Corporate Android Apps Not All Secure
Some mobile Android apps from Fortune 500 companies do not adhere to security best practices, finds a recent analysis by IT consulting firm RIIS.
Most of the malware targeting Android infects devices that download apps originating from sources other than the Google Play Store. Yet even apps that come from trusted sources can have security problems – as evidenced by an Android App Security Index produced by IT consulting firm RIIS.
The index, which ranks 20 corporate Android apps from Fortune 500 companies like Delta, Walmart and Wells Fargo based on how well they adhere to mobile security best practices, found that 16 of the apps had room for improvement. Just four apps, from Chase, Wells Fargo, State Farm and the IRS, had no security issues.
Perhaps because of strict regulatory requirements, apps from financial services companies had few security issues and none considered critical, said Godfrey Nolan, founder and president of RIIS and author of "Decompiling Android," noting that these apps do not store any login information or sensitive user data on mobile devices.
"I was happy to see that most of the financial companies were taking it seriously and by and large doing the right thing, so there's always hope," he said.
Risky Android Apps
The index shows which apps have any of 10 key mobile security risks identified by the Open Web Application Security Project (OWASP), including weak server-side controls, broken cryptography and improper session handling. RIIS found that the lowest-rated apps, from StubHub, Walmart, Speedway, Livenation/Ticketmaster, Delta and Geico, each had three of the OWASP issues.
Especially worrisome, Nolan said, are apps that expose user login information such as those from Delta and Geico.
"I would not like someone getting access to my boarding card or being able to cancel my flight. Geico's app also allows you to show your insurance card on the app, so I would not want someone to gain access to that," he said. "The secret to good mobile security is simply do not store any sensitive user information on the phone and do not store any encryption keys in the code on the phone as someone will find it. Delta's and Geico's apps fail on both accounts."
While the Delta and Geico apps encrypt the login information stored on the phone, the encryption key is embedded in the app itself and can be recovered by decompiling the code; with the key in hand, anyone who gets hold of an unlocked phone can decrypt the stored credentials, Nolan explained. Thus, he suggested, smartphone users should enable the screen lock.
Also, he added, "Make sure you have a good password on your phone, and always wipe your phone if it's lost."
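The key-in-code failure Nolan describes is easy to spot once an APK has been decompiled (a decompiler such as the one discussed in his book turns the app's bytecode back into readable Java). The script below is an added example for this article, not code from RIIS or from any app in the index: it scans decompiled Java source for the usual tell-tales of a hard-coded AES key or static IV. The Java it runs over is a constructed sample of what a credential-storage helper looks like when the key ships inside the app; the class and package names are invented.

```python
"""Scan decompiled Android (Java) source for hard-coded symmetric keys and IVs.

Added example for this article; not code from RIIS or from any app in the
index. The Java below is a constructed sample (invented names, no real app).
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass

# Constructed sample of decompiled source (not taken from any real app).
SAMPLE_DECOMPILED_JAVA = r'''
package com.example.app.auth;

import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class CredentialStore {
    // 16 literal bytes: an AES-128 key anyone with the APK can read out.
    private static final byte[] KEY = new byte[] {
        (byte) 0x2b, (byte) 0x7e, (byte) 0x15, (byte) 0x16,
        (byte) 0x28, (byte) 0xae, (byte) 0xd2, (byte) 0xa6,
        (byte) 0xab, (byte) 0xf7, (byte) 0x15, (byte) 0x88,
        (byte) 0x09, (byte) 0xcf, (byte) 0x4f, (byte) 0x3c
    };
    private static final String LEGACY_KEY = "c2l4dGVlbiBieXRlIGtleQ==";
    private static final String PREF_NAME = "creds";

    static byte[] encrypt(byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(KEY, "AES"),
               new IvParameterSpec(new byte[] { 0, 0, 0, 0, 0, 0, 0, 0,
                                                0, 0, 0, 0, 0, 0, 0, 0 }));
        return c.doFinal(plaintext);
    }

    static SecretKeySpec legacyKey() {
        return new SecretKeySpec("sixteen byte key".getBytes(), "AES");
    }
}
'''


@dataclass
class Finding:
    line: int
    kind: str
    detail: str


KEY_LENGTHS = {16, 24, 32}  # AES-128/192/256 key sizes in bytes
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# SecretKeySpec fed a string literal or an inline byte-array literal.
KEYSPEC_LITERAL = re.compile(
    r'new\s+SecretKeySpec\s*\(\s*(?:"(?P<str>[^"]*)"\s*\.getBytes'
    r"|new\s+byte\s*\[\s*\]\s*\{(?P<arr>[^}]*)\})"
)
# static final byte[] NAME = { ... } / new byte[] { ... } (may span lines).
BYTE_ARRAY_CONST = re.compile(
    r"static\s+final\s+byte\s*\[\s*\]\s+(?P<name>\w+)\s*=\s*"
    r"(?:new\s+byte\s*\[\s*\]\s*)?\{(?P<arr>[^}]*)\}"
)
# static final String NAME = "..." whose value decodes to a key-sized blob.
STRING_CONST = re.compile(r'static\s+final\s+String\s+(?P<name>\w+)\s*=\s*"(?P<val>[^"]*)"')
# IV built from an inline literal array: the same IV for every encryption.
STATIC_IV = re.compile(r"new\s+IvParameterSpec\s*\(\s*new\s+byte\s*\[\s*\]\s*\{")


def _decoded_len(s: str) -> int | None:
    """Byte length of a hex or base64 literal, or None if it is neither."""
    if len(s) % 2 == 0 and HEX_RE.match(s):
        return len(s) // 2
    if len(s) % 4 == 0 and B64_RE.match(s):
        try:
            return len(base64.b64decode(s, validate=True))
        except ValueError:
            return None
    return None


def scan_source(text: str) -> list[Finding]:
    """Return hard-coded key-material indicators found in decompiled Java, by line."""
    findings: list[Finding] = []

    def line_of(pos: int) -> int:
        return text.count("\n", 0, pos) + 1

    for m in BYTE_ARRAY_CONST.finditer(text):
        n = len([e for e in m.group("arr").split(",") if e.strip()])
        if n in KEY_LENGTHS:  # key-sized array; could also be a static IV, so review it
            findings.append(Finding(line_of(m.start()), "literal_key_bytes",
                                    f"{m.group('name')} is a {n}-byte array literal"))
    for m in STRING_CONST.finditer(text):
        n = _decoded_len(m.group("val"))
        if n in KEY_LENGTHS:
            findings.append(Finding(line_of(m.start()), "literal_key_string",
                                    f"{m.group('name')} decodes to {n} bytes"))
    for m in KEYSPEC_LITERAL.finditer(text):
        findings.append(Finding(line_of(m.start()), "keyspec_from_literal",
                                "SecretKeySpec built from a literal"))
    for m in STATIC_IV.finditer(text):
        findings.append(Finding(line_of(m.start()), "static_iv",
                                "IvParameterSpec built from a literal array"))
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for f in scan_source(SAMPLE_DECOMPILED_JAVA):
        print(f"line {f.line:3d}  {f.kind:22s}  {f.detail}")
```

Run over the sample, the scanner reports four findings: the 16-byte `KEY` array, the base64 `LEGACY_KEY` string, the `SecretKeySpec` built from a string literal, and the all-zero static IV; the harmless `PREF_NAME` string is not flagged. Any of the four means the "encryption" of stored credentials is only as strong as access to the APK, which is Nolan's point: the fix is to not store the credentials on the device at all, not to hide the key better.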
While making users aware of security issues is important, Nolan said, mobile developers are the primary intended audience.
"The goal is to get security on the mobile developers' radar. Everyone on this list who had an issue was contacted. Nobody took any steps until we started broadcasting our findings to the media," he said. "It reminds me of similar issues with Web server security back in the late '90s. It's all about education."
Since his company provides services that involve helping companies identify and solve mobile security issues with their applications, Nolan said, "Of course I'd be lying if I didn't say there was a marketing element in here too."
Ann All is the editor of eSecurity Planet and Enterprise Apps Today. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.
By Jeff Goldman
August 12, 2013