- Almost all enterprise mobile apps carry security risks, researchers warn
- The most common flaws include misconfigured cloud storage, hardcoded credentials and outdated cryptography
- Zimperium shares its advice on how to stay safe
If your company uses mobile apps, there is a good chance those apps are leaking sensitive information and exposing the whole operation to data breaches, loss of trust, regulatory fines and a string of other headaches.
Cybersecurity researchers at Zimperium analyzed more than 17,000 enterprise mobile apps and found plenty of serious vulnerabilities, such as misconfigured cloud storage, hardcoded credentials and outdated cryptography. The flaws were not tied to a particular platform, although the researchers reported significantly more vulnerable iOS apps (11,626 on iOS versus 6,037 on Android). One caveat when reading those numbers: together they add up to the full sample of more than 17,000 apps, so they may reflect the platform split of the apps analyzed rather than a count of confirmed-vulnerable apps.
Breaking down the numbers, the researchers found 83 Android apps with misconfigured or unprotected cloud storage, and 10 Android apps with exposed AWS credentials.
Almost every app analyzed used weak or flawed cryptography, and five of the top 100 apps had high-severity cryptographic flaws. Others, also from the top 100, had storage directories exposed to the public.
“Our research found that 88% of all apps and 43% of the top 100 use one or more cryptographic methods that do not follow best practices,” the researchers said. “In some cases, high-severity cryptographic flaws.”
To mitigate these risks, Zimperium suggests that the people administering a company's mobile device fleet gain visibility into how apps actually behave. That way they can identify misconfigured cloud storage, detect exposed credentials and API keys, and assess the security of cloud service integrations.
They should also validate encryption methods and key management, identify outdated or weak algorithms, assess the security of embedded cloud SDKs, validate third-party cryptographic implementations and monitor for known vulnerabilities.
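The checks above (exposed credentials and API keys, cloud storage references, weak or misused algorithms) can be triaged with a first-pass static scan of the strings in an app build. The script below is an added illustration written for this page; it is not Zimperium's tooling or anything the report describes. It assumes you have already pulled text out of an unpacked APK/IPA (for example with `strings` or a decompiler) and feeds that text to a few regex-based detectors. The sample input is constructed for the example; the AWS access key and secret in it are the placeholder values AWS uses in its own documentation, not live credentials.

```python
"""Static triage of strings extracted from a mobile app build (constructed example)."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str   # "exposed_credential", "weak_crypto" or "cloud_storage"
    line_no: int
    evidence: str   # the matched text
    note: str       # why it matters / what to check next


# AWS access key IDs: long-term keys start with AKIA, temporary ones with ASIA.
AWS_ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Secret-looking assignments such as api_key = "..." or password: '...'
# (heuristic; expect some false positives on test fixtures and docs).
SECRET_ASSIGN_RE = re.compile(
    r"(?i)\b(?:aws_secret_access_key|api[_-]?key|secret|password)\b"
    r"\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)

# Virtual-hosted-style S3 bucket hostnames, with or without a region label.
S3_HOST_RE = re.compile(
    r"\b[a-z0-9.-]+\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com\b", re.IGNORECASE
)

# JCE-style algorithm identifiers that indicate outdated or misused crypto.
WEAK_CRYPTO_PATTERNS = [
    (re.compile(r"AES/ECB"), "ECB mode leaks plaintext structure; use AES/GCM"),
    (re.compile(r'Cipher\.getInstance\(\s*"AES"\s*\)'),
     'Cipher.getInstance("AES") defaults to ECB on Java/Android; name the mode explicitly'),
    (re.compile(r"\bDES/"), "single DES has a 56-bit key; use AES"),
    (re.compile(r"DESede"), "3DES has a 64-bit block (Sweet32) and is deprecated; use AES"),
    (re.compile(r"\bRC4\b"), "RC4 keystream biases are practical; use AES-GCM or ChaCha20-Poly1305"),
    (re.compile(r"MD5"), "MD5 is collision-broken; use SHA-256 or stronger"),
    (re.compile(r"SHA-?1(?![0-9])"), "SHA-1 is collision-broken; use SHA-256 or stronger"),
]

# Constructed sample: what `strings` might return for a careless app build.
# The AWS key and secret are the documentation placeholders published by AWS.
SAMPLE_APP_STRINGS = """\
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
Cipher.getInstance("AES/ECB/PKCS5Padding")
MessageDigest.getInstance("MD5")
Cipher.getInstance("AES/GCM/NoPadding")
https://example-bucket.s3.amazonaws.com/uploads/
"""


def scan_app_strings(text: str) -> list[Finding]:
    """Run every detector over each line and collect findings in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append(Finding("exposed_credential", line_no, m.group(0),
                                    "AWS access key ID embedded in the app; rotate it and move the call behind a backend"))
        for m in SECRET_ASSIGN_RE.finditer(line):
            findings.append(Finding("exposed_credential", line_no, m.group(0),
                                    "secret assigned in client code; anyone with the binary can read it"))
        for m in S3_HOST_RE.finditer(line):
            findings.append(Finding("cloud_storage", line_no, m.group(0),
                                    "S3 bucket referenced by the app; verify its public access block and bucket policy"))
        for pattern, note in WEAK_CRYPTO_PATTERNS:
            for m in pattern.finditer(line):
                findings.append(Finding("weak_crypto", line_no, m.group(0), note))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category, e.g. {'exposed_credential': 2, 'weak_crypto': 2, 'cloud_storage': 1}."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    results = scan_app_strings(SAMPLE_APP_STRINGS)
    for f in results:
        print(f"line {f.line_no:>3}  {f.category:<18} {f.evidence}\n      -> {f.note}")
    print(summarize(results))
```

Treat the output as a work list, not a verdict: a hit on `AES/GCM` is correctly absent, but a hit on `MD5` may be a harmless checksum, and an S3 hostname only tells you which bucket policy to go and read. The value of the scan is that it turns "validate encryption methods" and "detect exposed credentials" into concrete file and line references an app owner can act on before the app is allowed onto the fleet.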
“We cannot change the apps, but we can choose which apps we allow, to guarantee the safety of our data,” they concluded.