BreachExchange mailing list archives

Study finds most mobile apps put your security and privacy at risk


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 6 Dec 2013 23:47:17 -0700

http://www.pcworld.com/article/2068824/study-finds-most-mobile-apps-put-your-security-and-privacy-at-risk.html

The average smartphone user has 26 apps installed. If recent research
conducted by HP is any indication, approximately, well, all of them, come
with privacy or security concerns of some sort.

The HP study focused purely on custom business apps, but there's no reason
to believe the issue doesn't extend to commercial apps you find in the
Apple App Store or Google Play. Many apps have access to data or permission
to perform functions they shouldn’t.

If you want to play a game like Angry Birds, there’s no reason that it
needs to have access to your contacts, and a weather app probably doesn’t
need to be able to send email on your behalf. The security risks in apps go
beyond permissions, though. There are issues in how the apps integrate with
core functions of the mobile operating system, as well as how they interact
with and share information with one another.

In the HP study, 97 percent of the apps contained some sort of privacy
issue. HP also found that 86 percent of the apps lack basic security
defenses, and 75 percent fail to properly encrypt data. Assuming similar
percentages across the hundreds of thousands of consumer apps in the app
stores, it’s likely that you have a few security or privacy concerns
floating around your smartphone or tablet.

But this isn’t about malicious apps designed to steal your data. It’s
mostly a function of lazy coding. Developers write apps that access
everything because it’s easier than writing more specific code, and it also
paves the way for any future enhancements that might actually need it.

In a BYOD scenario these security and privacy risks are exaggerated for
both the employer and the employee. In most cases, the line between
business and personal is not clearly defined, and apps can easily blur that
line and put both company and personal data at risk. The problem is
exacerbated by the fact that apps are impulse purchases for many users,
thanks to low prices and easy installation.

The mobile operating systems have improved in terms of notifying users about
the permissions an app is requesting and providing the user with more
control to allow or block access to specific functions. But the system
still puts too much burden on the user, both to know those controls exist
and how to use them, as well as to understand the implications and security
concerns of the apps.

The better solution is for developers to build security and privacy into
the apps from square one. Developers should be aware of the potential
implications of how their apps access data and interact with other apps,
and design them to be secure by default.
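The least-privilege check the article asks developers (and reviewers) to make, as an added example that is not from the article or the HP study: a small Python audit that parses a constructed Android manifest for a weather app, reports every requested permission outside an assumed allowlist for that app's purpose, and flags an opt-in to unencrypted HTTP. The allowlists, the sample manifest and the `excess_permissions`/`allows_cleartext` helpers are assumptions made for illustration; the permission names and the `usesCleartextTraffic` attribute are real Android identifiers.

```python
"""Least-privilege audit of an Android manifest, written as an added example:
flag permissions outside an allowlist for the app's stated purpose, and
flag opt-in to cleartext HTTP. Allowlists and the manifest are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"

# Hypothetical allowlists (real Android permission names, our own grouping).
ALLOWED = {
    "weather": {"android.permission.INTERNET",
                "android.permission.ACCESS_COARSE_LOCATION"},
    "game": {"android.permission.INTERNET", "android.permission.VIBRATE"},
}

# Constructed manifest for a weather app that over-reaches: contacts and SMS
# have nothing to do with showing a forecast.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Weather" android:usesCleartextTraffic="true"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Set of permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)}


def excess_permissions(manifest_xml, purpose):
    """Permissions requested beyond what `purpose` is allowed, sorted."""
    return sorted(requested_permissions(manifest_xml) - ALLOWED[purpose])


def allows_cleartext(manifest_xml):
    """True if <application> opts into unencrypted HTTP traffic."""
    app = ET.fromstring(manifest_xml).find("application")
    flag = f"{{{ANDROID_NS}}}usesCleartextTraffic"
    return app is not None and app.get(flag) == "true"


if __name__ == "__main__":
    print("excess:", excess_permissions(SAMPLE_MANIFEST, "weather"))
    print("cleartext allowed:", allows_cleartext(SAMPLE_MANIFEST))
```

Run against a real manifest, the same two checks give a reviewer a concrete list of permissions to justify or remove before release.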
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
