.”

Seventy-five percent of the apps did not use proper encryption when storing data on a mobile device, HP researchers also found.

“This 75 percent represents data that is accessible to anyone who has an unlocked powered-on phone in their possession,” the report says.

“Unencrypted data that is seen and used for malicious purposes by an attacker can violate numerous policies in a corporation’s governance as well as compromise the reputation of the enterprise if sensitive trade secrets are leaked to competitors, or the media,” it notes.

Companies producing apps that bear their name should pay more attention to security, Armistead cautioned.

“Everyone is making the same mistakes — not thinking of security when they’re doing the mobile app,” he said. “Today, it’s almost irresponsible not to think about the security side of an application.”

Printing Guns

A time-honored technique for building acceptance of a new technology has been to establish it in the public schools. Apple has used that technique in the past, and is doing so with its iPad in the present.

Now 3D printer makers appear to be embracing the strategy too. Last week, for instance, MakerBot raised the curtain on a program designed to put a 3D printer in every school in America.

It’s undeniable that 3D printers can be a valuable tool for teaching science, math and engineering, but they also have managed to garner some notoriety as a means for producing gun parts. In the current climate in America, combining the words “guns” and “schools” can detonate an explosive reaction among parents.

Nevertheless, advocates for expanded use of 3D printers in public schools believe most parents will be cool about the technology.

“3D printers aren’t going to be available for kids to use unless you have a teacher’s supervision and approval,” John Westrum, vice president of Afinia, told TechNewsWorld.

If students wanted to make a gun, metal shop might be a better place to do it. “Metal is a much better way to make a weaspon like that,” Jesse Roitenberg, education manager for Stratasys, told TechNewsWorld.

“I wouldn’t shoot a plastic gun with a real bullet. There’s always going to be people that push the envelope in a negative way,” he added.

Breach Diary

  • Nov. 11. Ireland’s Road Safety Authority discloses it’s investigating reports that visitors to the National Driver License website are able to see personal data about drivers maintained at the site when trying to send email through the “contact us” function at the location.
  • Nov. 12. Data breach at Loyaltybuild in Ireland compromises personal information for more than 1.5 million people. The company manages customer loyalty programs across Europe.
  • Nov. 12. Facebook forces an unspecified number of users to reset their passwords after the social network discovered the passwords were compromised in a data breach of Adobe’s computer systems. Early in October, hackers pinched from Adobe a file containing 150 million user names and encrypted passwords, but only 38 million active users were affected by the breach, according to the company.
  • Nov. 12. Trend Micro reports that 200,000 new banking infections were discovered in the calendar quarter ending in September, the highest number for a single three-month period the company has recorded in 11 years.
  • Nov. 12. MacRumors online forums breached and some 860,000 accounts compromised. According to MacRumors the break-in was similar to one at the Ubuntu forums in July. Although passwords stolen by the intruders were hashed, MacRumors recommends its users change their passwords to be safe.
  • Nov. 12. Microsoft recommends its customers retire and deprecate RC4 encryption because it has become too easy to crack. It also recommends that certificate authorities and others stop using the SHA-1 algorithm for signing certificates because it has become susceptible to a number of known attacks.
  • Nov. 13. Cisco CEO John Chambers at earnings announcement says reports of NSA online spying has had an impact on the company’s business in China.
  • Nov. 13. At Pwn2Own hacking contest in Tokyo, ethical hackers demonstrate vulnerabilities in iOS and Samsung Galaxy S4. iOS 6.1.4 flaw allows cookies to be stolen from a phone when visiting a malicious website; iOS 7.0.3 vulnerability lets photos to be extracted from the phone at an infected Web page. The Samsung defect permitted a drive-by attack on the phone from the Internet.
  • Nov. 14. The New York Times reports CIA is secretly collecting bulk records of international money transfers, as those made through Western Union, under the same law used by the NSA to indiscriminately collect and store phone records of Americans.

Upcoming Security Events

  • Nov. 18-20. Gartner Identity & Access Management Summit. JW Marriott at L.A. Live, 900 West Olympic Boulevard, Los Angeles, Calif. Registration: Early Bird to Sept. 27, $2,075; Standard, $2,375; Public Sector, $1,975.
  • Nov. 20. SC Congress Chicago 2013. 8:30 a.m.-7 p.m. CT. Chicago. Full Day Pass: $250.
  • Nov. 20. Protecting 3G/4G Mobile Networks from DDoS Attacks. 11 a.m. ET. Webinar sponsored by Arbor Networks. Free with registration.
  • Nov. 21. Data Driven Web Application Security. 2 p.m. ET. Black Hat Webcast Series. Free with registration.
  • Dec. 4-5. MENA Business Infrastructure Protection 2013 Summit (Risk Management and Security Intelligence for companies in the Middle East and North Africa). Dubai.
  • Dec. 9-12. Black Hat Training Sessions. Washington State Convention Center, Seattle, Wash. “The Art of Exploiting Injection Flaws,” $1,800 by Oct. 24; $2,000 by Dec. 6; $2,300 thereafter. “The Black Art of Malware Analysis,” $3,800 by Oct. 24; $4,000 by Dec. 5; $4,300 thereafter. “CNSS-4016-I Risk Analysis Course,” $3,800 by Oct. 24; $4,000 by Dec. 5; $4,300 thereafter.
  • Dec. 9-13. Annual Computer Security Applications Conference (ACSAC). Hyatt French Quarter, New Orleans.
  • Jan. 20-21, 2014. Suits and Spooks. Waterview Conference Center, Washington, D.C. Registration: Sept. 20-Oct. 20, $415; Oct. 21-Dec. 1, $575; after Dec. 1, $725.
  • Feb. 17-20, 2014. 30th General Meeting of Messaging, Malware and Mobile Anti-Abuse Working Group. Westin Market Street, San Francisco. Members only.
  • March 25-28, 2014. Black Hat Asia. Marina Bay Sands, Singapore. Registration: by Jan. 24, $999; by March 21, $1,200; by March 28, $1,400.

John Mello is a freelance technology writer and former special correspondent for Government Security News.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Mobile Apps

Technewsworld Channels