Shocking report reveals high-risk vulnerabilities in 43% of Android apps and 38% of iOS apps

Positive Technologies, a security company, warns users to be careful before installing mobile applications on Android or iOS devices, as the vulnerabilities in them are being exploited.

Findings like these have been surfacing for many years: first in GPEN's 2014 study of app privacy failings, then in a 2017 investigation of stock trading application security, and in Arxan's 2019 look at banking and finance application security.

Positive Technologies tested 17 mobile applications thoroughly to check their security level, and found high-risk vulnerabilities in 43 percent of the Android apps and 38 percent of the iOS apps.

Insecure data storage, found in 76 percent of apps, is the most significant security risk identified.

For example, some apps verify PINs on the phone instead of on the server, which increases the risk of a leak.

This flaw was found in nearly 53 percent of applications.

According to the report, another frequent error is the use of insecure snapshots. The smartphone takes these images to record the app's current state when the user switches to a different app.

Applications should hide sensitive information, such as credit card numbers, when these snapshots are created in order to prevent data loss, but 65 percent of apps failed to do so.

35 percent of apps have insecure transmission of confidential data and incorrect session management flaws. Examples of insecure data transfer include the use of unencrypted HTTP communications.
"18 percent of applications do not restrict the number of authentication attempts."
According to the report, insecure data transfer is considerably less common on iOS, possibly because of the protective measures introduced in iOS 9.
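As an added example (not code from the report or the article), the Python class below shows the two fixes the statistics above point to: verifying the PIN on the server rather than on the phone, and limiting authentication attempts with a lockout. The `PinStore` class, its thresholds and the sample users are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

# Illustrative policy values (assumptions, not figures from the report).
MAX_ATTEMPTS = 5          # lock the account after this many consecutive failures
LOCKOUT_SECONDS = 300     # how long the lock lasts
PBKDF2_ROUNDS = 100_000   # work factor for the stored PIN hash


class PinStore:
    """Server-side PIN verification: hashes and failure counters never leave the server."""

    def __init__(self, clock=time.time):
        self._records = {}   # user -> {"salt", "hash", "failures", "locked_until"}
        self._clock = clock  # injectable so lockout expiry can be tested

    @staticmethod
    def _derive(pin: str, salt: bytes) -> bytes:
        # PBKDF2 slows down offline guessing if the database ever leaks.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)

    def enroll(self, user: str, pin: str) -> None:
        salt = os.urandom(16)
        self._records[user] = {
            "salt": salt,
            "hash": self._derive(pin, salt),
            "failures": 0,
            "locked_until": 0.0,
        }

    def verify(self, user: str, pin: str) -> str:
        """Return 'ok', 'bad_pin', 'locked' or 'unknown_user'."""
        rec = self._records.get(user)
        if rec is None:
            return "unknown_user"
        now = self._clock()
        if now < rec["locked_until"]:
            return "locked"          # refused even if the PIN is right
        candidate = self._derive(pin, rec["salt"])
        # compare_digest avoids leaking how many bytes matched through timing
        if hmac.compare_digest(candidate, rec["hash"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_ATTEMPTS:
            rec["failures"] = 0
            rec["locked_until"] = now + LOCKOUT_SECONDS
            return "locked"
        return "bad_pin"
```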

The most common flaw among these vulnerabilities is cross-site scripting (XSS), at 86 percent; poor authorization, leakage of sensitive information in error messages, and information leakage follow at roughly 43 percent each.

Examples of these flaws include returning a user's full name and phone number in a server reply during chat sessions.

Another significant server-side risk is misconfiguration. A server may have the HTTP TRACE method enabled, which echoes requests back to the user for debugging purposes.

If TRACE is enabled alongside an XSS vulnerability, the combination can allow hackers to steal cookies.
"Hackers love targeting mobile devices, which are rich with personal data and payment card information. [The report's] results indicate that developers of mobile applications often neglect security, with the main issue being insecure data storage. User information stored in clear [plain] text, unmasked data in screenshots, and keys and passwords in source code are just a few of the flaws that offer opportunities to cyberattackers."
Although developers are answerable for vulnerable apps, some users share the blame: they root their Android devices or jailbreak their iOS devices to customize the interface, despite the vendor's warnings. This can give applications unrestrained access to essential data and system interfaces.

"Use biometric authentication (fingerprint, voice, or face) if your device supports it," the report suggests.

Majority of smartphone apps have flaws allowing bad actors to steal data
