Enterprise mobile apps riddled with sloppy data security

Nine out of 10 business-focused applications for mobile devices use poor encryption and data protection practices that could put organizations at risk of devastating data leaks.

Security vendor Zimperium studied some 54,000 applications for Android and iOS and found what it termed an “alarming” number of instances in which user and company data could potentially be exposed through data leaks.

“Unlike data breaches, which typically result from external intrusion attempts, data leaks often stem from negligence, poor security practices or inadequate data handling processes within the applications themselves,” the Zimperium team explained.

To that end, the researchers identified a number of issues that could potentially serve as the source of leaks. In one instance, the team found 10 Android apps that were not only collecting credentials but also exposing company AWS credentials. Such back-end security shortcomings can be catastrophic: mobile user data breaches have already occurred as the result of a compromise of the AWS server hosting an app’s cloud data.

Additionally, more than 100 Android apps were found to rely on cloud services that were misconfigured or left exposed, potentially allowing attackers to access stored data.

The biggest issue, however, was the use of encryption. The researchers found that 88% of the apps they tested used encryption techniques that did not adhere to industry best practices. This included mistakes such as keeping hard-coded cryptographic keys stored locally on the device, reusing the same keys on multiple occasions, and relying on insecure random number generators to create new keys. In other cases, the apps were found to be using outdated encryption algorithms that could allow intercepted or stolen keys to be deciphered by threat actors and leveraged for further attacks on an organization.

“These vulnerabilities create opportunities for attackers to intercept, decrypt, and exploit sensitive data, potentially leading to unauthorized access to enterprise systems and information,” the Zimperium team noted.

As a result, the Zimperium team warns that organizations are being left vulnerable not only to the loss of data through leakage, but also to enforcement action for violating compliance standards, and to large-scale data breaches resulting from compromised credentials that give threat actors a foothold.

The vendor recommends that organizations take a close look at enterprise apps before clearing them for employee use. This includes checking an app’s SDKs and its cloud service integrations and policies. Administrators should also examine the app’s encryption algorithm and the way in which it is implemented and configured within the app.
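The three key-handling mistakes the researchers call out (keys from an insecure seeded PRNG, hard-coded keys, and one key reused for several purposes) are shown below as an added example, not code from the article or from Zimperium. The key purposes and literals are constructed; the `audit_keys` helper is a hypothetical review aid, not a Zimperium tool.

```python
import random
import secrets
from collections import defaultdict


# Constructed example of the mistake: deriving a key from a seeded Mersenne
# Twister PRNG. The same seed always yields the same "key", so its entropy is
# bounded by the seed (often a timestamp), not by the key length.
def weak_key_from_seed(seed: int, nbytes: int = 32) -> bytes:
    rng = random.Random(seed)
    return rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big")


# Corrected version: key material comes from the OS CSPRNG via `secrets`.
def strong_key(nbytes: int = 32) -> bytes:
    return secrets.token_bytes(nbytes)


# Review helper (hypothetical): given the keys an app uses, labelled by
# purpose, and the byte literals extracted from its build, report keys that
# are hard-coded in the binary, reused across purposes, or too short.
def audit_keys(keys_by_purpose: dict, embedded_literals: set) -> dict:
    findings = {"hard_coded": [], "reused": [], "short": []}
    purposes_per_key = defaultdict(list)
    for purpose, key in keys_by_purpose.items():
        purposes_per_key[key].append(purpose)
        if key in embedded_literals:          # key literal shipped in the app
            findings["hard_coded"].append(purpose)
        if len(key) < 16:                     # under 128 bits of key material
            findings["short"].append(purpose)
    for key, purposes in purposes_per_key.items():
        if len(purposes) > 1:                 # one key serving several roles
            findings["reused"].append(sorted(purposes))
    return findings


if __name__ == "__main__":
    # Seeded PRNG keys are reproducible; CSPRNG keys are not.
    assert weak_key_from_seed(1700000000) == weak_key_from_seed(1700000000)
    assert strong_key() != strong_key()
    # Constructed app: one literal key used for both the database and tokens.
    shipped = b"0123456789abcdef0123456789abcdef"
    report = audit_keys({"db": shipped, "token": shipped, "log": b"short"},
                        {shipped})
    for kind, hits in report.items():
        print(f"{kind}: {hits}")
```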