
Three out of every ten Android apps inadvertently disclose sensitive user information.

Over a third of Android apps and more than half of iOS apps are found to transmit sensitive data through insecure APIs and use hardcoded secrets.

Over a third of Android apps unintentionally disclose private user information

In the rapidly evolving digital landscape, the latest Zimperium Global Mobile Threat Report, published today, underscores the need for enhanced security measures in the mobile app sector. The report emphasises that traditional perimeter defenses, such as firewalls, API gateways, and web application firewalls, cannot tell whether traffic originates from a genuine app or from a tampered clone.

Protecting APIs, according to Zimperium's report, should begin within the mobile app itself. The report ties this recommendation to the discovery of several mobile apps with weak security following a major supply-chain attack involving the Sparkcat malware. This malware infiltrated legitimate apps, including food delivery, crypto wallet tools, and news readers from various developers, which were available on official Android and iOS stores and were downloaded over 242,000 times before removal.

The report also reveals that nearly one-third of Android finance apps and one-fifth of iOS travel apps remain open to man-in-the-middle attacks, despite SSL pinning. This vulnerability could potentially allow attackers to manipulate API behavior, extract secrets, and exploit device-level controls.

David Matalon, CEO at Venn, agrees that the traditional perimeter is gone and a shift in strategy is required from securing the device to securing the work itself. Randolph Barr, CISO at Cequence Security, echoes this sentiment, emphasising the need for mobile devices to have basic protections for both organisations and users.

The report further highlights that client-side weaknesses are fueling new avenues for attack on mobile applications. Attackers can spoof identity, location, and device identifiers, making malicious API calls look legitimate. To combat this, API hardening involves protecting endpoints, tokens, and business logic with obfuscation, secure storage, and runtime defenses.

Moreover, the report finds that many enterprise mobile apps still lack basic protections such as code obfuscation, secure storage, and updated third-party libraries. Vishrut Iyengar, senior solutions manager at Black Duck, points out this as a significant concern.

The report also sheds light on the prevalence of rooted or jailbroken devices, with one in 400 Android devices rooted, and one in 2500 iOS devices jailbroken. These devices, which bypass security measures, are more susceptible to malware and other threats.

Ensuring a screen lock is enabled, updates are applied in a timely manner, and devices are not rooted or jailbroken are minimum protections, according to the report. However, it also warns that these weaknesses remain exploitable even in managed enterprise environments.

The report further states that one in three Android apps and more than half of iOS apps leak data that can be exploited. Nearly half of all apps still contain hardcoded secrets such as API keys. These findings underscore the need for a more robust approach to mobile app security.
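Finding the hardcoded secrets the report refers to is a static check a team can run over a decoded app's resources before release. The following is an added example, not code from the report or from Zimperium: the resource files, key names and values are constructed (the Google-style key is a fake shaped like the real format, the AWS value is AWS's own documentation placeholder), and the patterns and entropy threshold are assumptions.

```python
import math
import re

# Constructed sample of decoded app resources (not taken from any real app).
FAKE_GOOGLE_KEY = "AIzaSyEXAMPLE" + "0" * 25 + "Q"           # "AIza" + 35 chars
FAKE_AWS_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"  # AWS doc placeholder
FAKE_TOKEN = "c7Hq2Lp9vXz4Wm8nKt3Rb6Yd1Sf5Gj0A"              # random-looking, made up
SAMPLE_RESOURCES = {
    "res/values/strings.xml": (
        '<resources>\n'
        '  <string name="app_name">Demo Wallet</string>\n'
        '  <string name="api_base">https://api.example.com/v1</string>\n'
        f'  <string name="maps_key">{FAKE_GOOGLE_KEY}</string>\n'
        '</resources>\n'
    ),
    "assets/config.properties": (
        f"environment=prod\nfeature.flag=true\naws_secret_access_key={FAKE_AWS_SECRET}\n"
    ),
    "assets/env.json": f'{{"session_token": "{FAKE_TOKEN}"}}',
}

# Known credential formats that should never be compiled into an app.
PATTERNS = {
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_-]{35}"),
    "aws_secret_key": re.compile(r"(?i)aws_secret_access_key\s*=\s*([A-Za-z0-9/+=]{40})"),
}
# Fallback: a secret-looking name assigned a long value (XML attribute, key=value or JSON).
GENERIC = re.compile(r'(?i)(secret|token|password|key)[^=:>\n]*[=:>]\s*"?([^"<\s]{20,})')
ENTROPY_THRESHOLD = 3.5  # bits per character (assumed); random keys sit well above this

def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of the string."""
    n = len(value)
    return -sum(value.count(c) / n * math.log2(value.count(c) / n) for c in set(value))

def scan_resources(resources: dict) -> list:
    """Return (path, kind, value) for every likely hardcoded secret in the resources."""
    found = {}  # (path, value) -> kind; keyed so a value is reported once
    for path, text in resources.items():
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(text):
                found.setdefault((path, m.group(m.lastindex or 0)), kind)
        for m in GENERIC.finditer(text):
            value = m.group(2)
            if (path, value) not in found and shannon_entropy(value) > ENTROPY_THRESHOLD:
                found[(path, value)] = "high_entropy_value"
    return [(path, kind, value) for (path, value), kind in found.items()]

if __name__ == "__main__":
    for path, kind, value in scan_resources(SAMPLE_RESOURCES):
        print(f"{path}: {kind} -> {value[:8]}...")
```

Run it against the output of an APK/IPA decoder (strings, assets, plists) as a release gate; a hit means the value must move to a server-side exchange or a per-install token rather than into the binary.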

In conclusion, the Zimperium Global Mobile Threat Report serves as a stark reminder of the persisting security vulnerabilities in the mobile app sector. The report calls for a shift in strategy from securing the device to securing the work itself, emphasising the need for API hardening, basic protections for mobile devices, and a more proactive approach to mobile app security.
