
Insecure Mobile Apps: An Urgent Call for Best Practices in App Development


(ISC)2-Logo

App Dev

Application security continues to be a growing concern according to respondents to the latest (ISC)² 2015 Global Information Security Workforce Study. Consistent with the past two (ISC)² studies in 2011 and 2013, application vulnerabilities and malware are at the top of the list. These concerns are trending upward: 72 percent of survey respondents in the 2015 study selected this vulnerability and threat as either a top or high concern. As mobile platforms increasingly become the channel of choice for delivering services, applications on mobile devices are also a top concern for information security professionals.

As more sensitive data and transaction data are transmitted over mobile communication channels, the security risks associated with untrusted networks, such as public Wi-Fi, have to be addressed. Secure Sockets Layer/Transport Layer Security (SSL/TLS) is widely used for authentication and encryption. However, fraudsters can set up rogue Wi-Fi access points and present forged SSL certificates to mount man-in-the-middle (MITM) attacks and capture sensitive data; the protection only holds if the app actually validates the certificate it receives.

Fig. 1: Testing Environment – Simulated MITM attack. Source: “Best Practice Guide (SSL Implementation) for Mobile App Development”, jointly published by PISA & HKCERT

In view of the growing concerns, the Hong Kong Professional Information Security Association (PISA), the (ISC)² Hong Kong Chapter, the Special Interest Group of PISA and the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) conducted a study on the transaction security of mobile applications in Hong Kong. Based on our target scope of the study and search criteria, we tested a total of 130 mobile apps. One-third of the mobile apps that involved payment transactions and personal information collection were found to be insecure. Thirty-four percent were vulnerable (i.e. vulnerable and serious), and 62.5 percent of financial securities apps did not validate the SSL certificates. With a vision to raise the awareness of the public and of mobile developers on the security of SSL implementation in mobile apps, we also released a report, “Best Practice Guide (SSL Implementation) for Mobile App Development”, for mobile app owners and developers to use as a reference.
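The failure the study measured is an app that accepts whatever certificate the other end of the connection presents. The following is an added example, not code from the study or the Best Practice Guide: it shows the client-side checks that distinguish a certificate for the intended server from one a rogue access point would present (hostname matching and validity period), together with a small audit of TLS client settings that flags the "accept everything" configuration. The certificates are constructed sample dictionaries in the shape Python's ssl.getpeercert() returns; the host names and dates are made up for the example. Chain validation against the trusted CA store is left to the TLS library (verify_mode=CERT_REQUIRED); these checks sit on top of it.

```python
import ssl
import time

# Constructed sample certificates (not real ones) in the dict shape that
# ssl.SSLSocket.getpeercert() returns, limited to the fields used below.
LEGIT_CERT = {
    "subject": ((("commonName", "api.example-bank.test"),),),
    "subjectAltName": (("DNS", "api.example-bank.test"),
                       ("DNS", "www.example-bank.test")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2026 GMT",
}
# A certificate issued for a different name, as a rogue hotspot would present.
ROGUE_CERT = {
    "subject": ((("commonName", "*.hotspot-login.test"),),),
    "subjectAltName": (("DNS", "*.hotspot-login.test"),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2026 GMT",
}
# Constructed "current time" values so the checks are reproducible offline.
NOW_VALID = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")
NOW_LATE = ssl.cert_time_to_seconds("Jan  1 00:00:00 2030 GMT")


def dns_name_matches(pattern, hostname):
    """Match one dNSName entry against a hostname using the RFC 6125 rules."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # A wildcard may only be the whole left-most label and needs at least two
    # further labels, so "*.test" or "api*.example.test" never match anything.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    # The wildcard covers exactly one label: "a.b.example.test" is not matched.
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True if the certificate's SAN (or, failing that, its CN) names the host."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # fall back to the CN only when there is no SAN at all
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return any(dns_name_matches(name, hostname) for name in names)


def verify_peer(cert, hostname, now=None):
    """Return the reasons to reject the certificate; an empty list means accept."""
    now = time.time() if now is None else now
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append("hostname mismatch")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    return problems


def secure_client_context():
    """The configuration an app should ship with: chain and hostname checked."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def insecure_client_context():
    """The anti-pattern the study found: verification switched off, typically to
    silence certificate errors during development and never switched back on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE is set
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Flag settings under which a MITM certificate would be accepted."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: the chain is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid cert for any other name is accepted")
    return findings


if __name__ == "__main__":
    print("legit cert for api.example-bank.test:",
          verify_peer(LEGIT_CERT, "api.example-bank.test", NOW_VALID))
    print("rogue cert for api.example-bank.test:",
          verify_peer(ROGUE_CERT, "api.example-bank.test", NOW_VALID))
    print("secure context findings:", audit_context(secure_client_context()))
    print("insecure context findings:", audit_context(insecure_client_context()))
```

The audit_context check is the kind of assertion worth putting in an app's automated tests: the accept-all context is usually introduced deliberately to get past a self-signed staging certificate, and a unit test that fails whenever verify_mode or check_hostname is relaxed is what keeps it from reaching production.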

The collaboration between PISA & HKCERT was a perfect match, as PISA was responsible for providing technical advice on the Guide while HKCERT utilized its proven incident response mechanism for the study. While conducting the study, we were in contact with regulatory agencies and organizations in public and private sectors to follow up on rectifying the vulnerabilities found in the mobile apps.

Fig. 2: Level Distribution of 130 Apps

The release of the report is only the beginning of our efforts to raise awareness of mobile app security. If we, as information security professionals, can conduct this study in various economies and compare the results, we can help raise attention and foster collaboration between government, regulatory and industry stakeholders with regard to application security. — Frankie Wong, CISSP, and Eric Fan

For more information about the study, the full report and Best Practice Guide are available at:

HKCERT Security Blog: https://www.hkcert.org/my_url/en/blog/15092402

September 2015 PISA Journal: http://issuu.com/pisajournal/docs/pisa_j22

About the authors:

Frankie Wong, CISSP, (frankie.wong@pisa.org.hk), Vice-Chairperson, PISA, Hong Kong

Eric Fan (eric.fan@pisa.org.hk), Hon. Secretary & Treasurer, PISA, Hong Kong

[(ISC)² Blog]

About @PhilipHungCao

@PhilipHungCao, CISM, CCSP, CCSK, CASP, CIW-WSP, GICSP, PCNSE, ACSP, CCDA, DCSE, JNCIA, MCTS, MCSA, VCP5-DCV, VCP6-NV, ZCNT is a #TekF@rmer. He has 16 years' experience in ICT/Cybersecurity industry in various sectors & positions.
