Over the last decade, mobile apps evolved into critical business assets that help organizations generate revenue, support customer relationships and gain insights to improve operations. It should be no surprise that SmartInsights found that users spend more than 80% of their mobile activity time within mobile apps. Despite the continuous growth in mobile activity, many businesses still fail to prioritize the security and privacy of their mobile apps.
NowSecure and Coalfire recently collaborated on the 4th Annual Penetration Risk Report, with NowSecure analysts finding that businesses across a wide range of industries still fall short in improving their mobile app security and privacy measures. In fact, NowSecure discovered that 99% of all tested Android and iOS mobile apps have security or privacy issues that fail the OWASP Mobile Application Security Verification Standard (MASVS). This blog will highlight the key findings of the analysis, the most common issues among unsecure mobile apps and solutions to help mobile app security teams improve their security and privacy measures.
Scope and methodology
Over the past three years, NowSecure has evaluated over 5,500 Android and iOS mobile apps across 13 vertical industry segments: airline, automotive, banking & finance, energy, fintech & insurtech, gig economy, healthcare, high tech, Internet of Things (IoT), pharma, retail, social media, and travel. Apps in each industry category were chosen based on download volume, app store popularity and overall business revenue rankings. The number of apps in each category varied based on popularity.
NowSecure conducted an industry benchmark analysis using the NowSecure Platform automated mobile application security testing engine. Built on the OWASP MASVS and the Mobile Security Testing Guide (MSTG), the NowSecure Platform runs a battery of more than 600 automated tests using static, dynamic, interactive and APISec technology.
Based on the count and score of industry-standard CVSS findings, the NowSecure scoring algorithm calculates an overall risk score in the range 0 to 100, mapped to letter grades as in school. Mobile apps scoring 90 and above earn an A, 80 to 89 a B, 70 to 79 a C, 60 to 69 a D, and anything below 60 an F. Mobile apps that earn an A or B are deemed low risk, those in the C and D groups warrant caution, and those with an F present a high degree of risk and should be strongly considered for non-use.
The benchmark analysis found major differences in mobile app quality among specific industry verticals:
- Automotive mobile apps scored best, with 15% having a CVSS score of 2.0 or below as their top issue (though the other 85% had higher-risk issues).
- Airline mobile apps scored second best, with 13% having a CVSS score of 2.0 or below as their top issue (though the other 87% had higher-risk issues).
- FinTech & InsurTech mobile apps rated third, with 46% having very-low or low CVSS-scored findings as their top issue.
While some industry verticals rated relatively higher in quality, others fell short:
- Travel industry mobile apps rated worst in quality, as 41% of apps had at least one high-risk finding with a CVSS score of 7.0 or above that should be remediated immediately.
- Pharmaceutical mobile apps also fared poorly with 38% having at least one high-risk finding with CVSS score of 7.0 or above.
- Banking and finance mobile apps ranked just below with 37% having at least one high-risk finding.
Common mobile app security issues found in the analysis include:
- Insecure network communication
- Insecure data storage
- Weak cryptography
- Dangerous permissions
Common mobile app privacy issues found in the analysis include:
- Data leakage over the network
- Exposure of personal data to other mobile apps
- Insecure storage
- Exposure of geolocation data
Mobile app security needs more attention
Mobile-enabled organizations must recognize that mobile app development and testing differs substantially from web app development, especially in terms of security and privacy. Mobile apps require specific coding procedures, tools, and techniques to ensure they meet an acceptable level of protection from mobile-specific risks. Business leaders must get serious about ensuring security of apps throughout the DevSecOps pipeline and increase their understanding of common app risks in the current threat landscape.
Companies across all industries have multiple options to improve the security and privacy of mobile apps, increase efficiency and drive quality. Automated mobile application security testing deployed directly into the pipeline helps DevSecOps teams remediate issues early and continuously. Manual pen tests performed by a professional analyst provide DevSecOps teams with a deep analysis for high-risk mobile apps, while also verifying they meet industry-specific regulatory requirements. And educating DevSecOps teams on secure-coding techniques helps businesses build secure mobile apps from start to finish.
It only takes one mobile app breach to negatively impact a company. With mobile activity on the rise, business leaders across all industries must realize that mobile apps require more attention to guard against risk.
Learn more about the security and privacy risks of mobile apps by reading the Coalfire 4th Annual Penetration Risk Report, and visit the NowSecure Mobile Risk Tracker™ to see live security benchmarks of the most popular mobile apps.
About the author: As NowSecure Chief Mobility Officer, Brian Reed brings decades of experience in mobile, apps, security, dev and operations management, including at NowSecure, Good Technology, BlackBerry, ZeroFOX, BoxTone, MicroFocus and INTERSOLV, working with Fortune 2000 global customers, mobile trailblazers and government agencies. At NowSecure, Brian drives the overall go-to-market strategy, solutions portfolio, marketing programs and industry ecosystem. With more than 25 years building innovative products and transforming businesses, Brian has a proven track record in early and mid-stage companies across multiple technology markets and regions. A noted speaker and thought leader, Brian is a compelling storyteller who brings unique insights and global experience. Brian is a graduate of Duke University.