SAN FRANCISCO, Calif. – RSA Conference – March 1, 2016 – Hewlett Packard Enterprise (HPE) today published results from the HPE Mobile Application Security Report 2016 finding that more than half of mobile applications are collecting alarming quantities of data. The study leveraged HPE Security Fortify on Demand to scan more than 36,000 iOS and Android mobile apps, and revealed the impact of increasing data collection, as well as recommendations for how organizations, mobile application developers and enterprises can build security in to better protect their data.
As mobile applications become more prevalent in the work environment, it’s essential that organizations understand their security vulnerabilities and implement the mobile security best practices and policies required to protect today’s digital enterprise. Adversaries are shifting their focus to mobile platforms, with more than 10,000 new Android threats discovered per day in 2015 and an iOS malware growth rate of more than 230 percent[1].
“Modern mobile applications are collecting, transmitting and storing a wide range of data that often is not necessary to the application’s function, and can cause significant financial and reputational damage if a vulnerability is exploited,” said Jason Schmitt (@raidschmitt), vice president and general manager, HPE Security Fortify at Hewlett Packard Enterprise. “With attackers’ growing interest in mobile, it’s critical that developers build security into applications from the onset, and organizations take a proactive approach to data security to better protect both personal and corporate data.”
Top findings from the report
- A majority of mobile applications track your location, but not all of them need to. More than 50 percent of the scanned applications accessed geolocation data[2]. This has serious privacy implications in the event of an attack, since an attacker who obtains that data learns the physical location of otherwise anonymous, unsuspecting users. While it makes sense for a traffic application to track location, the study found that more than 70 percent of education applications on iOS did as well. This is disturbing, as education applications are often marketed towards children.
- Games and weather applications are collecting calendar data. HPE found that calendar data was accessed by more than 40 percent of the iOS games and more than 50 percent of the iOS weather apps scanned. Calendar data can be particularly sensitive, detailing not just when business meetings take place, but also the topics and invitees.
- Ad and analytics frameworks put your most sensitive data at risk. Ad and analytics frameworks are commonplace in application development, with more than 60 percent of applications scanned using these frameworks. A framework that is misconfigured – or insecure to begin with – could be storing or transmitting a significant amount of highly specific and potentially sensitive data about users.
- Logging methods can expose data to unauthorized third parties. During early development, logging is critical to finding and correcting buggy code, but once an application is running on a user’s device the same log statements become a disclosure vulnerability: anything written to the device log is available to whoever can read that log, including debugging tools and, depending on the platform and version, other applications. Approximately 95 percent of the applications scanned included logging methods.
Recommendations for Safe Usage of Mobile Applications
Mobile applications are here to stay, and developers, organizations and consumers alike should be cognizant of how this affects the security of personal and corporate data. HPE recommends the following to enterprises and consumers for safe development and usage of mobile apps:
- Build security in – start with secure code. The surest way of securing mobile applications is to code securely in the first place, and security test early and often. It’s significantly less expensive to build security into the development process than adding it to mobile applications already in production.
- Implement automated scans and penetration testing. Organizations should build a holistic security program that includes both application scanning and penetration testing. Automated scanning catches both simple and complex mobile application security mistakes at scale, while penetration testing determines which of the resulting vulnerabilities matter most.
- Select applications wisely. If an application wants access to information that it should not need or that you do not understand, do not use the application. This could expose everything from contact data to geolocation data, which may not be necessary for the application to function.
- Be wary of applications storing large amounts of data. Avoid using applications that appear to store a lot of data locally or access data that they shouldn’t.
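The logging finding and the automated-scanning recommendation above describe one problem from two sides: a log statement that was useful in development ships in the release build and writes sensitive data to a device log that other tooling can read, and a scanner should flag it before release. The following is an added example, not code from HPE and not how Fortify on Demand works. It is a small Python static check that takes a mapping of source paths to file contents (here two constructed Android and iOS snippets, not from any real app), flags logging calls whose arguments name sensitive data, and downgrades calls that are gated on a same-line debug flag. The sink list, the sensitive-identifier list and the gate heuristic are assumptions chosen for illustration.

```python
"""Static check for logging calls that carry sensitive data in mobile app source.

Added example for this page; not HPE's code and not how Fortify on Demand works.
The sink list, sensitive-identifier list and debug-gate heuristic are assumptions.
"""
import re
from dataclasses import dataclass

# Logging sinks to look for (assumption): android.util.Log, NSLog, Swift/Java print.
LOG_CALL = re.compile(
    r"\b(?:Log\.[vdiwe]|NSLog|System\.out\.print(?:ln)?|println|print)\s*\("
)

# Identifier fragments naming the data classes the report calls out
# (location, calendar) plus classic credentials (assumption).
SENSITIVE = re.compile(
    r"(?i)\b\w*(?:password|passwd|token|secret|session|cookie|"
    r"latitude|longitude|location|calendar|ssn|creditcard|email)\w*\b"
)

# A same-line debug gate lowers the risk, but the call still ships in the binary.
DEBUG_GATE = re.compile(r"BuildConfig\.DEBUG|#if\s+DEBUG")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    sink: str           # which logging call was hit, e.g. "Log.d" or "NSLog"
    identifiers: tuple  # sensitive-looking names on that line, sorted
    gated: bool         # True if the line also tests a debug flag

    @property
    def severity(self):
        return "medium" if self.gated else "high"


def scan_source(path, text):
    """Return one Finding per logging call whose line names sensitive data."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        call = LOG_CALL.search(line)
        if call is None:
            continue
        idents = tuple(sorted(set(SENSITIVE.findall(line))))
        if not idents:
            continue  # a log call, but nothing sensitive on the line
        sink = call.group(0).rstrip("( \t")
        findings.append(Finding(path, lineno, sink, idents, bool(DEBUG_GATE.search(line))))
    return findings


def scan_tree(sources):
    """sources maps a file path to its contents; returns findings for all files."""
    findings = []
    for path, text in sources.items():
        findings.extend(scan_source(path, text))
    return findings


def summarize(findings):
    """The counts a scanner report would lead with."""
    return {
        "high": sum(1 for f in findings if f.severity == "high"),
        "medium": sum(1 for f in findings if f.severity == "medium"),
        "files": len({f.path for f in findings}),
    }


# Constructed sample sources for the demo, not taken from any real app.
SAMPLE_SOURCES = {
    "app/src/main/java/com/example/LoginActivity.java": (
        "public class LoginActivity extends Activity {\n"
        "    void onLogin(String user, String password) {\n"
        '        Log.d(TAG, "login user=" + user + " password=" + password);\n'
        "        String sessionToken = api.login(user, password);\n"
        '        if (BuildConfig.DEBUG) Log.v(TAG, "token=" + sessionToken);\n'
        '        Log.i(TAG, "login ok");\n'
        "    }\n"
        "}\n"
    ),
    "App/Weather/CalendarSync.swift": (
        "func sync(events: [Event], location: Location) {\n"
        '    NSLog("syncing %d events at %@", events.count, location.description)\n'
        '    print("calendar title: \\(events.first?.title ?? "")")\n'
        "}\n"
    ),
}

if __name__ == "__main__":
    results = scan_tree(SAMPLE_SOURCES)
    for f in results:
        print(f"{f.severity:6} {f.path}:{f.line} {f.sink}() logs {', '.join(f.identifiers)}")
    print(summarize(results))
```

Run against the samples, the check reports three high findings (the password log, the NSLog of a location, the print of a calendar title), one medium finding (the token log gated on BuildConfig.DEBUG) and ignores the harmless "login ok" line. A debug gate is only a partial fix, since the call and its format string remain in the shipped binary; for Android the usual remediation is to strip the calls from release builds with an R8/ProGuard rule such as `-assumenosideeffects class android.util.Log { public static *** d(...); public static *** v(...); }`, and a line-by-line regex scanner like this one is a first pass, not a substitute for analysis of the parsed code or the built binary.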
The full methodology is detailed in the report. Additional information about HPE Security Fortify on Demand and other HPE Security solutions and services is available at the HPE Security website and at HPE booth No. 3411 at the RSA Conference 2016 this week in San Francisco. Keep up with conference happenings by following the hashtag #RSAC and @HPE_Security.
About HPE Security
HPE Security helps organizations protect their business-critical digital assets by building security into the fabric of the enterprise, detecting and responding to advanced threats, and safeguarding continuity and compliance to effectively mitigate risk. With an integrated suite of market-leading products, services, threat intelligence and security research, HPE Security empowers organizations to balance protection with innovation to keep pace with today’s idea economy. Find out more about HPE Security at https://www.hpe.com/us/en/solutions/security.html.
[1] HPE Cyber Risk Report 2016, HPE Security Research, February 2016, software analysis section, pages 54-63.
[2] HPE Mobile Application Security Report 2016.
This document contains forward-looking statements within the meaning of the safe harbor provisions of the Private Securities Litigation Reform Act of 1995. Such statements involve risks, uncertainties and assumptions. If such risks or uncertainties materialize or such assumptions prove incorrect, the results of Hewlett Packard Enterprise could differ materially from those expressed or implied by such forward-looking statements and assumptions. All statements other than statements of historical fact are statements that could be deemed forward-looking statements, including any statements of the plans, strategies and objectives of Hewlett Packard Enterprise for future operations; other statements of expectation or belief; and any statements of assumptions underlying any of the foregoing. Risks, uncertainties and assumptions include the possibility that expected benefits may not materialize as expected and other risks that are described in Hewlett Packard Enterprise’s filings with the Securities and Exchange Commission, including but not limited to the risks described in Hewlett Packard Enterprise’s Registration Statement on Form 10 dated July 1, 2015, as amended August 10, 2015, September 4, 2015, September 15, 2015, September 28, 2015 and October 7, 2015. Hewlett Packard Enterprise assumes no obligation and does not intend to update these forward-looking statements.