This is a Health-ISAC Navigator white paper by BitSight
BitSight Performance Analysis Identifies Significant Gaps in Mobile Application Security Initiatives Across Sectors
PDF version: BitSight Mobile App Sec Report
As security and risk professionals take steps to improve their organization’s cybersecurity posture, email, network, and web security often take center stage. This makes perfect sense, as these have been preferred attack vectors for decades. However, as internet use continues to move toward a mobile-centric experience, it has become critical to consider mobile applications when crafting your organization’s security strategy.
In this report, you’ll find eye-opening statistics on the state of mobile application security today, examples of how and why mobile breaches occur, and actionable advice for mitigating risks associated with your own mobile applications, as well as apps from third-party partners and suppliers.
You’ll also get BitSight’s latest research on mobile application security—including performance stats by application genre, sector, and popularity. Finally, you’ll learn how to reduce risk and demonstrate security performance to customers, prospects, and other critical stakeholders.
Key Research Findings
- 3 out of 4 mobile applications evaluated contained at least one Moderate vulnerability. Apps containing at least one Material (<1%) or Severe (2.5%) vulnerability were far rarer.
- Material and Severe vulnerabilities, including Arbitrary Code Execution, were observed in highly popular mobile apps.
- Very few Material and Severe vulnerabilities were remediated once the app was in production, a remediation rate that is hard to justify given the criticality of these findings.
- Android shopping apps, which transmit personally identifiable information (PII) and other sensitive financial details, performed poorly in TLS Certificate Validation for Sensitive Data.
- GPS Data Leakage, a significant security and privacy issue, was a problem across a variety of sectors and mobile app genres, including Aerospace and Defense.
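The "TLS Certificate Validation for Sensitive Data" finding above usually comes down to one code pattern: an app that installs a trust-all TrustManager and HostnameVerifier (often left over from testing against a staging server) and then ships it. The example below, written for this page and not taken from the BitSight report or from any named app, shows that vulnerable pattern beside a hardened client that keeps the platform's default validation and additionally pins the server's public key. The endpoint `checkout.example.com` and the pin value are placeholders.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public final class CheckoutClient {

    // Placeholder endpoint: the report names no specific app or host.
    private static final String CHECKOUT_URL = "https://checkout.example.com/api/v1/orders";

    // Placeholder SPKI pins (base64 of SHA-256 over the SubjectPublicKeyInfo).
    // A real deployment carries the current pin plus a backup pin for rotation.
    private static final List<String> PINS = Arrays.asList(
            "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=");

    // ---- Vulnerable pattern: what "poor TLS certificate validation" looks like ----
    // checkServerTrusted never throws, so any certificate is accepted, including one
    // minted by an attacker on the same Wi-Fi network. The HostnameVerifier lambda
    // then waives the name check as well. The URL still says "https", but the card
    // data is sent to whoever answers the connection.
    static int postOrderInsecure(byte[] body) throws IOException, GeneralSecurityException {
        TrustManager[] trustAll = new TrustManager[] {
            new X509TrustManager() {
                @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);

        HttpsURLConnection conn = (HttpsURLConnection) new URL(CHECKOUT_URL).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());   // bypasses chain validation
        conn.setHostnameVerifier((hostname, session) -> true); // bypasses hostname matching
        return send(conn, body);
    }

    // ---- Hardened pattern -------------------------------------------------------
    // No custom SSLSocketFactory or HostnameVerifier: the platform validates the chain
    // against the device trust store and matches the hostname. After the handshake the
    // presented chain is checked against the pinned SPKI hashes before any request
    // bytes leave the device, so a rogue CA in the trust store is not enough.
    static int postOrderHardened(byte[] body) throws IOException, GeneralSecurityException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(CHECKOUT_URL).openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/json");
        conn.connect();                               // TLS handshake; default validation applies
        verifyPin(conn.getServerCertificates());      // fail closed on an unexpected key
        try (OutputStream out = conn.getOutputStream()) { out.write(body); }
        return conn.getResponseCode();
    }

    // Accept the chain if any certificate in it carries a pinned public key. Pinning an
    // intermediate rather than only the leaf survives routine leaf renewals.
    static void verifyPin(Certificate[] chain) throws GeneralSecurityException {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        for (Certificate cert : chain) {
            byte[] spki = cert.getPublicKey().getEncoded();
            String pin = "sha256/" + Base64.getEncoder().encodeToString(sha256.digest(spki));
            if (PINS.contains(pin)) {
                return;
            }
        }
        throw new CertificateException("no certificate in the chain matches a pinned SPKI hash");
    }

    private static int send(HttpsURLConnection conn, byte[] body) throws IOException {
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/json");
        try (OutputStream out = conn.getOutputStream()) { out.write(body); }
        return conn.getResponseCode();
    }
}
```

A static analyzer flags the insecure version by looking for an `X509TrustManager` whose `checkServerTrusted` body is empty and for a `HostnameVerifier` that returns a constant; a dynamic test confirms it by proxying the device through an interception proxy whose CA the device does not trust and watching whether the app still completes the request. On Android 7 and later the same pinning is better expressed declaratively in the app's Network Security Config (`<pin-set>`), which the platform enforces for every connection the app opens, not only the ones routed through this class.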
The Increasing Risk to Mobile Applications
Since mobile applications store massive amounts of users’ personal information, breaches and data leakage can expose organizations to significant risk, as evidenced by news coverage throughout 2021.
In March, a Formula 1 racing team was forced to call off an augmented reality campaign after its mobile app was hacked. In June, a healthcare provider was breached via unauthorized access to a third-party mobile app called Smart Clinic.
British Airways disclosed that approximately 380,000 card payments were compromised after a security breach of the company's website and mobile app. The breach exposed customers' personal and financial details, including name, address, and bank card details such as the CVC code.
In September, security researchers found that 14 top Android apps, downloaded by more than 140 million people in total, were leaking user data because of Firebase misconfigurations. The exposed data potentially included users' names, emails, usernames, and other PII. Firebase is a mobile application development platform with an active monthly base of more than 2.5 million apps.
“Mobile applications already drive much of today’s digital activity and that will only increase in the future. 5G, increased work-from-home, and the ever-increasing availability of mobile devices have all but assured that cyber criminals will look for avenues into mobile applications to conduct attacks,” said Stephen Boyer, Founder and CTO of BitSight. “For these reasons, it is critical for organizations to understand risks associated with mobile applications created in-house and those published by third parties.”
BitSight’s Evaluation of Mobile Application Security Performance
There are approximately 5 million mobile apps currently in circulation: roughly 3 million for Android and 2 million for iOS. Of these millions, a far smaller subset dominates the market, and only a small proportion of that subset constitutes the mainstream mobile apps.
BitSight wanted to understand the prevalence of vulnerabilities in popular mobile applications across a variety of sectors and industries. We analyzed 93,647 mobile apps from 40,664 organizations and tasked ourselves with answering two critical questions:
1. How common are significant vulnerabilities in mobile applications?
2. Are some sectors better or worse than others in addressing mobile application security issues?
Our analysis ran 185 static and dynamic mobile application tests covering every severity level, from Minor to Severe, across 22 major industry sectors.
BitSight Methodology: Severity Levels and Mobile Application Grades
Before we dive into the results of our research, it is important to understand how BitSight uses the Common Vulnerability Scoring System (CVSS). CVSS is a widely used standard for scoring the severity of a vulnerability on a 0 to 10 scale, with the ranges labeled Low, Medium, High, and Critical. BitSight uses different nomenclature (Minor, Moderate, Material, Severe) to stay consistent with the existing notions of severity within BitSight's platform.
Please read the full paper in the PDF linked above.