
The State of Mobile

Application Security
2014-2015

Application Security Made Easy


The State of Mobile Application Security 2014-2015
Brought to you by Checkmarx and Appsec Labs

Research author: James Greenberg

Table of Contents >

Intro

How is Mobile Application Security Different Than Web and Desktop Applications?

Research Results and Targets

Vulnerability Severity Rating

Mobile Application Security State

Summary - Statistics Aggregated

Mitigation - What Can Developers Do To Improve App Security?

iOS vs Android Application Security

Takeaways

Intro >

The mobile application industry is growing at an explosive pace, yet security issues of
mobile applications are lagging behind.

As hacking incidents become more public and the impact on businesses increases,
the evolution of mobile application hacking becomes more rapid both in numbers
and in techniques.

During 2014-15, Appsec Labs tested hundreds of mobile applications, of all types
including banking, utilities, retail, gaming and even security oriented applications.

This document addresses the findings of the research and summarizes concerns and
the approaches required to improve the state of mobile app security.
How is Mobile Application Security Different Than Web and Desktop Applications?

< Access />


On top of the common threats to desktops, laptops and servers, mobile devices face a wider range of
risks and are exposed to even more security threats.

< Mobile Devices tend to be misplaced, lost or even stolen />


An attacker might need no more than a few minutes of physical access to a device in order to
extract data or perform actions on behalf of its original owner.

Mobile malware can steal personal information, send SMS messages on your behalf, access private
photos and post in your name. These are only a few examples of the risks malicious apps can expose
your mobile device to.

Keeping data secure requires addressing issues like encryption/decryption, authentication,
authorization and securing communication with the server side.

Unfortunately this research has proven to us that there is a long way to go.

< Volume />


The more applications are released to the market, and the more these apps are downloaded by users,
the higher and more real the risks become. In other words, the attack surface available to a hacker
who wants to attack mobile applications is greater in terms of:
a) The number of applications to choose from.
b) The number of users who download mobile apps, and hence the amount of information which
can potentially be exposed.

Let's take a look at the numbers:

< iOS Appstore />


iOS apps were first released in 2008; in July 2008 iOS users had a mere 500 applications to choose
from.

After less than 7 years statistics show that the iOS platform (including tablets) offers users a
staggering 1.4 million different applications.

Apple reported in June 2014 that downloads have crossed the 75 billion mark!

Android applications, which got off to a later start, have caught up in the race and present similar
figures both in number of apps and in downloads.

The bottom line is that the explosion of the mobile application industry in the last 7 years has
created a whole new battlefield in the race between hackers and security experts.

But the most important players in the game, the developers, are way behind.

Research Results and Targets
The following list consists of the high level goals of this research.
> Are mobile applications secure?
> How severe are the security issues in mobile applications?
> What are the main issues mobile app developers should be aware of?
> Are iOS applications more secure than Android applications?
> How can the development community take action in order to
improve application core security?

Vulnerability Severity Rating


In order to achieve a unified categorization of the severity of an exposed vulnerability,
we use the OWASP and WASC methodologies:

Critical
A security vulnerability that exposes a major security risk with a direct exploit (not needing user
involvement). If exploited, the security threat might cause major damage to the application and/or
have major impact on the company. The likelihood of such an attack occurring is high, considering
the architecture/business-logic/complexity of the exploit.

High
The weakness identified has the potential to directly compromise the confidentiality, integrity
and/or availability of the system or data, but the likelihood to occur is not high, considering the
architecture/business-logic/complexity of the exploit. The possible damage to the application or the
company is high, but not a total disaster.

In applications involving sensitive data, the risk might be considered high in case the weakness by
itself is against common regulations (e.g. PCI).

Medium
A medium security issue that has some effect on, or causes some damage to, the application. Often it
cannot be exploited directly, but it can assist an attacker in launching further attacks.

Low
No direct threat exists. It is more of a risk than a threat and does not cause damage by itself.
The vulnerability may be leveraged together with other vulnerabilities in order to launch further
attacks.

The risk reveals technical information which might assist an attacker in launching future attacks.

The severity types presented above serve as indicators to the application owner of how acute the
issues are, and accordingly of what measures (if any at all) should be taken in order to mitigate
the issues reported.

< 7 Deadly App Development Sins />

Results of this research are based on pen tests run over a period of more than a year across
hundreds of different applications and application categories.
Naturally the results have to be distilled to provide useful information. This research
concentrates on the top 7 risks which were classified by Appsec Labs as the most critical security
issues across all applications.

1> Authentication / Authorization - All security issues that result in performing actions or
accessing data without sufficient permissions (e.g. bypassing a security PIN code).

2> Availability - Issues resulting in denial of service of the application, or part of it (e.g.
crashing the application).

3> Configuration Management - Incorrect or inappropriate configurations.

4> Weak Cryptography - Breaches related to an insecure way of protecting data with
cryptography.

5> Information Disclosure - Technical information exposed to the client (e.g.
application logs).

6> Input Validation Handling - Results of mishandling data received from the user.

7> Personal / Sensitive Information Leakage - Any exposure of personal data or other sensitive
data to the client (secret documents, credit card numbers, etc.).

Mobile Application Security State
The results found during this research are no less than alarming. The average number of
vulnerabilities per application, based on analysis of hundreds of applications of all types, stands at
9.041 vulnerabilities per application. This number covers all severity levels.

The chart below presents the distribution by severity:

[Pie chart: Result by Severity - Critical 13%, High 25%; Medium and Low: 28% and 34%]

< Result highlights />

38% of vulnerabilities exposed are of critical or high severity.

An average of 3.435 Critical or high vulnerabilities are exposed per app.


Providing actionable items to improve application security requires a closer look at where the
vulnerabilities originate and what the different types of vulnerabilities are.

The chart below presents the distribution of vulnerabilities by category:

[Pie chart: Results by risk category - Personal/Sensitive information 27% (the largest category),
Authentication/Authorization 23%; the remaining segments (Availability, Configuration Management,
Cryptography Weaknesses, Information Disclosure, Input Validation handling) are 16%, 14%, 8%, 7%
and 5%]

< Result highlights />

50% of vulnerabilities are either Personal/Sensitive information leakage or Authentication and
Authorization issues (this does not correlate the type of vulnerability with the severity level of
the exposed vulnerability).

In order to get a clear breakdown per vulnerability type, each vulnerability category was broken
down by the severity classification of all its reported instances.

This analysis enables us to determine which vulnerability categories are more likely to be of high

< Authentication /Authorization />

[Pie chart: Authentication/Authorization by severity - Critical 32%, High 28%, Medium 20%, Low 20%]

60% of Authentication and Authorization issues are of critical or high severity, clearly indicating
that development teams:

A> Should take measures to improve developer awareness of securing Authentication and
Authorization mechanisms.

B> Should prioritize securing Authentication and Authorization mechanisms.

< Availability />

[Pie chart: Availability by severity - Critical 28%, High 36%, Medium 29%, Low 7%]

64% of all findings in this category pose a major threat to application owners and users.

A> Developers should understand the attack vectors which enable hackers to cause availability
issues, for example how to keep a flood of requests that strains the processing capacity of the
application from crashing the system.

B> Mitigate, or at least minimize, the risk of availability issues by limiting the number of
permitted requests to sensitive functionality.

< Configuration Management />
[Pie chart: Configuration Management by severity - Critical 3%, High 11%, Medium 57%, Low 29%]

14% of the reported vulnerabilities in this category are of critical or high severity; the majority
of reported incidents are medium (57%), positioning this family of vulnerabilities as less critical
in comparison to the others.

< Cryptography Weaknesses />

[Pie chart: Cryptography Weaknesses by severity - Critical 6%, High 23%, Medium 24%, Low 47%]

29% of the vulnerabilities reported are of high or critical severity, yet almost 50% of the reported
cases were of low severity. This category is tricky and does necessitate close attention, since there
is a real possibility that an overlooked cryptography weakness results in a major risk.

< Information Disclosure />
Any unwanted technical information exposed to the client (e.g. application logs).

[Pie chart: Information Disclosure by severity - Critical 0%, High 6%, Medium 13%, Low 81%]

Information disclosure vulnerabilities are an interesting category: the statistics show that the vast
majority of the cases reported are of low severity and only 6% are classified as high severity.

This vulnerability category should not be overlooked. Though information disclosure usually cannot
cause direct damage, it can serve as a source of information which is used as a precursor for more
severe attack vectors.

< Input Validation Handling />

[Pie chart: Input Validation Handling by severity - Critical 9%, High 46%, Medium 27%, Low 18%]

Input validation handling is a major topic on which organizations should have a clear directive
regarding the implementation of secure input validation methods.

55% of the reported vulnerabilities are of high or critical severity, positioning input validation
issues as overall high risk. With only 18% of the vulnerabilities exposed in this category classified
as low severity, this category of issues demands close attention.

< Personal/Sensitive Information Leakage />

[Pie chart: Personal/Sensitive Information Leakage by severity - Critical 7%, High 8%, Medium 34%,
Low 51%]

Personal and sensitive information leakage reported more incidents than any other category, with
42% of reported incidents being of major risk to the application owner and users. Securing personal
and sensitive information should be a top priority of system designers and developers, since these
issues are both common and of high risk.

Summary - Statistics Aggregated
Category                                Critical   High   Medium   Low

Authentication/Authorization               32%     28%     20%    20%
Availability                               28%     36%     29%     7%
Configuration Management                    3%     11%     57%    29%
Cryptography Weaknesses                     6%     23%     24%    47%
Information Disclosure                      0%      6%     13%    81%
Input Validation handling                   9%     46%     27%    18%
Personal/Sensitive information leakage      7%      8%     34%    51%

Mitigation - What Can Developers Do To Improve App Security?

The research results clearly indicate that Authentication and Authorization, Availability and
input validation handling require special attention. This section briefly summarizes mitigation
directives recommended to address these vulnerability types.

Availability
a> Perform input validation on all received intents and ignore badly formatted ones.
b> Catch all exceptions, in order to block a DoS attack using system exceptions.

Authentication/Authorization
a> Never trust the client. Ensure the user who requests any page/action has the legitimate
permissions by validating the session permission in the server side.
b> Allow the system users 3-5 failed login attempts. If the user fails more times than the
allowed amount, deploy an active CAPTCHA mechanism or an alternative solution.
c> Consider implementing two-factor authentication.
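As an added example (not part of the report or of Appsec Labs' work), the following Python sketch shows how a server could enforce directives (a) and (b) above: permissions are resolved from the server-side session only, never from anything the client sends, and after the allowed number of failed logins a CAPTCHA is required before further attempts. The user name, permission names, salt and in-memory stores are constructed demo data.

```python
import hashlib
import hmac
import secrets

MAX_FAILED_ATTEMPTS = 5  # the report recommends allowing 3-5 failures

def hash_password(password, salt):
    # Salted PBKDF2: the server never stores the raw password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthService:
    def __init__(self, credentials, permissions):
        self._creds = credentials   # user -> (salt, pbkdf2 hash)
        self._perms = permissions   # user -> set of permission names
        self._failed = {}           # user -> consecutive failed logins
        self._sessions = {}         # session id -> user, held server side only

    def login(self, user, password, captcha_solved=False):
        # Directive (b): once the allowed failures are used up, demand a CAPTCHA
        # before even checking the password, so guessing cannot simply continue.
        if self._failed.get(user, 0) >= MAX_FAILED_ATTEMPTS and not captcha_solved:
            return None, "captcha_required"
        salt, stored = self._creds.get(user, (b"", b""))
        if not (stored and hmac.compare_digest(hash_password(password, salt), stored)):
            self._failed[user] = self._failed.get(user, 0) + 1
            return None, "invalid_credentials"
        self._failed[user] = 0                  # a successful login resets the counter
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = user
        return sid, "ok"

    def authorize(self, session_id, permission):
        # Directive (a): never trust the client; resolve the permission from the
        # server-side session, not from a role or flag sent by the app.
        user = self._sessions.get(session_id)
        return user is not None and permission in self._perms.get(user, set())

def demo():
    # Constructed data: 'alice' may view her balance but may not approve transfers.
    salt = b"constructed-demo-salt"
    svc = AuthService({"alice": (salt, hash_password("correct horse", salt))},
                      {"alice": {"view_balance"}})
    out = [svc.login("alice", "wrong")[1] for _ in range(MAX_FAILED_ATTEMPTS)]
    out.append(svc.login("alice", "correct horse")[1])   # right password, but CAPTCHA first
    sid, status = svc.login("alice", "correct horse", captcha_solved=True)
    out.append(status)
    out += [svc.authorize(sid, "view_balance"),           # True
            svc.authorize(sid, "approve_transfer"),       # False: never granted server side
            svc.authorize("forged-session-id", "view_balance")]  # False: unknown session
    return out
```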

Cryptography Weaknesses
a> Due to the sensitivity of the information (e.g. user name and PIN code), the server must require
the transport layer to be SSL/TLS.
b> It is recommended to use AES128/256 instead of RC4.

Information Disclosure
a> Use extreme obfuscation in order to prevent an attacker from retrieving useful data from
the APK file.

Personal/Sensitive information Leakage
a> Do not store sensitive information on the device.

Configuration Management
a> Since configuration issues vary from application to application, it is important to
implement a control mechanism which will assure adequate configuration management.

iOS vs Android Application Security
This document discusses vulnerabilities exposed in the application code itself; it goes without
saying that such vulnerabilities are introduced while the code is being built. So what about iOS vs
Android?

It is a common myth that the iOS development platform is more secure than the Android equivalent
for several legitimate reasons:
a> iOS has more restrictive controls over what developers can do and tight application sandboxing.
b> iOS Applications are fully vetted before being released to customers - preventing malware from
entering the Apple App Store.

Yet, in the field of pure application security where vulnerabilities are built in the code or into the
application logic the story is quite different.

Our statistics show that the distribution of vulnerability exposed by severity is almost identical
between iOS and Android Applications with a slightly higher percentage of critical vulnerabilities in
iOS applications.

[Pie chart: iOS Vulnerability by Severity - Critical 15%, High 25%; Medium and Low: 32% and 28%]

40% of the detected vulnerabilities in the tested iOS applications were found to be of critical or
high severity.

[Pie chart: Android Vulnerability by Severity - Critical 11%, High 25%; Medium and Low: 25% and 39%]

36% of the detected vulnerabilities in the tested Android applications were found to be of critical or
high severity.


Takeaways
> Developer awareness is still lacking when it comes to application security and the
implementation of secure coding best practices on mobile platforms.
> The risk is real! The levels of risk which were detected indicate a real risk to the application
integrity of almost all mobile applications.
> We should expect an increase in major hacks via the mobile application vector in the short
term unless we improve secure coding practices.
> Organizations must not rely on external defense mechanisms only - code level security is a
serious player.

Start addressing mobile application security:

A> Integrate secure coding best practices into the development life cycle.

B> Educate developers - knowledge is a great tool, empowering developers to protect their
own apps.

C> Get your application code tested before it's too late or too expensive to make a change.

D> Don't rely on external security mechanisms when you can develop your app to have
internal resilience at its core.

Our Vision - A Hacker-Free World!
Our mission is to guarantee that released software is free of technical and logical security
vulnerabilities. Our company is always in motion, listening and reacting to current and future
market needs. We inspire our partners to complement our products with the finest professional
services, and drive industry standards. We do this so that we could collectively deliver better
solutions with greater benefits.

About Us

Checkmarx is a leading developer of software solutions used to identify, fix and block security
vulnerabilities in web and mobile applications. It provides an easy and effective way for
organizations to introduce security into their Software Development Lifecycle (SDLC), which
systematically eliminates software risk before applications are released. The company's
customers include 5 of the world's top 10 software vendors and many Fortune 500 and
government organizations, including SAP, Samsung, Salesforce.com, Coca Cola and the US Army.
For more information about Checkmarx, visit: https://www.checkmarx.com
or follow us on twitter: @Checkmarx

Contact us:
contact@checkmarx.com
www.checkmarx.com
