When you think about bad mobile app security, Android tends to come to mind. The open nature of Android makes it (theoretically) easier for malicious apps to find their way into the app store and onto users’ devices. While intentionally malicious apps may be a problem for Android, when it comes to data leaks and the loss of personal information iOS is actually a bigger security offender, according to Veracode’s recent State of Software Security report. From Computer Weekly:
Surprisingly, 26% of Android apps exhibited information leakage bugs, compared with 42% on iOS. This covers the leakage of personal information such as email, text messages, GPS coordinates, and the content of users’ address books.
“When you install Android, it requests access to certain phone functionality. The app developer has to request explicit access, while on iOS a developer does not have to request access,” said [Chris Eng, vice-president of research at Veracode].
Even when developers take extra steps to make their apps secure, their approach may be misguided. Building cryptographic protection for user data into an app can actually make its security worse if it is done incorrectly, and this problem affects both major mobile operating systems.
Overall, cryptographic issues affected a sizeable portion of Android (64%) and iOS (58%) applications.
The report warned that using cryptographic mechanisms incorrectly can make it easier for attackers to compromise the application. Cryptographic keys are used to protect transmitted or stored data.
It found that in some applications, developers had hard-coded a cryptographic key directly into a mobile application. Should these hard-coded keys be compromised, any security mechanisms that depend on the privacy of the keys are rendered ineffective.
Mobile app security is complicated. Developers and testers need to keep working to understand the issues and learn how to best address them.
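The hard-coded key problem described in the report is one that a simple static check can surface before release. The following is an added example, not code from Veracode, Computer Weekly or any app: it flags string or byte-array literals of AES key length that are assigned to key-like identifiers in Java, Kotlin or Swift source, and the sample lines it scans are constructed for the demonstration.

```python
import re
import base64
import binascii

# Identifiers that suggest key material, followed by an assignment.
KEY_NAME = re.compile(r'\b(\w*(?:key|secret|passphrase)\w*|iv)\s*[:=]', re.IGNORECASE)
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
BRACE_LIST = re.compile(r'\{([^{}]*)\}')
AES_KEY_SIZES = {16, 24, 32}  # bytes: AES-128, AES-192, AES-256

def literal_byte_lengths(literal):
    """Yield (encoding, byte length) for the ways a string literal might encode a key."""
    hex_body = literal[2:] if literal.lower().startswith("0x") else literal
    if hex_body and len(hex_body) % 2 == 0 and re.fullmatch(r'[0-9a-fA-F]+', hex_body):
        yield "hex", len(hex_body) // 2
    try:
        yield "base64", len(base64.b64decode(literal, validate=True))
    except (binascii.Error, ValueError):
        pass
    yield "utf-8", len(literal.encode("utf-8"))

def scan_source(lines):
    """Return one finding per line that assigns an AES-sized literal to a key-like name."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        name = KEY_NAME.search(line)
        if not name:
            continue
        candidates = []
        for literal in STRING_LITERAL.findall(line):
            candidates.extend(literal_byte_lengths(literal))
        for body in BRACE_LIST.findall(line):  # Java/Kotlin byte[] initialisers
            elements = [e for e in body.split(",") if e.strip()]
            candidates.append(("byte-array", len(elements)))
        for encoding, nbytes in candidates:
            if nbytes in AES_KEY_SIZES:
                findings.append({"line": lineno, "name": name.group(1),
                                 "encoding": encoding, "bytes": nbytes})
                break
    return findings

# Constructed sample lines (not taken from any real app); the last one loads the key
# from a platform keystore instead of embedding it and should not be flagged.
SAMPLE = [
    'private static final byte[] KEY = {0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50};',
    'val aesKey = "00112233445566778899aabbccddeeff"',
    'let secret = "sixteen byte key"',
    'static let apiKeyB64 = "' + "A" * 43 + '="',
    'SecretKey key = (SecretKey) keyStore.getKey("alias", null);',
]
```

A hit only means a literal of key size sits next to a key-like name; review each finding by hand, since test fixtures and non-secret identifiers can match too.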