29 May 2020
Mobile Applications: Common Vulnerabilities and Threats in 2020
In Brilliance Security Magazine, Dmitry Vyrostkov, Head of Security at DataArt, discusses the key vulnerabilities that DataArt identified in iOS and Android mobile applications during numerous security assessments.
«Insecure data storage was by far the most common security risk identified within the applications tested, with over 80% of those examined found to exhibit this risk, which threatens the privacy and security of legitimate users. Examples included the storage of credentials and sensitive data in plain text databases, which increases the risk of a leak.»
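The finding above is what an assessor sees after pulling an app's data directory (for example via `adb backup` or from a rooted test device): credentials and card data sitting in SharedPreferences XML and SQLite tables. The script below is an added example, not DataArt's tooling or any code from the original article. It assumes the standard Android layout of `shared_prefs/*.xml` and `databases/*.db` under the app data directory, and the key-name and token heuristics (`SENSITIVE_KEY`, `LOOKS_LIKE_TOKEN`) are assumptions to tune per assessment; the sample data directory it builds is constructed for the demo.

```python
"""Scan an extracted Android app data directory for plaintext credentials.

Added example for this page, not DataArt's assessment tooling. Assumes the
usual Android app data layout: shared_prefs/*.xml and databases/*.db.
"""
import os
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Key/column names that commonly hold secrets (an assumption; extend per app).
SENSITIVE_KEY = re.compile(r"(pass(word|wd)?|secret|token|api[_-]?key|card|cvv)", re.I)
# Values that look like a JWT, a long hex blob or a long base64 blob.
LOOKS_LIKE_TOKEN = re.compile(
    r"^(eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.|[A-Fa-f0-9]{32,}|[A-Za-z0-9+/]{32,}={0,2})"
)


def scan_shared_prefs(path):
    """Return (file, key, value) for sensitive-looking entries in a SharedPreferences XML."""
    hits = []
    root = ET.parse(path).getroot()
    for el in root:  # children of <map>: <string name=..>text</string>, <boolean name=.. value=../> etc.
        key = el.get("name", "")
        value = el.text if el.tag == "string" else el.get("value", "")
        if value and (SENSITIVE_KEY.search(key) or LOOKS_LIKE_TOKEN.match(value)):
            hits.append((os.path.basename(path), key, value))
    return hits


def scan_sqlite(path):
    """Return (file, table.column, value) for non-empty text in sensitive-looking columns."""
    hits = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
            for col in cols:
                if not SENSITIVE_KEY.search(col):
                    continue
                for (val,) in con.execute(f'SELECT "{col}" FROM "{table}"'):
                    if isinstance(val, str) and val:
                        hits.append((os.path.basename(path), f"{table}.{col}", val))
    finally:
        con.close()
    return hits


def scan_app_data(data_dir):
    """Walk shared_prefs/ and databases/ under an app data directory and collect findings."""
    hits = []
    prefs_dir = os.path.join(data_dir, "shared_prefs")
    db_dir = os.path.join(data_dir, "databases")
    if os.path.isdir(prefs_dir):
        for f in sorted(os.listdir(prefs_dir)):
            if f.endswith(".xml"):
                hits += scan_shared_prefs(os.path.join(prefs_dir, f))
    if os.path.isdir(db_dir):
        for f in sorted(os.listdir(db_dir)):
            if f.endswith(".db"):
                hits += scan_sqlite(os.path.join(db_dir, f))
    return hits


def build_sample_app_data():
    """Construct a fake app data directory that mimics a vulnerable app (sample data, not real)."""
    d = tempfile.mkdtemp(prefix="appdata_")
    os.makedirs(os.path.join(d, "shared_prefs"))
    os.makedirs(os.path.join(d, "databases"))
    with open(os.path.join(d, "shared_prefs", "session.xml"), "w") as fh:
        fh.write('<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n<map>\n'
                 '    <string name="username">alice</string>\n'
                 '    <string name="password">hunter2</string>\n'
                 '    <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln</string>\n'
                 '    <boolean name="remember_me" value="true" />\n</map>\n')
    con = sqlite3.connect(os.path.join(d, "databases", "wallet.db"))
    con.execute("CREATE TABLE cards (id INTEGER PRIMARY KEY, holder TEXT, card_number TEXT, cvv TEXT)")
    con.execute("INSERT INTO cards VALUES (1, 'alice', '4111111111111111', '123')")
    con.commit()
    con.close()
    return d


if __name__ == "__main__":
    for hit in scan_app_data(build_sample_app_data()):
        print("PLAINTEXT SECRET:", hit)
```

On the constructed sample this reports the password and auth token from the preferences file and the card number and CVV from the database, while ignoring the username and the `remember_me` flag. A clean result on a real app usually means secrets are in the Android Keystore or an encrypted store (such as EncryptedSharedPreferences) rather than absent; the script only finds what is readable in the clear.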
«Another common mistake was the usage of insecure snapshots. These are images that the operating system takes to remember the application’s current state prior to exiting. Sensitive data such as credit card numbers or private messages should be masked when creating these snapshots to avoid data leakage, but about 75% of applications failed on this count.»
«Every third vulnerability in Android mobile applications stems from configuration flaws. For instance, leaving backup enabled makes it possible to create a copy of application data that was created and managed by users. This vulnerability can be used by an attacker to fetch application data even on a device without root privileges.»
«The problem with legacy technologies is that eventually vendors stop supporting them. You are then stuck with frameworks and libraries that no longer receive critical security updates.»
«Just over a third of applications were found to exhibit vulnerabilities related to insecure data transmission and incorrect implementation of session management. Examples of insecure data transfer include missed Extended Validation certificate checks and the use of insecure HTTP communications. It should be noted that this flaw is far less common in iOS, probably due to the protective measures implemented in iOS 9.»
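The Android configuration flaws from two paragraphs back (backup left enabled) and the insecure-transport findings above both live in `AndroidManifest.xml`, so one static check covers both. The script below is an added example, not DataArt's tooling or code from the original article. It reads the `android:allowBackup`, `android:debuggable`, `android:usesCleartextTraffic` and `android:networkSecurityConfig` attributes on `<application>`, using the documented defaults (`allowBackup` defaults to true; cleartext traffic is permitted by default when `targetSdkVersion` is below 28). The two manifests embedded at the bottom are constructed for the demo. The iOS counterpart of the cleartext check is App Transport Security, introduced in iOS 9, which is presumably the protective measure the quote refers to.

```python
"""Audit an AndroidManifest.xml for backup and transport misconfigurations.

Added example for this page, not DataArt's tooling. The sample manifests are
constructed for the demo.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(el, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return el.get(f"{{{ANDROID_NS}}}{name}")


def audit_manifest(xml_text):
    """Return a list of (severity, finding) tuples for a manifest string."""
    findings = []
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        return [("high", "no <application> element found")]
    sdk = root.find("uses-sdk")
    target = int(_attr(sdk, "targetSdkVersion") or 0) if sdk is not None else 0

    # Backup: unset means enabled, so app data can be copied with adb backup without root.
    backup = _attr(app, "allowBackup")
    if backup is None or backup.lower() == "true":
        state = "unset (defaults to true)" if backup is None else "true"
        findings.append(("high", f"android:allowBackup is {state}: app data can be copied with adb backup without root"))

    if (_attr(app, "debuggable") or "false").lower() == "true":
        findings.append(("high", "android:debuggable=true: a debugger can attach to the app"))

    # Cleartext: explicit true, or unset on a target below API 28, permits plain HTTP.
    cleartext = _attr(app, "usesCleartextTraffic")
    if cleartext is not None and cleartext.lower() == "true":
        findings.append(("medium", "android:usesCleartextTraffic=true: plain HTTP permitted"))
    elif cleartext is None and target < 28:
        findings.append(("medium", "android:usesCleartextTraffic unset and targetSdkVersion < 28: plain HTTP permitted by default"))

    if _attr(app, "networkSecurityConfig") is None:
        findings.append(("low", "no android:networkSecurityConfig: no pinning or trust-anchor restrictions declared"))
    return findings


# Constructed sample: the weak configuration an assessor typically finds.
VULNERABLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bank">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="27"/>
  <application android:label="Bank" android:allowBackup="true" android:debuggable="true"
               android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

# Constructed sample: the corrected configuration.
HARDENED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bank">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="31"/>
  <application android:label="Bank" android:allowBackup="false"
               android:usesCleartextTraffic="false"
               android:networkSecurityConfig="@xml/network_security_config">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("vulnerable", VULNERABLE_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label)
        for severity, text in audit_manifest(manifest) or [("ok", "no findings")]:
            print(f"  [{severity}] {text}")
```

The vulnerable manifest yields four findings (backup, debuggable, cleartext, no network security config) and the hardened one yields none. The referenced `network_security_config` resource is not checked here; in a full review it should also be read, since a config that adds a user-installed CA as a trust anchor in release builds undoes much of the benefit.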
«In total, high-risk issues were found in about every third iOS application and about every second Android application. As many as 90% of all vulnerabilities discovered could be exploited using malicious applications without any need for physical access to the device. The main issues were connected with insecure data storage, different misconfigurations both on client and server sides, and weak user roles management.»
The original article can be found here.