iPhone apps just as risky as Android apps, study says

Report by Israeli cyber-security firm Checkmarx shatters myths about the perceived safety of many smartphone apps – especially on iOS

#Parshachat merges Torah talk and the disability experience on Twitter (Illustrative: iPhone; Pixabay)
#Parshachat merges Torah talk and the disability experience on Twitter (Illustrative: iPhone; Pixabay)

The next smartphone app you download could be riddled with bugs that would allow a hacker to take control of your device or steal data from it – and if not your next downloaded app, then maybe the one after that.

Sixty percent of all smartphone apps, according to a study by Israeli cyber-security start-up Checkmarx, have “high” or “critical” security problems in several of seven security protocols studied. Overall, four out of every ten apps have some major flaw that could allow a hacker to get control of a device’s data, or the device itself.

The study examined reported security breaches in iOS, the operating system used in Apple’s iPhone and iPad, and the Android system used by most other smartphone manufacturers.

The poor security performances come despite the claims by the vast majority of developers of apps for both platforms that there is no way they would release an app unless it were fully secure.

And iPhone owners needn’t be smug about the results, the study showed. While iOS users believe that they are safer because of Apple’s “walled garden” approach to apps, where an Apple team supposedly vets every piece of software offered in the App Store for, among other things, cyber-safety, App Store apps are no safer than those designed for Android systems.

In fact, apps written for the free-wheeling, anything-goes Android development environment, where any app can be loaded on to a device without being checked by a committee, are somewhat less security challenged than iOS apps. According to Checkmarx, “40% of the detected vulnerabilities on iOS tested applications were found to be critical or high severity,” while 38% of Android apps had the same problem.

Apple could not be reached for comment.

As new and more powerful smart devices come out with constant improvements to speed, processing capability, photo and video recording abilities and more, developers rush to write new apps and enhance existing ones in order to take care of those additional features. In a world where new apps are released constantly and downloads are measured in the tens of billions (by June of last year, Apple reported that it had crossed the 75 billion mark for App Store downloads), developers rightly believe that if they are not first to market with new features, they are out of the market.

But apparently developers are neglecting to ensure that those features are secure, said Checkmarx.

“The explosion of the mobile application industry in the last seven years has created a whole new battlefield in the race between hackers and security experts,” said the company. “But the most important players in the game – the developers – well, they are way behind.”

The danger from many apps is not to be underestimated, said the report.

“An attacker might need no more than a few minutes of physical access to a device in order to extract data or perform actions on behalf of its original owner,” it said. “Mobile malware can steal personal information, send SMS on your behalf, access private photos and post in your name. These are only some examples to the risk malicious apps can expose your mobile device to.”

The report lists the “seven deadly sins” of developers, who have largely failed to address issues like authentication (ensuring that only the authorized user is able to access data), preventing denial of service attacks (which, the report said, often appeared to the user as a crashed app), inappropriate configurations (which could allow ‘legal’ access to unauthorized parties), information leakage (where passwords and other sensitive data are left out in the open and not stored securely or in a scrambled manner), and others.

“Keeping data secure requires addressing issues like encryption/ decryption, authentication, authorization and securing communication with the server side,” the report said. “Unfortunately this research has proven to us that there is a long way to go.”

The solution, as always, is to be vigilant and pay attention to the implications of a new feature.

“The risk is real,” said the report. “The levels of risk which were detected – indicate real risk to application integrity of almost all mobile applications. We should expect an increase of major hacks via the mobile application vector in the short term future unless we improve secure coding practices. Organizations must not rely on external defense mechanisms only – code level security is a serious player.”

Most Popular
read more: