Original Post by: Michael Hill | Infosecurity Magazine: Deputy Editor | Published on: 05/10/2016
New research from mobile data security and management company Wandera has revealed further concerns surrounding the security of enterprise apps, a common talking point across the industry at the moment.
The firm’s latest report analyzes the top 10 most widely used mobile apps by employees around the world and unearths a whole host of security, storage and authorization weaknesses.
“In our increasingly mobile world, enterprises need to gain complete visibility in order to maintain control of their mobile data, ensure compliance and prevent mobile security threats,” said Eldar Tuvey, CEO of Wandera. “Security is an essential concern when it comes to mobile app development and it should not be sacrificed for the sake of speed and convenience.”
Wandera tested the apps using the Open Web Application Security Project (OWASP) Mobile Security Risks as a foundation and discovered that many companies are underinvesting in mobile security, which is putting sensitive data at risk.
PandaLabs technical director Luis Corrons told Infosecurity that app security is often not on companies' priority lists. Although most attacks currently go through computers rather than mobile devices, he said, this does not excuse mobile app developers from making their apps more secure: the weaker the apps are, the more likely they are to be targeted by hackers.
Key findings in the report include the worrying statistic that all 10 of the most commonly used apps fail to use secure data storage to protect personally identifiable information. Similarly, all of these apps are vulnerable to at least three of the OWASP Top 10 Mobile Risks.
Also, nine of the 10 apps do not use certificate pinning at all, which makes them more susceptible to man-in-the-middle attacks.
“Not using certificate pinning does increase the chances of man-in-the-middle attacks – a concerning security threat,” Corrons argued. “The attacker could create fake certificates and the app would believe it is the real one that could be used to compromise the device and its information.”
Furthermore, eight out of the 10 apps allow for the use of weak passwords and three allow the use of weak encryption.
“Using weak security (passwords/encryption) makes them [apps] more vulnerable to attack, and at some point a mobile app can be attacked to obtain some information that can be used to penetrate the company’s network to steal the real valuable information,” Corrons added.
Reference Article: http://www.infosecurity-magazine.com/news/numerous-security-flaws-found-in/