Why the iOS app security fears may be missing the mark
Brett Wickenden, technical operations director, Mubaloo
Last month, a study was released about purported security vulnerabilities in iOS devices. We'd like to clarify that when reading through HP's press release, there is no mention of iOS apps or devices - however, it is being reported that the study singled out iOS apps.
We therefore decided to take a closer look.
The study used HP’s new “Fortify on Demand for Mobile” platform to test the security on 2,107 apps published by 601 companies on the Forbes Global 2,000. The main headline was that 90% of mobile applications have at least one security vulnerability.
The results showed that:
- 86% of the applications accessed potentially private data sources
- 86% lacked binary hardening protection
- 75% of apps did not encrypt data before storing it on the device
- 18% of apps transmitted data over the network without using SSL encryption; of the 82% that did use SSL, 18% did so incorrectly
One slightly hidden statistic that was not highlighted in most of the reports was that 71% of the vulnerabilities were, in effect, problems on the server end of the application and not in the application itself.
None of the issues listed above were found in the 71% of possible server end vulnerabilities. This makes me think that these issues were not discovered during the testing.
It's important to note that the results of mobile app security tests like the ones listed above are usually separated into Critical, High, Medium and Low risks. It would have been more useful to see the percentage breakdown of these severity levels within the 90% of apps found to have issues in the study.
To get a better idea of the testing process I went to the HP site www.fortifymyapp.com to have a look at their testing tool. Helpfully, they offer a “test your tool for free” option. On selecting this I was only able to upload a .net application or Java application.
Strangely, the option to upload an iOS application wasn’t available. Not a great start, if they really were testing iOS applications as the majority of news reports appear to point to. To understand whether the results from the study were something to worry about, I looked at their sample report to see which vulnerabilities were being checked for.
None of the vulnerabilities in the report appeared to relate to iOS applications, but instead concentrated on Java and .Net vulnerabilities. I’ve contacted them to see how it’s possible to test an iOS app but am still currently waiting for a response.
Contextually there isn't enough information on the data provided within the tested applications to find out which data was being exposed or at risk. It is possible that the applications tested made use of data that did not require SSL encryption when transmitting. If they are used by large companies, it may be that the data isn’t sensitive.
Data stored on a device running iOS 7 has various levels of encryption, the highest level being password storage. Had the issues of unencrypted password storage, or the transport of those passwords, been sufficiently numerous, they would have been reported as a statistic of their own rather than folded into the figures for all data stored or transported by the 2,107 applications tested.
In summary the report, according to what HP has released, points to web and Java apps rather than any specific native mobile applications. Whether media outlets have then been told that the apps were iOS to create scaremongering or not, we don't know.
As we have so far been unable to test the effectiveness of HP’s application security testing product on iOS apps, we cannot judge whether the severity of the issues found during their testing is sufficient to back the headline statistics given in the generalisation of this report.
Mobile app development is still in its infancy and as such the tools available to test mobile apps are very limited. We would recommend that anyone looking for mobile app testing services make sure that what they are paying for caters for the specifics of the mobile platforms and development languages in use, such as iOS.
If not, you may find that the tool you are using has been designed for testing conventional client and web applications and simply rebranded. Although such tools produce important test results that should be looked into, you may equally find that the results either miss important errors or lead you down a costly path of investigation that turns out to be irrelevant to your product.