Most mobile financial and health apps have critical vulnerabilities, Arxan report finds


Most mobile financial and health apps contain critical vulnerabilities, according to a new report from app security provider Arxan Technologies.

In an analysis of 126 popular mobile health and finance apps, the 2016 State of Application Security Report found that 90 percent of the apps carried at least two of the Open Web Application Security Project's Mobile Top 10 Risks.

In addition, more than 80 percent of the health apps tested that were approved by the U.S. Food and Drug Administration or the U.K.'s National Health Service were found to have at least two of the OWASP Mobile Top 10 Risks.

Almost all of the mobile apps tested lacked binary protection, while 83 percent had insufficient transport layer protection. Other vulnerabilities included weak server side controls, insecure data storage, unintended data leakage, poor authorization and authentication, broken cryptography, client side injection, security decisions via untrusted inputs, and improper session handling. These vulnerabilities could lead to application code tampering, reverse-engineering, privacy violations, data theft and other malicious activity.

Despite the insecure state of most mobile apps, 84 percent of mobile app users and mobile app executives believe that their apps are "adequately secure," and 63 percent believe that app providers are doing "everything they can" to protect their mobile apps.

Further, the report found that users would likely make a change if they knew their app was insecure. Eighty percent of users would change providers if they knew their apps were not safe, and 82 percent said they would change if they knew another app that performed a similar function was more secure.

For its survey, Arxan polled 815 consumers who use mobile health and finance apps and 268 IT decision makers who produce mobile health and mobile finance apps. The polling was conducted in the U.S., U.K., Germany and Japan through a third-party research organization.
