New report reveals disparity between mobile app security perception and reality

While 84% of consumers and IT execs believe mobile health apps are secure, 90% test positive for two critical security risks, according to Arxan Technologies research

Concern has been raised over mobile health apps after new research revealed most test positive for critical security problems.

Arxan Technologies has published its 5th Annual State of Application Security Report based on the analysis of 126 popular mobile health and finance apps from the US, UK, Germany, and Japan, as well as a study examining security perspectives of consumers and app security professionals.

And the results reveal a wide disparity between consumer confidence in the level of security incorporated into mobile health and finance apps and the degree to which organisations address known application vulnerabilities.

While the majority of app users and app executives believe their apps to be secure, nearly all the apps Arxan assessed, including popular banking and payment apps and regulatory body-approved health apps, proved to be vulnerable to at least two of the top 10 serious security risks.

The research findings included:

  • A combined 84% of mobile app users and mobile app executives believe their mobile health and finance apps are ‘adequately secure,’ and 63% believe that app providers are doing ‘everything they can’ to protect their apps
  • 90% of the mobile health and finance apps tested had at least two of the Open Web Application Security Project (OWASP) Mobile Top 10 Risks. More than 80% of the health apps tested that were approved by the US Food and Drug Administration (FDA) or the UK NHS were also found to have at least two of the OWASP Mobile Top 10 Risks
  • 98% of the mobile apps tested lacked binary protection – this was the most-prevalent security vulnerability identified. 83% of the mobile apps had insufficient transport layer protection. Such vulnerabilities could result in application code tampering, reverse-engineering, privacy violations, and data theft. In addition to sensitive data being taken, the vulnerabilities could lead to a health app being reprogrammed to deliver a lethal dose of medication, or a finance app to redirect the transfer of money
  • 80% of mobile app users would change providers if they knew the apps they were using were not secure. 82% would change providers if they knew alternative apps offered by similar service providers were more secure

Of the health-specific apps tested, those approved by regulatory/governing bodies are just as vulnerable as other mobile apps. 80% of the apps tested that were approved by the NHS did not adequately address at least two of the OWASP Mobile Top 10 Risks.

Android apps were shown to be more secure than iOS apps. 59% of the Android mobile finance apps tested had at least three OWASP Mobile Top 10 Risks, whereas 100% of the iOS apps tested had at least three top risks.

In its research, Arxan found few geographical discrepancies in mobile app security across the US, UK, Germany, and Japan, and iOS apps were shown to be at least as vulnerable as Android apps.

Most of the mobile health apps were susceptible to application code tampering and reverse-engineering. 100% of the apps approved by the NHS lacked binary protection, which could result in privacy violations, theft of personal health information, and tampering.

“Mobile apps are often used by organisations to help keep customers ‘sticky,’ yet in the rush to bring new apps to market, organisations tend to overlook critical security measures that are proving crucial to consumer loyalty,” said Patrick Kehoe, chief marketing officer at Arxan Technologies.

“Our research in Arxan’s 2016 State of App Security Report demonstrates that mobile app security is an important element in customer retention. Baking in robust mobile app security is not only a smart technology investment to keep the bad guys out, but also a smart business investment to help organisations differentiate from the competition and to achieve customer loyalty based on trust.”