The mobile app security testing research carried out by Wandera looked at the most popular business apps used on enterprise mobile devices on a global basis.
The top ten apps selected are a staple for the enterprise workforce with around 1.4 billion downloads from the Google Play store. The iOS versions of these apps are within the top 0.05% of all apps and sit under the business and productivity categories. Wandera’s mobile app security testing approach used the Open Web Application Security Project (OWASP) Mobile Security Risks as the starting point for extensive manual penetration testing.
The key findings are notable given how many downloads these apps have and the extensive use of these apps in the corporate environment:
- 10 out of the 10 apps are vulnerable to at least three of the OWASP Top 10 Mobile Risks, including the two most fundamental issues: data storage security and data transport security.
- 10 out of the 10 apps contain at least five of the 28 weaknesses tested and fail to use secure data storage to protect Personally Identifiable Information.
- 9 out of the 10 apps do not use Certificate Pinning at all, and are therefore vulnerable to Man-in-the-Middle attacks (the single application that does use this protection mechanism fails to implement it properly).
- 8 out of the 10 apps allow the use of weak passwords and 3 out of 10 apps allow the use of weak encryption.
It is clear that most of the companies using these apps failed to note the use of local storage in these mobile apps, creating a situation where corporate data resides on mobile devices. This is a critical security risk that has the potential to cause millions of dollars in damage to these companies, their clients, and their shareholders.
The suggested remediation, for enterprise IT to use third-party safety nets around these apps and take a holistic approach to mobile security, ignores the need for the companies making these apps to enforce a secure mobile development process and perform regular mobile app security testing before and after release.
Codified Security Instant will help you to secure your apps against OWASP and PCI security standards, with mobile app security testing and Continuous Monitoring. To find out whether there are serious security flaws in your app, please sign up to Codified Security.