According to statistics, in 2018, mobile applications were downloaded to users’ devices more than 200 billion times. According to Marketing Land, 57% of the time spent in digital space is the time spent on programs in smartphones or tablets.
Mobile devices are firmly established in our lives: messengers, banking, business applications, personal offices of mobile operators – with the modern pace of life, we use these applications almost daily.
According to Juniper Research, the total number of users of mobile banking applications is approaching two billion, which is about 40% of the total adult population. Every third (34%) Russian citizen over 18 years of age uses the mobile bank.
Developers pay great attention to the design of software products for our gadgets, trying to make them as convenient as possible. People are eager to install mobile applications and register with them, but few ordinary users think about the security of data that we trust the manufacturers of these applications.
Positive Technologies experts regularly analyze the security of mobile applications. This report presents the statistics obtained in the course of testing the security of mobile applications for iOS and Android in 2018.
- High risk vulnerabilities are found in 38% of mobile applications for iOS and 43% of applications for Android platforms.
- Most security issues are common to both platforms. Unsecured data storage is a major drawback, detected in 76% of mobile applications. Passwords, financial information, personal data and personal correspondence are at risk.
- A hacker rarely needs physical access to a smartphone to steal data: 89% of vulnerabilities can be exploited using HPOs.
- Most of the vulnerabilities are related to security mechanism errors (74% and 57% for iOS and Android applications, respectively, and 42% for server parts). Such vulnerabilities are laid down at the design stage, and their elimination will require significant changes in the code.
- Risks arise not only because of individual vulnerabilities on the client or server; threats are often caused by several seemingly insignificant flaws in different parts of the mobile application, which together can lead to serious consequences, including financial losses for users and reputational losses for the manufacturer.
- The success of a cyberattack on a mobile application depends directly on the user’s own attention to data security. A prerequisite for hacking may be increased privileges or downloaded programs from an unofficial source.
How mobile applications work
Mobile application development is a trend, its technologies are constantly evolving. Most modern solutions have client-server architecture. The client works under the mobile operating system; most often it is Android or iOS.
The client part is loaded on the device from the so-called app store – a specialized site where developers place their systems.
From the point of view of an ordinary user, the program installed on the smartphone is a mobile application, because it is with it that he interacts directly: makes purchases, pays bills, and looks through the mail. But in reality, there is another component, which is commonly called a server.
The server part is on the side of the developer. Often its role is performed by the same software that is responsible for the generation and processing of content on the site.
In other words, most often the server part is a web application that communicates with the mobile client via the Internet through a special interface (API).
The server can rightfully be considered the main part: here the information is processed and stored; besides, it is responsible for synchronization of user data between devices.
Vulnerabilities of client parts
- 60% of vulnerabilities are concentrated in the client side
- 89% of vulnerabilities can be exploited without physical access to the device
- 56% of vulnerabilities can be exploited without administrative rights (jailbreak or root)
Android applications with critical vulnerabilities are slightly more common than iOS applications (43% vs. 38%).
However, this difference is not significant, and the overall level of security of the client parts of mobile applications for Android and iOS is approximately the same. About a third of all vulnerabilities in the client portions of mobile apps for both platforms have a high level of risk.
Unsafe use of interprocess communication is a common critical vulnerability that allows an attacker to remotely access data processed in a vulnerable mobile application. Let’s look at it in more detail.
The Android operating system provides a mechanism for interaction between application components via messages (Intent class objects).
If broadcasting is used for message exchange, the sensitive data contained in these messages can be compromised by malware that has registered its BroadcastReceiver component.