With hacking episodes becoming more public and as the impact on businesses grows, mobile application hacking is seeing a growth in numbers as well as in techniques. Checkmarx and AppSec Labs have released a report, The State of Mobile Application Security 2014-2015, to test app vulnerabilities. Hundreds of banking, utilities, retail, gaming and security-oriented mobile applications were tested.
Across the hundreds of applications tested, the average was 9.041 vulnerabilities per application, counting all severity levels. Thirty-eight percent of the exposed vulnerabilities fall under the critical or high severity levels, which works out to about 3.435 critical or high vulnerabilities per app.
Half of the vulnerabilities are either personal/sensitive information leakage (27 percent) or authentication and authorisation (23 percent). The remaining vulnerabilities break down into configuration management (16 percent), information disclosure (14 percent), cryptography weaknesses (eight percent), availability (seven percent) and input validation handling (five percent). Each category was further broken down by severity across all reported instances.
Comparing iOS with Android, 40 percent of the vulnerabilities detected in iOS-tested applications were found to be of critical or high severity, against 36 percent of those detected in Android-tested applications. The vulnerability profiles of iOS and Android applications are almost identical, casting doubt on the common myth that iOS is more secure than Android.
Developer awareness of application security, and of implementing secure coding best practices on mobile platforms, is still lacking. The levels of risk detected represent a real threat to the integrity of most mobile applications.
Researchers predict an increase in major hacks in the mobile application world in the near future unless secure coding practices improve. They advise starting to address mobile application security by integrating secure coding best practices; educating developers to protect their own apps; testing application code before it's too late or too expensive to make changes; and not relying on external security mechanisms when the app itself can be developed with internal resilience at its centre.