- All of the top 10 apps fail to use secure data storage to protect Personally Identifiable Information
- All of the top apps contain at least 5 weaknesses of the 28 in total tested
- All of the apps tested are vulnerable to at least three of the OWASP Top 10 Mobile Risks
- 90% of the apps are vulnerable to Man-in-the-Middle attacks because they do not use Certificate Pinning
Wandera, the leader in mobile data security and management, today announced the findings of its comprehensive security assessment of the most popular business apps used on corporate-liable devices by enterprise customers across North America, the UK, Europe and Asia.
The ten apps analysed in the research are the ten most widely used by enterprise employees around the world, and have been downloaded an estimated 1.4 billion times from the Google Play store. Within Apple’s App Store, they fall within the top 0.05% of all published apps and are primarily classified in the business and productivity categories. The apps were put through an extensive security assessment, using the Open Web Application Security Project (OWASP) Mobile Security Risks as a foundation.
According to the OWASP test, the most common vulnerabilities impacting the ten mobile apps are insecure data storage, insufficient transport layer protection, lack of binary protections and poor authorisation and authentication.
Key findings from the report include:
- 10 out of the 10 apps are vulnerable to at least three of the OWASP Top 10 Mobile Risks, including the two most fundamental issues: data storage security and data transport security.
- 10 out of the 10 apps contain at least five of the 28 weaknesses tested and fail to use secure data storage to protect Personally Identifiable Information.
- 9 out of the 10 apps do not use Certificate Pinning at all, and are therefore vulnerable to Man-in-the-Middle attacks (the single application that does use this protection mechanism fails to implement it properly).
- 8 out of the 10 apps allow the use of weak passwords and 3 out of 10 apps allow the use of weak encryption.
“In our increasingly mobile world, enterprises need to gain complete visibility in order to maintain control of their mobile data, ensure compliance and prevent mobile security threats,” comments Eldar Tuvey, CEO of Wandera. “Security is an essential concern when it comes to mobile app development and it should not be sacrificed for the sake of speed and convenience.”
The report encourages enterprises to take a careful approach to mobile security to ensure devices are protected both on the corporate premises and off. The report concludes that data leaks from poorly designed apps and device vulnerabilities might be used as building blocks in more targeted cyber attacks.
The full report, “Assessing the Security of 10 Top Enterprise Apps Report” is available for download here.