Application security continues to be a growing concern according to respondents of the latest (ISC)2 2015 Global Information Security Workforce Study. Consistent with the past two (ISC)² studies in 2011 and 2013, application vulnerabilities and malware are at the top of the list. These concerns are trending upward as 72 percent of survey respondents in the 2015 study selected this vulnerability and threat as either a top or high concern. As mobile platforms increasingly become the choice for delivering services, applications on the mobile devices are also a top concern for information security professionals.
As more sensitive data and transaction data is transmitted on mobile communication channels, the security risks associated with unreliable communications, such as public Wi-Fi, have to be addressed. Secure Sockets Layer/Transport Layer Security (SSL/TLS) has been widely used for authentication and encryption. However, fraudsters can set up fake Wi-Fi access points and fake Secure Sockets Layer (SSL) certificates to conduct man-in-the-middle (MITM) attacks to capture sensitive data.
Fig.1 Testing Environment – Simulate MITM attack; Source: “Best Practice Guide (SSL Implementation) for Mobile App Development” jointly published by PISA & HKCERT
In view of the growing concerns, Hong Kong Professional Information Security Association (PISA), the (ISC)2 Hong Kong Chapter, the Special Interest Group of PISA and Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) conducted a study on transaction security of mobile applications in Hong Kong. Based on our target scope of the study and search criteria, we tested a total of 130 mobile apps. One-third of mobile apps that involved payment transactions and personal information collection were found to be insecure. Thirty-four percent were vulnerable (i.e. vulnerable and serious); and 62.5 percent of financial securities apps did not validate the SSL certificates. With a vision to raise the awareness of public and mobile developers on the security of SSL implementation of mobile apps, we also released a report on “Best Practice Guide (SSL Implementation) for Mobile App Development” for mobile app owners and developers to use as a reference.
The collaboration between PISA & HKCERT was a perfect match, as PISA was responsible for providing technical advice on the Guide while HKCERT utilized its proven incident response mechanism for the study. While conducting the study, we were in contact with regulatory agencies and organizations in public and private sectors to follow up on rectifying the vulnerabilities found in the mobile apps.
Fig.2 Level Distribution of 130 Apps
The release of the report is only the beginning of our efforts to raise the awareness of mobile apps security. If we, as information security professionals, can conduct this study in various economies and compare the results, we can help raise attention and foster collaboration between government, regulatory and industry stakeholders in regards to application security. — Frankie Wong, CISSP, and Eric Fan
For more information about the study, the full report and Best Practice Guide are available at:
HKCERT Security Blog: https://www.hkcert.org/my_url/en/blog/15092402
September 2015 PISA Journal: http://issuu.com/pisajournal/docs/pisa_j22
About the authors:
Frankie Wong, CISSP, (firstname.lastname@example.org), Vice-Chairperson, PISA, Hong Kong
Eric Fan (email@example.com), Hon. Secretary & Treasurer, PISA, Hong Kong