Most apps have vulnerabilities outside of their source code, warns HP
Nearly 80 percent of apps reviewed by HP contained vulnerabilities outside of their source code, indicating that misconfigured software is a growing security problem for enterprises.
In addition, 56 percent of the apps tested had weaknesses that revealed information about the application, its implementation or its users, according to HP's Cyber Risk Report 2013, released on Monday.
Close to half of the mobile apps examined by HP used encryption improperly. Mobile app developers often either do not encrypt sensitive data at all when storing it on the device, or they use weak algorithms or misuse stronger encryption capabilities, judges HP Security Research.
Unfortunately, hybrid development frameworks for mobile apps do not address many well-known security issues, HP warns.
Varying definitions of "malware" make risk analysis difficult. HP examined half a million Android apps and found discrepancies between how antivirus engines and mobile platform vendors classify malware. This complicates the task of blocking malware from entering corporate networks.
For Java users, sandbox bypass vulnerabilities were the most prevalent and damaging, judges HP. Attackers are ramping up their exploitation of Java by simultaneously targeting multiple known and zero-day vulnerabilities in combined attacks to breach specific targets.
"Adversaries today are more adept than ever and are collaborating more effectively to take advantage of vulnerabilities across an ever-expanding attack surface. The industry must band together to proactively share security intelligence and tactics in order to disrupt malicious activities driven by the growing underground marketplace," says Jacob West, chief technology officer with HP Enterprise Security Products.
- check out HP's Cyber Risk Report 2013 (registration required)