Android and iOS apps are equally bad at guarding user data and maintaining security, finds a new report from Boston-based information-security consulting firm Positive Technologies.
"An alarming number of apps are critically insecure," said Positive Technologies researcher Leigh-Anne Galloway in a press statement accompanying the report. "Stealing data from a smartphone usually doesn't even require physical access to the device."
A slightly larger percentage of Android apps (43% of those tested) than iOS apps (38%) had high-risk vulnerabilities, but the report says the overall difference was trivial. More iOS apps (74%) than Android apps (57%) suffered from weaknesses in security mechanisms. Overall, 76% of the apps failed to secure user data properly, which "could enable hackers to steal passwords, financial information, personal data, and correspondence."
Positive Technologies recommends that smartphone users examine the permissions each app requests and deny those that the app doesn't obviously need; use truly random PIN codes, and biometric authentication whenever possible; not root or jailbreak a device; update the operating system and apps regularly; not allow other persons or parties to install apps; and not download apps from third-party app stores.
Most users, and even many security experts, consider the software installed on a smartphone to be the "app." But just as important to many apps' functions is what happens on developers' back-end servers, which do much of the processing and authorization for the client-device apps.
"In reality, we can regard the server as the more important component," the report states. "It is where information is stored and processed. The server is also responsible for synchronizing user data between devices."
A whopping 86% of the server-side functions Positive Technologies tested were vulnerable to routine cross-site scripting attacks, while 43% either leaked information, failed to properly authorize access, or both.
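To make the three server-side weakness classes the report counts concrete, here is a small added example (not code from the report or from any app it examined; the profile records and request values are constructed). It shows one back-end handler that reflects user input into HTML unescaped, returns any user's record without checking ownership, and sends internal error details to the client, next to a hardened version, plus a self-check that exercises both with the same requests:

```python
import html

# Constructed sample data store: user id -> profile. Not taken from the report.
PROFILES = {
    1: {"name": "alice", "phone": "+1-555-0100"},
    2: {"name": "bob", "phone": "+1-555-0199"},
}


def vulnerable_profile_page(session_user_id, requested_user_id, greeting):
    """Hypothetical back-end handler with the three flaw classes the report describes.
    Returns (http_status, html_body)."""
    try:
        # Flaw 1: no authorization check. Any authenticated user can read any profile
        # simply by asking for a different id (an insecure direct object reference).
        profile = PROFILES[requested_user_id]
    except KeyError as exc:
        # Flaw 3: information leakage. Internal error details reach the client.
        return 500, f"<pre>KeyError: {exc!r} in PROFILES lookup</pre>"
    # Flaw 2: reflected cross-site scripting. `greeting` is inserted into HTML as-is.
    return 200, f"<h1>{greeting}</h1><p>{profile['name']}: {profile['phone']}</p>"


def hardened_profile_page(session_user_id, requested_user_id, greeting):
    """Same handler with the checks a back end needs. Returns (http_status, html_body)."""
    # Authorization: the caller may only read their own record. Deny before
    # touching the data so the response does not reveal whether the record exists.
    if requested_user_id != session_user_id:
        return 403, "<p>Forbidden</p>"
    profile = PROFILES.get(requested_user_id)
    if profile is None:
        # Generic message only; details belong in server-side logs.
        return 404, "<p>Not found</p>"
    # Output encoding: escape untrusted text before placing it in an HTML context.
    safe_greeting = html.escape(greeting, quote=True)
    return 200, f"<h1>{safe_greeting}</h1><p>{profile['name']}: {profile['phone']}</p>"


# Constructed self-check requests: (label, session user, requested user, greeting).
SELF_CHECK_REQUESTS = [
    ("authz", 1, 2, "hi"),                          # another user's record
    ("xss", 1, 1, "<script>alert(1)</script>"),     # markup in a text field
    ("leak", 1, 99, "hi"),                          # id that does not exist
]


def audit(handler):
    """Run the self-check requests against a handler and name the weaknesses found.
    Returns a list of finding names (empty when the handler passes)."""
    findings = []
    for label, session_user, requested_user, greeting in SELF_CHECK_REQUESTS:
        status, body = handler(session_user, requested_user, greeting)
        if label == "authz" and status == 200 and PROFILES[requested_user]["phone"] in body:
            findings.append("missing authorization")
        if label == "xss" and "<script>" in body:
            findings.append("reflected XSS")
        if label == "leak" and "KeyError" in body:
            findings.append("information leakage")
    return findings


if __name__ == "__main__":
    print("vulnerable handler:", audit(vulnerable_profile_page))
    print("hardened handler:", audit(hardened_profile_page))
```

The `audit` function is the kind of regression test a development team can keep in its CI pipeline so that a fix for one of these issues does not quietly regress; the report's point that small deficiencies accumulate is exactly why each one deserves its own automated check.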
Taken together, the flaws on both the client side and the server side create a rich environment for attackers.
"Hackers seldom need physical access to a smartphone to steal data," the report says. "Eighty-nine percent of vulnerabilities [found] can be exploited using malware."
It all adds up
Overall, it wasn't one big flaw here or there that reduced a smartphone app's security, the report said. Rather, it was the cumulative result of many smaller errors.
"Risks do not necessarily result from any one particular vulnerability on the client or server side. In many cases, they are the product of several seemingly small deficiencies in various parts of the mobile application," the report said. "Taken together, these oversights can add up to serious consequences."
The Positive Technologies researchers examined eight Android apps and nine iOS apps, as well as the server-side components of seven smartphone apps. (If both the iOS and Android versions of an app were examined, they would likely share the same back-end servers.) The app developers fully cooperated with the analyses, although the apps examined were not named in the report.