2016 NowSecure Mobile Security Report
© 2016 NowSecure. All rights reserved.
TABLE OF CONTENTS
I. Introduction: Security in a mobile world
II. Mobile security requires new methods
III. Mobile security snapshot
  A. System issues
    1. Google Android
    2. Apple iOS
  B. Configuration issues
  C. App issues
    1. Leaky apps and social engineering
    2. A note on app containerization
  D. Network issues
IV. Detailed app vulnerability findings
  A. Methodology
  B. Overview of app security weaknesses
  C. Security weaknesses by app category
    1. Business
    2. Finance
    3. Games (aggregated)
    4. Shopping
    5. Social
V. Conclusion
Connect with us: [email protected] © 2016 NowSecure. All rights reserved.

I. Introduction: Security in a mobile world

IT and security professionals who manage and secure personal and corporate-owned mobile
devices for enterprises have a difficult job. People want to use a wide range of different
devices and mobile apps to access enterprise assets, interact with corporate data, and
collaborate with their colleagues. Because mobile began as a consumer technology, many
devices lack the security and administrative functions that IT and security teams use to
manage traditional endpoints such as laptops and desktops.

The speed, volume, and variety of devices coming online is incredible. Benedict Evans, an
analyst at Andreessen Horowitz, summed it up well when he titled a presentation, “Mobile is
eating the world.”[1]

Consider the following:
• The number of mobile devices on Earth has surpassed the number of people living on it[2]
• In 2015 more Google searches occurred on mobile devices than on computers in 10 countries[3]
• 87 percent of time spent using mobile devices is spent using apps[4]
• An average of 53,309 mobile apps were released on the Apple App Store each month in 2015[5]
• Forrester predicted people would download more than 226 billion apps in 2015[6]

The mobile tidal wave will not subside anytime soon, and enterprises need to prepare
themselves. In 2015, Tech Pro Research reported that 74 percent of organizations allow, or
plan to allow, employees to use their personal mobile devices for work.[7] Employees want to
use their own devices, and enterprises want to realize the benefits of increased productivity
that come with the bring-your-own-device (BYOD) approach.

In discussion around BYOD, an important point is often overlooked. More important than
who owns the device is how it is used and how it is secured. Enterprise risk is increasing as
a greater variety of devices running more apps from untrusted sources connect and process
sensitive data. Tightly controlling all devices and limiting apps to a small whitelist is simply
not viable for all scenarios.

74% of organizations allow, or plan to allow, employees to use their personal mobile devices for work
87% of time spent using mobile devices is spent using apps

ABOUT THIS REPORT

We present this report, gleaned from our database of mobile security intelligence, to help
IT and security pros make informed decisions about managing and securing mobile devices,
mobile apps, and their enterprises’ mobile ecosystem.

Some of our eye-opening statistics regarding mobile insecurity include:
• 24.7 percent of mobile apps include at least one high risk security flaw
• The average device connects to 160 unique IP addresses every day
• 35 percent of communications sent by mobile devices are unencrypted
• Business apps are three times more likely to leak login credentials than the average app
• Games are one-and-a-half times more likely to include a high risk vulnerability than the average app

Enterprise IT and security teams should take data points such as these into consideration as
they develop and manage their mobile security strategies.

35% of communications sent by mobile devices are unencrypted

II. Mobile security requires new methods

Mobile endpoints differ from traditional endpoints in a number of ways:
• Lack of administrative, or “root,” access
• Complex, drawn-out patching cycles for device updates
• Operating system (OS) access-control that limits the functionality of security apps
• Constant connectivity, frequently traversing insecure and untrusted networks
• A broad attack surface spanning devices, apps, and back-end services and infrastructure

The traditional, malware-focused approach to network security does not translate to mobile.
According to Verizon’s 2015 Data Breach Investigations Report, only “an average of 0.03
percent of smartphones per week—out of tens of millions of mobile devices on the Verizon
network—were infected with ‘higher-grade’ malicious code.”[8] Focusing on malicious apps
leaves out too many important aspects of mobile security.

We founded NowSecure on a different approach to mobile security, which we call the SCAN
Principle. SCAN stands for System, Configuration, Apps and Network. System vulnerabilities
include security flaws in mobile operating systems. Configuration vulnerabilities include,
for example, a device that does not require a passcode for access or is jailbroken. App
vulnerabilities consist of risky apps prone to man-in-the-middle attacks or apps that store
sensitive information insecurely or send data unencrypted. Finally, network vulnerabilities
include insecure Wi-Fi connections that might allow an attacker to intercept traffic from a
device.

The traditional, malware-focused approach to network security does not translate to mobile.

III. Mobile security snapshot

We’ve structured our report to highlight our findings across each domain of NowSecure’s
SCAN Principle for mobile security. Much of the data comes from our proprietary collection
of mobile security data, statistics and trends. Our NowSecure Intelligence database gathers
and correlates more than 140 million data points each day from users of our NowSecure
Protect app in more than 180 countries. The app performs anonymous, non-invasive
security assessments of the mobile device on which it’s installed. This trove of data
highlights device health trends, mobile device security across regions, operating systems in
use, vulnerability prevalence, and the IP addresses to which devices connect with or without
permission.[9]

In section IV, “Detailed app findings,” we dive deep into an analysis of vulnerabilities in more
than 400,000 apps available on the Google Play app store. We tested these apps using
our own dynamic analysis system that performs automated analysis of iOS and Android
applications at scale.[10]

400,000 apps were tested for vulnerabilities using our dynamic analysis system

SYSTEM ISSUES

Google Android

Google leads the development of Android, an open source software stack for mobile
devices. Last year, Google CEO Sundar Pichai announced that 1.4 billion people now use
Android.[11] Android 6.0 Marshmallow is the most recent version of the platform, following
Android 5.0 Lollipop.

The following Android statistics give you a sense of just how many people use the OS:
• 8 out of every 10 phones in the world use the Android operating system[12]
• Android currently has an estimated 1.6 million apps available on Google Play[13]
• Only 43.8 percent of Android users have adopted Android Lollipop according to NowSecure mobile security intelligence

Security issues persist within the Android OS. Statistics from our open-source app that checks
a device for recent OS vulnerabilities, Vulnerability Test Suite (VTS) for Android, show that 82
percent of Android devices were vulnerable to at least one of 25 OS flaws for which VTS tests.
Those devices could be prone to hundreds more vulnerabilities that the app doesn’t assess.

Unfortunately, a significant amount of time can pass between when a vulnerability is found
to when it’s actually patched. Once a patch is developed, it must be passed through original
equipment manufacturers (OEMs) and wireless carriers like Verizon, AT&T and T-Mobile.
Patches can take many months or more than a year to make their way to users’ devices. Even
then, OEMs or carriers sometimes choose not to patch devices. Such a lengthy patch lifecycle,
or the altogether absence of a patch, leaves users exposed to attacks and data theft.

Data collected from users of the NowSecure Protect app in January 2016.

82% of Android devices tested by the Vulnerability Test Suite for Android had at least one of 25 vulnerabilities
1.4 BILLION people now use Android, says Google CEO Sundar Pichai

Apple iOS

Apple iOS represents the other major mobile OS platform. Based on our mobile security
intelligence, 82.8 percent of iOS users have adopted iOS 9 and subsequent updates. This
data point does not ensure that a particular version of iOS is secure - but shows the rate of
updates is measurably faster.

Vulnerabilities still exist on iOS devices. According to an analysis of data from CVE Details,
a free security vulnerability database, Apple iOS had the most vulnerabilities in 2015 with
375.[14] That’s nearly three times more than Android, which had 130. While the overall
number of CVEs was higher for iOS, that statistic does not necessarily account for the risk
level of each vulnerability.

In November 2015, security researcher Charlie Miller released a malicious app onto the
Apple App Store to demonstrate that risks still exist within the iOS ecosystem.[15] While
Apple later suspended him from its developer program, the experiment emphasizes that a
developer could sneak a malicious app past Apple’s security checks.

Overall, security flaws in mobile operating systems coupled with the difficulties posed by
fragmentation and patch schedules on both Android and iOS must be taken into account
when securing your mobile ecosystem.

Data collected from users of the NowSecure Protect app in January 2016.

82.8% of iOS users have updated to iOS 9

CONFIGURATION ISSUES

Users and how they configure their devices can also threaten the security of enterprises.
A user can compromise security, compounding risk when insecure apps are involved. For
example, we find that 43 percent of mobile users do not use a passcode, PIN, or pattern lock
on their device. If a user doesn’t enable one of these security features and someone steals
or finds the device, they would have mostly unfettered access to the data on the device,
including SMS messages, emails, geo-location data, and photos. Most security features on a
mobile device, including encryption and remote wipe, are ultimately dependent on having set
a user passcode.

Other configuration issues can impact device security, including encryption settings, the
enablement of USB debugging, and apps installed from unknown sources. Altogether the
configuration plays a key part in activating the security capabilities of the mobile OS.

APP ISSUES

Here we provide a high-level summary of the security of mobile apps, based on our in-depth
app vulnerability findings which are explained in the “Detailed App Vulnerability Findings”
section of this report.

We define leaky apps as mobile applications that transmit or store private user information
in an insecure manner. Security failures might include man-in-the-middle vulnerabilities and
insecure data transmission or storage. Intentionally or not, legitimate apps can collect and
transmit location, device identifiers, personal contacts, and more.

We define high risk security flaws as issues that expose data that a malicious individual
could use to gather private, sensitive information and/or monitor a user’s activity.

In our analysis of more than 400,000 apps available from the Google Play store:
• 10.8 percent of all apps leak sensitive data over the network
• 24.7 percent of mobile applications have at least one high risk security flaw
• 50.0 percent of popular apps send data to an ad network including but not limited to phone numbers, IMEI number (a unique identifier assigned to cellular devices), call logs, location coordinates, and more

43% of mobile users do not use a passcode, PIN, or pattern lock on their device
Legitimate apps can leak your location, device identifiers, personal contacts, and more

Leaky apps and social engineering

Any piece of personal data leaked by a mobile app should concern us all because it’s an
invasion of privacy. However, the information that a mobile app might leak can prove
valuable to attackers in multiple ways. Personal data leaked by multiple apps can be used
as reconnaissance information to be used in social engineering schemes. For example, if
the user is targeted, credentials leaked by a productivity app might grant an attacker access
to a cache of sensitive information. A hacker can potentially obtain a username and GPS
location, allowing them to unlock other sensitive information about a user.

A note on app containerization

App containerization involves storing encrypted data on a mobile device within an
encrypted storage “container” separate from other data and apps on the device. Access to
the container requires authentication making it inaccessible without valid credentials. IT
teams can then control business data separate from personal data on employee devices.
Containerization also has benefits beyond control of data: organizations can wipe container
data, revoke access to specific data, fulfill industry and regulatory compliance requirements,
manage multiple types of devices and platforms, and increase employee access to important
data.

App containerization alone should not be counted on to protect mobile endpoints,
however, as it’s only one piece of a secure mobile ecosystem. Containerization software has
substantial costs to install and maintain, and requires users to go through additional steps
to access needed data, which can result in a poor user experience and abandonment. In
addition, app containerization, if relied upon alone, can serve as a single point of failure:
a secure container on an insecure mobile device yields an insecure container. For more
information about app containerization and where it might fit into your mobile security
strategy, see the NowSecure white paper, “Four Myths of Containerization.”[16]

NETWORK ISSUES

One of mobile’s most beneficial aspects, continual connectivity, is also one of its greatest
weaknesses. Our data shows that half of mobile devices connect to unsecured Wi-Fi each
month, which exposes devices to data loss and manipulation. Even if a device connects
to the Internet using a secure connection, it’s astonishing to note all of the connections
devices and apps make with servers around the world. The average mobile device connects
to approximately 160 unique servers every day. Any one of those connections could expose
your enterprise to risk. In addition, 35 percent of the data transmitted via those connections
is unencrypted.

A secure container on an insecure mobile device yields an insecure container
Half of all mobile devices connect to unsecured Wi-Fi each month

IV. Detailed app vulnerability findings

METHODOLOGY

Our detailed app findings come from the analysis of more than 400,000 apps published
on the Google Play store. We evaluated these apps using NowSecure’s automated app
security testing system. The scalable system allows us to test mobile applications for high
risk security and privacy problems including the sending of sensitive data without proper
encryption. Each app is automatically tested on a physical device to reduce false positives
and avoid instances where an app avoids executing functions because it detects that it is
running on an emulator.

As part of our data-gathering and analysis, we have recorded distinct issues for each
application. We classify these issues as high risk security flaws as they all expose data a
malicious individual could use to gather private, sensitive information or monitor a user’s
activity. Data leaks include information an attacker could obtain either over the network or
directly from the device itself.

High risk security flaws expose data a malicious individual could use to gather private, sensitive information or monitor a user’s activity

The following chart details the issues evaluated as part of this app security testing study.

SENSITIVE DATA ISSUES:
Email leak: The app leaks the user's email address.
Username leak: The app leaks the user’s username associated with that application.
Password leak: The app exposes the user’s password for that application.
IMEI leak: IMEI stands for International Mobile Station Equipment Identity and is used by a GSM digital cellular network to identify valid devices.
Name leak: The app leaks the user’s first and/or last name.
GPS leak: The app leaks GPS data potentially allowing for the tracking of a user’s location.
MAC address leak: The app exposes the device’s media access control (MAC) address, which is a unique identifier assigned to network interfaces for communications on the device.

NETWORK ISSUES:
Improper TLS usage: Improper validation of TLS can result in partial or complete degradation of a connection's privacy and authenticity. This can result in leaking sensitive data such as credit card information and increasing the attack surface significantly (i.e., code considered by the server to be secure could be manipulated).
.Zip files: .Zip files refer to an app that allows the installation of a .zip file. Unvalidated .zip files might allow for the modifying of code or app parameters (e.g., altering the IP address to which communications are sent).

FILE SYSTEM ISSUES:
World-readable files: A file with world-readable permissions enabled would allow anyone to read that file’s contents.
World-writable files: A file with world-writeable permissions enabled would allow anyone to overwrite that file’s contents, which can lead to arbitrary code execution.

OTHER ISSUES:
Arbitrary code execution: This allows an attacker with write-only permissions to execute code in the context of the victim app.
Directory traversal content providers: Apps share content that is exported by default and allows other apps on the device to request and obtain sensitive information.
Running superuser (SU): The app attempts to run as superuser (SU), potentially enabling root access on your device.
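
The two file system issues in the chart can be checked directly from permission bits. The following is an added example, not NowSecure's testing code: a Python audit of a directory tree (for instance, a copy of an app's data directory taken from a test device) that flags world-readable and world-writable regular files. The sample tree, the function names, and the list of code-file suffixes are assumptions made for this illustration.

```python
"""Audit a directory tree for world-readable and world-writable files."""
import os
import stat
import tempfile

# Assumption for this example: file types an Android app may load as code.
CODE_SUFFIXES = (".so", ".dex", ".jar", ".apk")


def classify(mode, name):
    """Return the list of findings for one regular file's mode bits."""
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
        # A writable file that the app later loads or runs is the path from
        # "anyone can overwrite" to code execution in the app's context.
        if name.endswith(CODE_SUFFIXES) or mode & stat.S_IXUSR:
            findings.append("writable-code")
    return findings


def audit_tree(root):
    """Walk root; return {relative path: findings} for flagged regular files."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, FIFOs
            findings = classify(st.st_mode, name)
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report


def build_sample_tree(root):
    """Constructed sample layout, loosely modelled on an app data directory."""
    layout = {
        "shared_prefs/session.xml": 0o664,  # world-readable
        "databases/app.db": 0o660,          # private: owner and group only
        "files/plugin.dex": 0o666,          # world-writable code file
        "cache/thumb.png": 0o600,           # private
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)  # chmod sets the bits regardless of umask
    return layout


def demo():
    """Build the constructed tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_tree(root)


if __name__ == "__main__":
    for rel, findings in sorted(demo().items()):
        print(f"{rel}: {', '.join(findings)}")
```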

OVERVIEW OF APP SECURITY WEAKNESSES

Our automated app security testing system also allows us to gather metadata about an app
including its category and number of downloads, which allowed us to filter and group the
information as we have below.

We examined the results of security testing 400,000 mobile apps and recorded the
following prevalence of high risk security issues in those apps.

We identified at least one high risk issue in almost one in four mobile apps. Out of all the
mobile apps we tested, 13.3 percent had file system issues. The prevalence of sensitive data
leak and network issues in all mobile apps were lower than other issues at 10.7 percent and
3.8 percent respectively.

We identified at least one high risk issue in almost one in four mobile apps

The chart below illustrates the quantity of issues found by type for the most popular apps
on the Google Play store. We’ve defined popular apps as those with more than 1 million
downloads. In total, we found 16,036 high risk issues among these popular applications.

This chart illustrates that mobile apps continue to leak usernames, passwords, and email
addresses. This is particularly concerning because many users reuse the same username
and password for different applications. The compromise of a user’s credentials for one app
could easily lead to the compromise of another app or web account.

16,036 high risk issues were found in the most popular apps

SECURITY WEAKNESSES BY APP CATEGORY

We examined the results of security testing 400,000 mobile apps and recorded the
following prevalence of high risk security issues in those apps.

Business

Apps in the Business category improve productivity and perform business functions such
as scanning documents, sharing and storing files, recording financial transactions, managing
schedules, and other business tasks.

We tested 5,104 apps within the Business category. Users install an average of 1.6 business
apps on their mobile devices. We found at least one high-risk vulnerability in 27.6 percent
of business apps, which is 2.8 percent higher than in the average app. Looking at specific
issues, business apps are three times more likely to leak usernames and passwords than the
average app.

Business apps are 3 times more likely to leak usernames and passwords than the average app

Finance

Apps in the Finance category include banking applications, payment apps, and insurance
apps. These apps might store credit card information, allow for sending currency, and save
personal banking information.

We tested 5,201 apps within Google Play’s Finance category. We find that users install
an average of 1.8 finance apps on their device. Finance apps were more secure than the
average app illustrated by our finding at least one high risk vulnerability in only 16.9 percent
of them, which is 7.8 percent lower than in the average app. We identified file system issues
in only 10.1 percent of finance apps, 3.3 percent less than the average app. Only 4.2 percent
of the finance apps we tested leaked sensitive data, which is 6.6 percent less than the
average.

Finance apps were more secure than the average app, only showing one high risk vulnerability in 16.9 percent of applications, 7.8 percent lower than the average app

Games (aggregated)

The Google Play store includes 17 distinct games categories. We’ve aggregated our findings
across those categories into a single Games category here. Game apps feature in-app
purchases, present ads to users, and save user information as a profile for playing
specific games.

We tested 56,964 apps within the Games category. We find that 5.2 games apps are
installed on the average device. Our findings show that game apps are 1.5 times more likely
to have at least one high risk vulnerability than the average app. File system issues are
present in 17.1 percent of games apps compared to 13.3 percent in all apps.

What concerns us most about the game apps is that 32.8 percent of apps in the category
leak sensitive data, which is three times as much as the average mobile app. Game apps are
also nine times more likely than the average app to have a network issue.

32.8% of apps in the Games category leak sensitive data, which is three times as much as the average mobile app

Shopping

Apps in the Shopping category include apps from retailers used to purchase goods, services,
and more. You can use these apps to browse items, submit reviews, make purchases, or
create and save a user profile for future shopping.

We tested 2,947 apps in the Shopping category. Our research shows that the average
device has two shopping apps installed. Shopping apps are 1.5 times more likely to have at
least one high risk vulnerability compared to the average app. In addition, 24.8 percent of
the shopping apps we tested possessed file system issues, which is 1.9 times higher than
the average app.

Apps in the Shopping category are 1.5 times more likely to have at least one high risk vulnerability compared to the average app

Social

Apps that allow users to participate in social media make up the Social category. These
applications share messages, photos, videos, and other media through popular social media
platforms.

We tested 4,503 apps within Google Play’s Social category. Users install an average of
3.7 social apps on their mobile device. We found at least one high risk vulnerability in
30.5 percent of social apps - 5.8 percent more than in the average app. Compared to apps
overall, social apps are 4.1 times more likely to leak a username, 3.8 times more likely to
leak a password, and 4.7 times more likely to leak a user’s email address.

Social apps are 4.1 times more likely to leak a username, 3.8 times more likely to leak a password, and 4.7 times more likely to leak a user’s email address

V. Conclusion

We founded NowSecure focused solely on mobile security. Our company mission is to
secure mobile devices and apps and protect the people that use them. Our mobile app
testing, device monitoring, forensics and security intelligence capabilities provide us with a
unique set of mobile security data.

We published this report to share some of that data and the resulting insights with the
public. We also aim to help enterprises manage and secure the mobile devices and apps
that connect with their corporate assets each day. IT and security teams should take the
following key points away from the 2016 NowSecure Mobile Security Report:
• Mobile security requires a different approach not focused on malware. Leaky apps that store or transmit sensitive personal and corporate data in an insecure manner are of far greater concern at this point in time.
• Even legitimate apps without intentionally malicious functionality that are downloaded from official app marketplaces can include high risk security issues.
• Mobile security requires identifying and remediating security issues in device OSs and configurations, the apps installed on those devices, and the network connections those devices make each day.

Leaky apps that store or transmit sensitive personal and corporate data in an insecure manner are of far greater concern than malware

SOURCES
[1] http://a16z.com/2014/10/28/mobile-is-eating-the-world/
[2] http://www.independent.co.uk/life-style/gadgets-and-tech/news/there-are-officially-more-mobile-devices-than-people-in-the-world-9780518.html
[3] http://adwords.blogspot.com/2015/05/building-for-next-moment.html
[4] https://www.comscore.com/Insights/Presentations-and-Whitepapers/2015/The-2015-US-Mobile-App-Report
[5] http://www.pocketgamer.biz/metrics/app-store/app-count/
[6] http://blogs.forrester.com/satish_meena/15-06-22-consumers_will_download_more_than_226_billion_apps_in_2015
[7] http://www.zdnet.com/article/research-74-percent-using-or-adopting-byod/
[8] http://www.verizonenterprise.com/DBIR/2015/
[9] https://www.nowsecure.com/intelligence/
[10] https://www.nowsecure.com/blog/2015/12/17/finding-mobile-vulnerabilities-at-scale/
[11] http://www.ubergizmo.com/2015/09/over-1-4-billion-people-are-now-using-android/
[12] http://www.cnet.com/news/google-io-by-the-numbers-1b-android-users-900m-on-gmail/
[13] http://www.statista.com/statistics/266210/number-of-available-applications-in-the-google-play-store/
[14] http://venturebeat.com/2015/12/31/software-with-the-most-vulnerabilities-in-2015-mac-os-x-ios-and-flash/
[15] http://www.zdnet.com/article/after-latest-iphone-hack-charlie-miller-kicked-out-of-ios-dev-program/
[16] https://info.nowsecure.com/containerization-four-myths/