Say it isn’t so? According to a recently released report, The State of Mobile App Security, from Checkmarx and AppSec Labs, both mobile application security vendors, the vulnerabilities found in vulnerable iOS apps tend to be slightly more severe than those found in vulnerable Android apps.
In this blog post, Checkmarx’s Amit Ashbel argues that the underlying controls within iOS and Android undermine the ability of mobile security vendors to do their job:
When it comes to security, there are numerous vendors who attempt to provide a way to detect any risks on the device or within the application itself. Due to the mobile operating system’s sandbox environment, there is only so much that a security application can do. Signature detection of malware and jailbreak/rooting detection are probably the best these vendors can do to protect your data. However, as long as the security vendors play by the rules enforced by iOS and Android – and on iOS they are forced to do so – attackers will continue to have the upper hand and these protections can be easily circumvented.
I’m not so sure about that entire argument; after all, security vendors had deep access in Windows, and attackers still found many ways to exploit that operating system and the applications that ran on it. However, a later point Ashbel made, that “it boils down to ensuring secure development as you create your app,” is spot on.
Among vulnerable iOS apps, 40 percent of the vulnerabilities found were of critical or high severity, compared with 36 percent of the vulnerabilities found in vulnerable Android apps. The report did not make clear what percentage of iOS or Android apps were not designed securely, or which platform had more vulnerable applications overall.
The State of Mobile App Security looks at mobile app vulnerabilities that are created during app development, with:
- 38% of vulnerabilities exposed are of critical or high severity.
- 3.435 critical or high vulnerabilities, on average, were exposed per app.
- 50% of vulnerabilities are either personal/sensitive information leakage or authentication and authorization.
To see what the breakdown was by type of vulnerability and its category, details are in the chart below, from the State of Mobile App Security report.
When it comes to developing secure mobile apps, developer awareness is essential. The more security-related vulnerabilities can be found during development, the more secure our mobile apps will be. But it also requires testing after the apps are deployed and updated.
Here are some resources your organization may find helpful when it comes to building more secure mobile apps:
- OWASP Mobile Security Project, Open Web Application Security Project
- 2015 Mobile App Survival Guide, CSOonline