In the Vulnerabilities and Threats in Mobile Applications 2019 report, researchers at Positive Technologies examined vulnerabilities and threats in mobile applications.

High-risk vulnerabilities were identified in 38% of mobile applications for iOS and in 43% of Android applications.

The report stated:

“But this difference is not significant, and the overall security level of mobile application clients for Android and iOS is roughly the same. About a third of all vulnerabilities on the client side for both platforms are high-risk ones.”

Researchers identified insecure data storage as the most common vulnerability in mobile applications, with malware infection being the most common scenario. This vulnerability is found in 76% of mobile applications. The second most common vulnerability is the insecure transmission of sensitive data (35%), followed by incorrect implementation of session expiration (35%).

An overwhelming 89% of vulnerabilities can be exploited without physical access, using malware.

“The risk of infection jumps on rooted and jailbroken devices, but malware can also elevate privileges by itself. Once on the victim’s device, malware can ask for permission to access user data and, if permission is granted, the malware can send data to the attackers,” wrote Positive Technologies.

Amongst the findings, the report identified protection mechanisms as the “weak spot” in mobile applications, as the majority of vulnerabilities are discovered during the design stage and “result from failure to ‘think through’ security-related questions”.

Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies, said:

“In 2018, mobile apps were downloaded onto user devices over 205 billion times. Developers pay painstaking attention to software design in order to give us a smooth and convenient experience and people gladly install mobile apps and provide personal information.

“However, an alarming number of apps are critically insecure, and far less developer attention is spent on solving that issue. Stealing data from a smartphone usually doesn’t even require physical access to the device.

“We recommend that users take a close look when applications request access to phone functions or data. If you doubt that an application needs access to perform its job correctly, decline the request. Users can also protect themselves by being vigilant on not opening unknown links in SMS and chat apps, and not downloading apps from third party app stores. It’s better to be safe than sorry.”

PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

