Most Mobile Apps Subject to at Least Nine Vulnerabilities

Mobile applications show an alarming rate of vulnerability, with the average app susceptible to nine different vulnerabilities.

Further, the research from Checkmarx and AppSec Labs shows that, of those nine different vulnerabilities, 38% are critical or high-severity.

Interestingly, and despite conventional wisdom, iOS is no more secure than Android when it comes to vulnerabilities built into the code or application logic: Here, the vulnerability rate of iOS and Android applications is almost identical. And, 40% of detected vulnerabilities in iOS applications were found to be critical or high-severity, compared to only 36% on Android.

“When we undertake penetration testing for our customers, we're often asked to test both the Android and iOS versions of the same app,” said AppSec Labs founder Erez Metula. “We realized that since iOS developers wrongly assume that iOS is ‘more secure,’ they let themselves take poor security decisions that open up vulnerabilities in their app.”

Among the types of applications tested were the banking applications of high-street retail banks, which access the personal data of millions of private individuals. Even those applications, which undergo rigorous security testing, were found to suffer from critical vulnerabilities such as faulty authentication, data leakage and more.

Overall, 50% of vulnerabilities are either personal/sensitive information leakage or authentication and authorization faults.

“The mobile application industry is growing at an explosive pace, yet security issues of mobile applications are lagging behind,” said Asaph Schulman, vice president of marketing at Checkmarx. “During 2014-15, AppSec Labs and Checkmarx tested hundreds of mobile applications, of all types including banking, utilities, retail, gaming and even security-oriented applications. The results of the study were nothing short of alarming and unless we improve secure coding practices we should expect an increase of major hacks via the mobile application vector in the near future.”
