Most mobile apps vulnerable to malware

iOS and Android apps equally vulnerable to being exploited remotely by malware, report reveals

Attackers rarely need physical access to a victim’s smartphone to steal data, according to the latest annual mobile applications security report by Positive Technologies.

Expert testing of iOS and Android mobile applications shows that in most cases, insecure data storage is the most common security flaw in mobile apps, reveals the Vulnerabilities and threats in mobile applications 2019 report.  

Insecure data storage was identified as a vulnerability in 76% of mobile apps and in some cases could enable hackers to steal passwords, financial information, personal data and correspondence.

Although the research found that critical vulnerabilities are slightly more common in Android applications (43%), compared with their iOS counterparts, the report said experts view this difference as minimal, which means the security level of mobile apps on both operating systems is roughly equal.

Of the vulnerabilities found, 89% could be exploited by malware. The risk of infection jumps on rooted and jailbroken devices, but malware can also elevate privileges by itself, the research shows. Once on the victim’s device, malware can ask for permission to access user data and, if permission is granted, the malware can send data to the attackers.

Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies, said: “In 2018, mobile apps were downloaded onto user devices over 205 billion times, and while developers pay painstaking attention to software design in order to give us a smooth and convenient experience, an alarming number of apps are critically insecure because far less developer attention is spent on solving that issue.

“Stealing data from a smartphone usually doesn’t even require physical access to the device, and we therefore recommend that users take a close look when applications request access to phone functions or data. Anyone in doubt that an application needs access to perform its job correctly, should decline the request.”

Read more about mobile malware

Users can also protect themselves by being vigilant and not opening unknown links in text messages and chat apps, said Galloway, and by not downloading apps from third-party app stores. “It is better to be safe than sorry,” she added.

The research also shows that the server side of applications hosted by the developer and responsible for storing, processing and synchronising information, is just as weak as the client side.

Some 43% of server-side components have a poor, or extremely poor, protection level, the research shows, and 33% contain critical vulnerabilities. The most common high-severity vulnerabilities on the server side include insufficient authorisation and information leakage.

Read more on Hackers and cybercrime prevention