A survey of popular applications has revealed that most have SQL injection flaws, store sensitive details unencrypted and have fragile backends.
According to IntegriCell president Aaron Turner, mobile applications carry so many vulnerabilities because every one of them, particularly free applications, has a backend API, and because so many developers use SQLite to implement storage without anyone checking whether it is secure.
In a survey of a number of applications that had versions for Apple and Android, Turner found that 35 per cent had SQL injection flaws, while 99 per cent had unencrypted data.
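As an added illustration of the SQLite injection flaw the survey counts (this is not code from the article or from any application Turner assessed), the following Python sqlite3 snippet puts the concatenated-query pattern beside its parameterized form; the users table, its rows and the lookup functions are all constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for an app's local SQLite store
# (not taken from the article or from any application it surveyed).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def open_sample_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_email_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Flawed pattern: the caller's input is spliced into the SQL text, so a
    quote character in the input can change the query's structure."""
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_email_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened pattern: a bound parameter is always treated as a value,
    never as SQL, whatever characters it contains."""
    query = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def demo() -> dict:
    """Run both lookups on a benign name and on a quote-bearing one and
    return the row counts, so the difference can be checked, not just read."""
    conn = open_sample_db()
    benign = "alice"
    # Textbook tautology input; it only has an effect on the flawed query.
    crafted = "x' OR '1'='1"
    return {
        "vulnerable_benign": len(lookup_email_vulnerable(conn, benign)),
        "vulnerable_crafted": len(lookup_email_vulnerable(conn, crafted)),
        "safe_benign": len(lookup_email_safe(conn, benign)),
        "safe_crafted": len(lookup_email_safe(conn, crafted)),
    }


if __name__ == "__main__":
    print(demo())
```

The flawed lookup returns every row for the crafted input, while the parameterized one returns none, which is the check a reviewer of an app's SQLite layer would want to see pass.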
Further analysis of the backends found that all of the applications assessed had web server and patch configuration flaws that would allow an attacker to take control of a server, while authentication bypass was possible in 79 per cent of applications. Unencrypted data was also present in 99 per cent of application backends.
Turner told SC Magazine that the errors were significant: an exposed application would allow an attacker to collect data from the handset and, if the handset was connected to a network, all of the data on that network too.
“I pointed the scanning tool at the application backend and did a simple scan and, as they were default Linux builds, I did the configuration and all of the administrator passwords were not changed,” he said.
“This is an issue of the lack of maturity of mobile application developers who are ‘not solving stupid’. Look at the ecosystem; once the backend has been attacked an attacker can use JSON to control the frontend also. There is no firewall to protect the user or application monitoring to do control, it is a complex backend and [there is] no security on either.”
Presenting this research at the RSA Conference in San Francisco last week under the title ‘mobile applications – the vulnerability tsunami is coming’, he recommended deploying a PIM container, as although it is not very good, “it is the best we have right now”.
Turner told SC Magazine that he had sought permission from the developers of the applications he assessed, first contacting them at the end of last year, but had not been given permission to independently analyse their applications. He admitted that this might have led to some false positives.