… but overlooked by app developers and enterprises alike
Recently, the Bitdefender Research team found a security flaw in Instapaper. The popular Android app allows users to save and store articles for reading, particularly when they’re offline, on the go, or don’t have Internet access. Users have to create an account to be able to check notes, liked articles or access other options. The vulnerability discovered lies not in how the app “fetches” content from the web, but in the fact that it doesn’t perform any certificate validation. This opens the door for man-in-the-middle attacks that could allow an attacker to use a self-signed certificate, start “communicating” with the app, and collect authentication credentials. Such an attack could have serious consequences, especially for those who use the same password for multiple accounts – they could have several accounts hacked into.
Bitdefender researchers have notified Instapaper’s development team about the vulnerability and they have since then released an update, resolving the issue. This can be considered a fortunate case, where the application makers can fix the vulnerability before the attacker can exploit it. But there have been less fortunate cases, and probably more to come, where a great number of Android and iOS applications have been found to have security flaws which can be exploited. Taking a step back and looking at the bigger enterprise picture - with thousands of mobile employees - one thing becomes clear: mobile application security can turn into a nightmare for businesses that are increasingly driven by BYOD trends.
Issue: mobile app (in)security makes enterprise data vulnerable to attacks
Last year, Gartner predicted that through 2015, more than 75% of mobile applications will fail basic security tests. As if to confirm Gartner’s predictions, a recent study by IBM & The Ponemon Institute shows that, of the 400 organizations studied, almost 40% do not scan the apps they develop for security vulnerabilities. Of those that do scan their apps before releasing them to market, only 15% test them as frequently as needed to be effective. And, even more worrisome, 50% of those that develop mobile apps do not allocate any budget at all to testing their applications for security vulnerabilities.
So what would be the reasons for such a reckless approach to mobile app development? As the study points out, the expanding customer demand or need for mobile apps creates a “rush-to-release” phenomenon which overlooks security vulnerabilities. At the same time, the importance of app usability and functionality often trumps security concerns.
Looking at the damage last year’s data breaches left in their wake, and considering how app security flaws can be leveraged in attacks, the reasons mentioned above seem trivial, if not selfish, excuses.
Especially if we consider another Gartner prediction that
“by 2017, the focus of endpoint breaches will shift to tablets and smartphones, and through 2017, 75% of mobile security breaches will be the result of mobile application misconfigurations, rather than the outcome of deeply technical attacks on mobile devices.”
These misconfigurations can range from HTTPS communication without certificate validation, as in the opening example, to lack of password encryption in transit or storage. Imagine if an employee used such flawed mobile apps to access enterprise data. Not only would that enable data leaks, but the company would also have a hard time identifying the leakage source.
Since previous Gartner predictions have already been confirmed, now would be the time to start making sure these don’t come true as well.
Solution: Raising awareness, and developing apps with security in mind
As we mentioned in a previous post, mobile application security, risk management and industry collaboration are imperative. Any and all innovations, including immensely helpful and user-friendly apps, need to be produced with security in mind, from initial project stages.
On the one hand, we have app developers that lack security expertise and are churning out mobile applications without implementing the necessary security protocols to ensure their products can run safely. If application developers lack security knowledge, they should get security training, scan their applications for security vulnerabilities, or get assistance to ensure their users are protected from mobile application flaws. Developing user-friendly apps that risk the security of your customers or enterprise data can only take you so far.
On the other hand, we have 90% of enterprises using third-party commercial applications for their mobile BYOD strategies. Considering the risks that these apps can pose, enterprises should make sure the mobile applications are properly tested and scanned (both at the client and the server level) for security issues before actually deploying them for employee use. Mobile security technologies can even be integrated into app-scanning solutions. At the same time, they should train employees on application security, and set up BYOD policies that thoroughly cover this aspect.
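As an added example, not code from the original post or from Instapaper, here is a Python script in the spirit of the app scanning recommended above: it flags the misconfigurations described earlier (a trust-all TrustManager, a HostnameVerifier that accepts every host, and credentials posted over plain http://) in Android/Java source. The Java snippets, the regexes and the host name api.example.test are constructed for illustration and the patterns are heuristics, not an exhaustive scanner.

```python
import re

# Heuristic patterns for the misconfigurations discussed above. These regexes
# are my own approximations (assumption), not an exhaustive or official scanner.
CHECKS = [
    ("trust-all TrustManager: checkServerTrusted has an empty body",
     re.compile(r"checkServerTrusted\s*\([^)]*\)[^{]*\{\s*\}", re.S)),
    ("HostnameVerifier that accepts every host",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER"
                r"|public\s+boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;", re.S)),
    ("credentials sent over plain http:// (no encryption in transit)",
     re.compile(r"http://[^\s'\"]*(login|auth|password|token)", re.I)),
]

def scan_source(src):
    """Return sorted (line_number, finding) pairs for every pattern hit in src."""
    findings = []
    for label, pattern in CHECKS:
        for m in pattern.finditer(src):
            line = src.count("\n", 0, m.start()) + 1
            findings.append((line, label))
    return sorted(findings)

# Constructed sample of a client that disables validation; the host name is fictional.
VULNERABLE = """\
TrustManager[] trustAll = new TrustManager[] { new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] c, String a) {}
    public void checkServerTrusted(X509Certificate[] c, String a) {}
    public X509Certificate[] getAcceptedIssuers() { return null; }
}};
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String host, SSLSession s) { return true; }
});
URL u = new URL("http://api.example.test/login");
"""

# Constructed hardened counterpart: the platform defaults validate the chain
# and the host name, so no custom TrustManager or HostnameVerifier is installed.
HARDENED = """\
URL u = new URL("https://api.example.test/login");
HttpsURLConnection conn = (HttpsURLConnection) u.openConnection();
"""

if __name__ == "__main__":
    for line, label in scan_source(VULNERABLE):
        print(f"line {line}: {label}")
    print("hardened findings:", scan_source(HARDENED))
```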
At the risk of repeating ourselves, awareness of potential app security risks for both individuals and companies is crucial in this increasingly mobile world.
A man in the middle attack does not always require a certificate. If Instapaper does not have a way of authenticating the user through a certificate, then the attacker can just intercept the communications from one host to another without hindrance. If the user name and password are not encrypted, then the attacker can intercept the transmission in the clear without hindrance.