Mobile App Security Study

Data (in)security is rapidly gaining consumer attention in major media. In 2011 major breaches at Sony, Epsilon and others have highlighted the risk consumers face from their data being compromised. Major corporations are now recognizing the urgency to implement strong and innovative security measures to ensure the security of their customers’ data.

At the same time, both Apple and Google have seen stunning growth in the past few years and now dominate the smartphone market. Companies and app developers have leveraged these platforms to provide new mobile services, often bringing them to market very quickly. But what steps have the smartphone OS providers and app developers taken to secure the data on their customers’ smartphones?

At viaForensics we believe in proactive forensics – applying the power of forensic methods proactively to improve digital security. With appWatchdog we utilize forensic techniques to investigate consumer mobile apps and understand what user data is stored and could be at risk.

This white paper summarizes our findings for the first 100 tests, from November 2010 through June 2011.

What’s at Risk?

Smartphones today handle a great quantity of private and sensitive data, in a highly portable, network-connected mobile computer. The data stored and transmitted can include security credentials, personal financial information, private communications, sensitive company data and more.

The appWatchdog tests focus on what is stored on the device. Smartphone apps handle usernames, passwords and private app data, all of which should be stored securely or not at all. In the event of a lost device or malware infection, data stored insecurely can be compromised.

Other aspects of mobile app security, including secure communications, coding practices and resistance to malicious attacks, are also very important. The full scope of viaForensics’ appSecure mobile audits and certification includes comprehensive testing beyond the scope of the appWatchdog study.

Consumer Risk

So how at risk is the everyday iPhone or Android user? If a person loses their smartphone and it falls into the hands of a cybercriminal, how great is the risk of identity or financial theft due to the data stored on the device?

Information stored by smartphones, such as contacts, text messages and e-mails, would generally be accessible to the cybercriminal; this is probably not surprising to most people. But what about your bank account login from your favorite financial app, or your Netflix username and password? Does the thief have access to that information as well?

Enter appWatchdog

App developers have significant control over what they store on mobile devices and how they store it. They can avoid storing data of a sensitive nature, and they have the ability to add their own layer of encryption beyond what is already provided by the mobile platform.

viaForensics has created the appWatchdog service to determine how popular apps store sensitive data. The results have been alarming at times, as many developers store sensitive data in plain text. We release our findings to the public on our Web site to help inform consumers about the apps they may be using.

Note: The application developers are notified in advance before we post our findings and viaForensics works with the developers, if they wish, to mitigate the identified issues.
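The appWatchdog method in miniature, as an added example that is not viaForensics’ own code: log in with a known test account, then search the app’s on-device storage for the credentials in plaintext or trivially reversible encodings and assign the Pass/Warn/Fail rating used in the findings. The directory layout, the test account and the rating criteria are assumptions.

```python
import base64
import os
import tempfile

# Constructed test account. appWatchdog tests apps with real accounts, so the
# auditor knows exactly which values to look for in the app's on-device storage.
TEST_USER = "watchdog_user"
TEST_PASS = "S3cret-Passw0rd"

def recoverable_forms(value):
    """Plaintext plus trivially reversible encodings an audit should also flag."""
    raw = value.encode()
    return (raw, base64.b64encode(raw), raw.hex().encode())

def scan_app_storage(root):
    """Walk an app's data directory (prefs, databases, caches) and record every
    file from which the test username or password can be recovered."""
    hits = {"password": [], "username": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()  # a bytes search also covers binary SQLite files
            for label, secret in (("password", TEST_PASS), ("username", TEST_USER)):
                if any(form in data for form in recoverable_forms(secret)):
                    hits[label].append(os.path.relpath(path, root))
    return hits

def rate(hits):
    """Assumed rating rule (the page names the ratings, not the criteria):
    password recoverable -> Fail, only username -> Warn, neither -> Pass."""
    if hits["password"]:
        return "Fail"
    if hits["username"]:
        return "Warn"
    return "Pass"

def build_sample_app_dir():
    """Constructed sandbox: plaintext username in a prefs file and a
    base64-encoded password in a cache file, mimicking a failing app."""
    root = tempfile.mkdtemp(prefix="appwatchdog_")
    os.makedirs(os.path.join(root, "shared_prefs"))
    os.makedirs(os.path.join(root, "cache"))
    with open(os.path.join(root, "shared_prefs", "login.xml"), "w") as f:
        f.write('<string name="user">%s</string>\n' % TEST_USER)
    with open(os.path.join(root, "cache", "session.dat"), "wb") as f:
        f.write(b"token=" + base64.b64encode(TEST_PASS.encode()))
    return root
```

Running `rate(scan_app_storage(build_sample_app_dir()))` on the constructed sandbox yields Fail, because the password is recoverable from the cache file despite the base64 encoding.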

05-29-12
Google and Apple

Google Android

In February of 2011, Google released the 3.0 version of the Android OS, dubbed Honeycomb, as the first Android OS to offer encryption on the user partition of the Android device. Honeycomb, however, is only available on tablets, meaning that Android smartphone owners do not yet have access to it. Android secures the…

Testing Process and Ratings

As of June 2011 viaForensics has tested 100 popular consumer app versions for iPhone and Android from the following categories: Social Networking, Finance, Productivity and Retail. Some apps have been tested in multiple versions as developers respond to the appWatchdog findings.

Install: We obtain the apps the usual way: we download them from the iTunes…

Findings: Financial Apps

Financial apps are changing many consumers’ everyday banking habits. They allow users to access account information on the go, from almost anywhere. In order to test financial apps for appWatchdog, we only used financial apps for which we have actual accounts. This allowed us to fully utilize the applications.

Fail – 25%, Warn – 31%,…

Findings: Social Networking Apps

These are some of the most popular apps for iPhone and Android. They are very easy to use and represent some of the most heavily downloaded and frequently utilized apps.

Fail – 74%, Warn – 26%, Pass – 0%

Social networking apps are inherently different from Financial apps, in that much of the information populated…

Findings: Productivity Apps

Productivity apps are intended to help users be more productive in their day-to-day lives. Apps like K-9 Mail for Android allow users to access a variety of email accounts from one central app, while WordPress enables users to update a blog while away from their computers. The results of our testing show that Productivity…

Findings: Retail Apps

Retail apps are very convenient, allowing users to find and buy products from retailers like Best Buy and Amazon. The potential risk that exists with such purchases is that the user must enter personal information, and sometimes a credit card number, in order to complete the purchase. Consumers certainly expect that retailers providing mobile apps handle…

Findings: Overall

Summarizing across the categories, only 17% of apps received a complete Pass rating, while 83% received either a Fail or a Warn. The findings indicate that, in general, mobile applications presently store sensitive user data unencrypted a high percentage of the time.

Fail – 39%, Warn – 44%, Pass – 17%

The categories of application…

Conclusions

So how at risk is someone whose smartphone is lost, stolen or compromised by an attacker through malware or a direct attack? Based on the results of this study, there is a serious potential threat for identity or financial theft if a lost smartphone should fall into the wrong hands. For instance, if a cybercriminal…
