More than half of mobile applications collect “alarming quantities” of users’ personal data, although many don’t even need to, unnecessarily increasing data security threats, according to Hewlett Packard Enterprise (HPE) research.
The HPE Mobile Application Security Report 2016 relied on findings from an exercise involving the HPE Security Fortify on Demand system, which scanned more than 36,000 iOS and Android mobile apps.
As mobile applications become more prevalent in the work environment, it’s essential that organisations understand the security vulnerabilities of mobile applications and implement mobile security best practices and policies required to protect today’s digital enterprise, said HPE.
“With attackers’ growing interest in mobile, it’s critical that developers build security into applications from the onset, and organisations take a proactive approach to data security to better protect both personal and corporate data.”
According to the report, a majority of mobile applications track your location, but not all of them need to. More than 50 percent of the scanned applications accessed geolocation data. This can create “serious privacy implications in the event of an attack”, HPE said, as an attacker can gain access to the physical location of otherwise anonymous, unsuspecting users.
While it makes sense for a traffic application to track location, the study found that more than 70 percent of education applications on iOS did as well. “This is disturbing as education applications are often marketed towards children”, said HPE.
And games and weather applications are collecting calendar data. HPE found that calendar data was accessed by more than 40 percent of the iOS games and more than 50 percent of the iOS weather apps scanned. Calendar data can be particularly sensitive, detailing not just when business meetings take place, but also the topics and invitees.
In addition, ad and analytics frameworks put your most sensitive data at risk, HPE said. These frameworks are commonplace in application development, with more than 60 percent of applications scanned using them. A framework that is misconfigured – or insecure to begin with – could be storing or transmitting a significant amount of highly specific and potentially sensitive data about users.
HPE said that if an application wants access to information that it should not need or that you do not understand, do not use the application. Granting such access could expose everything from contact data to geolocation data, which may not be necessary for the application to function.
“Be wary of applications storing large amounts of data. Avoid using applications that appear to store a lot of data locally or access data that they shouldn’t,” HPE warned.
@AntonySavvas