- Almost all corporate mobile applications carry security risks, experts warn
- The most common flaws include misconfigured cloud storage, hard-coded credentials and outdated cryptography
- Zimperium shares its advice on how to stay safe
If your business uses mobile applications, there is a good chance that those applications leak sensitive information and expose your operation to data breaches, loss of trust, regulatory fines and a whole host of other headaches.
Zimperium cybersecurity researchers analyzed more than 17,000 corporate mobile applications and found a wide range of vulnerabilities, including misconfigured cloud storage, hard-coded credentials and outdated cryptography. The problems were not tied to a particular platform, although far more of the affected apps ran on iOS (11,626, versus 6,037 on Android).
Breaking the figures down, the researchers found 83 Android applications with misconfigured or otherwise unprotected cloud storage, and 10 Android applications with exposed AWS credentials.
Almost all of the applications analyzed used weak or flawed cryptography, and five of the top 100 applications had high-severity cryptographic flaws. Others, also in the top 100, had storage directories exposed to the public.
“Our research has revealed that 88% of all applications and 43% of the top 100 use one or more cryptographic methods that do not follow best practices,” the researchers said. “In some cases, high-severity cryptographic flaws.”
To avoid these risks, Zimperium suggests that each company's mobile device fleet manager gain visibility into how its applications actually behave. That way they can identify misconfigured cloud storage settings, detect exposed credentials and API keys, and assess the security of the cloud services the apps rely on.
In addition, they should validate encryption methods and key management, identify outdated or weak algorithms, assess the security of embedded SDKs, validate third-party cryptographic implementations, and monitor for known vulnerabilities.
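As an added illustration of two of the checks listed above (detecting exposed cloud credentials and API keys, and flagging outdated or weak algorithms), here is a small static triage script. It is not Zimperium's tooling and not code from the article. It assumes you have already unpacked the app package and dumped its printable strings (for an APK, something like `unzip -o app.apk -d out && strings -n 8 out/classes.dex`; for an IPA, `strings` over the main Mach-O binary), and it runs over that text. The sample strings below are constructed; the AWS key pair in them is the placeholder pair AWS uses in its own documentation, not a live credential. The block/review/allow policy at the end is a hypothetical one, added to show how findings could feed an app-authorization decision.

```python
"""Static triage of strings dumped from a mobile app package.

Added example; not Zimperium's tooling. Input is assumed to be the output of
`strings` over an unpacked APK/IPA. Three checks are run per line:
  * hard-coded AWS credentials (access key ID, secret key)
  * references to cloud storage endpoints whose ACLs should be verified
  * weak or outdated crypto algorithm identifiers (JCA/CommonCrypto style)
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str  # "credential", "cloud_storage" or "weak_crypto"
    detail: str    # the matched token, URL or algorithm name
    line: str      # the full string it came from, for manual triage


# AWS access key IDs are 20 chars: AKIA (long-term) or ASIA (temporary) + 16.
AWS_ACCESS_KEY = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret keys are 40 base64-ish chars; only match when a nearby name says
# "secret" so that hashes and random tokens of the same shape are not flagged.
AWS_SECRET_KEY = re.compile(r"(?i)aws[_-]?secret[^\n]{0,20}?([A-Za-z0-9/+=]{40})\b")
# Cloud storage endpoints: each one found should have its ACL/rules checked
# from outside the app (anonymous list/read attempts), not just noted.
CLOUD_STORAGE = re.compile(
    r"https?://[a-z0-9.-]+\.(?:s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com|"
    r"firebaseio\.com|blob\.core\.windows\.net|storage\.googleapis\.com)[^\s\"']*",
    re.I,
)
# Algorithm identifiers as they appear in getInstance()/transformation strings.
WEAK_ALGORITHMS = {
    "MD5": re.compile(r"\bMD5\b", re.I),
    "SHA-1": re.compile(r"SHA-?1(?![0-9])", re.I),   # also catches HmacSHA1, SHA1withRSA
    "DES": re.compile(r"\b(?:DES|3DES|DESede)\b"),    # case-sensitive: "des" is a common word
    "RC4": re.compile(r"\b(?:RC4|ARCFOUR)\b", re.I),
    "AES/ECB": re.compile(r"\bAES/ECB\b", re.I),
    "RSA no padding": re.compile(r"\bRSA/[A-Z]+/NoPadding\b", re.I),
}


def scan_strings(text):
    """Return a list of Findings for every suspicious string in `text`."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for m in AWS_ACCESS_KEY.finditer(line):
            findings.append(Finding("credential", m.group(0), line))
        for m in AWS_SECRET_KEY.finditer(line):
            findings.append(Finding("credential", m.group(1), line))
        for m in CLOUD_STORAGE.finditer(line):
            findings.append(Finding("cloud_storage", m.group(0), line))
        for name, rx in WEAK_ALGORITHMS.items():
            if rx.search(line):
                findings.append(Finding("weak_crypto", name, line))
    return findings


def summarize(findings):
    """Count findings per category, e.g. {"credential": 2, "weak_crypto": 3}."""
    return dict(Counter(f.category for f in findings))


def verdict(findings):
    """Hypothetical authorization policy (an assumption, not Zimperium's):
    any embedded credential blocks the app outright; weak crypto or storage
    references send it to manual review; otherwise it may be allowed."""
    categories = {f.category for f in findings}
    if "credential" in categories:
        return "block"
    if categories & {"weak_crypto", "cloud_storage"}:
        return "review"
    return "allow"


# Constructed sample: what `strings` might yield for a poorly built app.
# The AWS key pair is the documentation placeholder pair, not a real key.
SAMPLE_STRINGS = """\
Landroid/os/Bundle;
https://acme-mobile-uploads.s3.us-west-2.amazonaws.com/
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Cipher.getInstance("AES/ECB/PKCS5Padding")
MessageDigest.getInstance("MD5")
HmacSHA1
https://api.example.com/v2/login
SHA-256
"""

if __name__ == "__main__":
    results = scan_strings(SAMPLE_STRINGS)
    for f in results:
        print(f"[{f.category}] {f.detail}  <-  {f.line}")
    print(summarize(results), "->", verdict(results))
```

The script deliberately keeps the credential matcher narrow (an access-key prefix plus a secret only when labelled as such) so that a fleet manager is not buried in false positives; the price is that secrets stored under unusual names are missed, which is why the weak-crypto and storage-endpoint findings should still go to a human review rather than being treated as a complete picture.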
“We cannot change the applications, but we can choose which applications we authorize in order to keep our data secure,” they concluded.