More than half of mobile applications are collecting “alarming” quantities of data, a new study indicates.
Hewlett Packard Enterprise’s HPE mobile application security report 2016 analyzes scans of more than 36,000 iOS and Android mobile apps, and reveals the impact of increasing data collection.
As mobile applications become more prevalent in the work environment, it’s essential that organizations understand the security vulnerabilities of mobile applications and implement mobile security best practices and policies required to protect today’s digital enterprise. Adversaries are shifting their focus to mobile platforms, with more than 10,000 new Android threats discovered per day in 2015, and an iOS malware growth rate of more than 230%.
“Modern mobile applications are collecting, transmitting and storing a wide range of data that often is not necessary to the application’s function, and can cause significant financial and reputational damage if a vulnerability is exploited,” said Jason Schmitt, vice president and general manager, HPE Security Fortify at Hewlett Packard Enterprise.
“With attackers’ growing interest in mobile, it’s critical that developers build security into applications from the onset, and organizations take a proactive approach to data security to better protect both personal and corporate data.”
Not all apps need to track your location
A majority mobile applications track your location, but not all of them need to. More than 50% of the scanned applications accessed geolocation data. This can create serious privacy implications in the event of an attack, as an attacker can gain access to the physical location of otherwise anonymous, unsuspecting users.
While it makes sense for a traffic application to track location, the study found that more than 70% of education applications on iOS did as well. This is disturbing as education applications are often marketed towards children.
The report also found that calendar data was accessed by more than 40% of the iOS games and more than 50% of the iOS weather apps scanned. Calendar data can be particularly sensitive, detailing not just when business meetings take place, but also the topics and invitees.
Ad and analytics frameworks are commonplace in application development, with more than 60% of applications scanned using these frameworks. A framework that is misconfigured – or insecure to begin with – could be storing or transmitting a significant amount of highly specific and potentially sensitive data about users.