Mobile App Security Study
Data (in)security is rapidly gaining consumer attention in major media. In 2011, major breaches at Sony, Epsilon and others highlighted the risk consumers face when their data is compromised. Major corporations are now recognizing the urgency of implementing strong and innovative security measures to protect their customers’ data.
At the same time, both Apple and Google have seen stunning growth in the past few years and now dominate the smartphone market. Companies and app developers have leveraged these platforms to provide new mobile services, often bringing them to market very quickly. But what steps have the smartphone OS providers and app developers taken to secure the data on their customers’ smartphones?
At viaForensics we believe in proactive forensics – applying the power of forensic methods proactively to improve digital security. With appWatchdog we utilize forensic techniques to investigate consumer mobile apps and understand what user data is stored and could be at risk.
This white paper summarizes our findings for the first 100 tests, from November 2010 through June 2011.
What’s at Risk?
Smartphones today handle a great quantity of private and sensitive data, in a highly portable, network-connected mobile computer. The data stored and transmitted can include security credentials, personal financial information, private communications, sensitive company data and more.
The appWatchdog tests focus on what is stored on the device. Smartphone apps handle usernames, passwords and private app data, all of which should be stored securely or not at all. In the event of a lost device or malware infection, data stored insecurely can be compromised.
Other aspects of mobile app security, including secure communications, coding practices and resistance to malicious attacks, are also very important. The full scope of viaForensics’ appSecure mobile audits and certification includes comprehensive testing beyond the scope of the appWatchdog study.
So how at risk is the everyday iPhone or Android user? If a person loses their smartphone and it falls into the hands of a cybercriminal, how great is the risk of identity or financial theft due to the data stored on the device?
Information stored by smartphones such as contacts, text messages and e-mails would generally be accessible to the cybercriminal; this is probably not surprising to most people. But what about your bank account login from your favorite financial app, or your Netflix username and password? Does the thief have access to that information as well?
App developers have significant control over what they store on mobile devices and how they store it. They can avoid storing data of a sensitive nature altogether, and they have the ability to add their own layer of encryption beyond what the mobile platform already provides.
viaForensics has created the appWatchdog service to determine how popular apps store sensitive data. The results have been alarming at times, as many developers store sensitive data in plain text. We release our findings to the public on our Web site to help inform consumers about the apps they may be using.
Note: The application developers are notified in advance before we post our findings and viaForensics works with the developers, if they wish, to mitigate the identified issues.