2016 NowSecure Mobile Security Report


© 2016 NowSecure. All rights reserved.

TABLE OF CONTENTS

I. Introduction: Security in a mobile world
II. Mobile security requires new methods
III. Mobile security snapshot
    A. System issues
        1. Google Android
        2. Apple iOS
    B. Configuration issues
    C. App issues
        1. Leaky apps and social engineering
        2. A note on app containerization
    D. Network issues
IV. Detailed app vulnerability findings
    A. Methodology
    B. Overview of app security weaknesses
    C. Security weaknesses by app category
        1. Business
        2. Finance
        3. Games (aggregated)
        4. Shopping
        5. Social
V. Conclusion


I. Introduction: Security in a mobile world

IT and security professionals who manage and secure personal and corporate-owned mobile devices for enterprises have a difficult job. People want to use a wide range of different devices and mobile apps to access enterprise assets, interact with corporate data, and collaborate with their colleagues. Because mobile began as a consumer technology, many devices lack the security and administrative functions that IT and security teams use to manage traditional endpoints such as laptops and desktops.

The speed, volume, and variety of devices coming online is incredible. Benedict Evans, an analyst at Andreessen Horowitz, summed it up well when he titled a presentation, “Mobile is eating the world.” [1]

Consider the following:

• The number of mobile devices on Earth has surpassed the number of people living on it [2]
• In 2015 more Google searches occurred on mobile devices than on computers in 10 countries [3]
• 87 percent of time spent using mobile devices is spent using apps [4]
• An average of 53,309 mobile apps were released on the Apple App Store each month in 2015 [5]
• Forrester predicted people would download more than 226 billion apps in 2015 [6]

The mobile tidal wave will not subside anytime soon, and enterprises need to prepare themselves. In 2015, Tech Pro Research reported that 74 percent of organizations allow, or plan to allow, employees to use their personal mobile devices for work. [7] Employees want to use their own devices, and enterprises want to realize the benefits of increased productivity that come with the bring-your-own-device (BYOD) approach.

In discussion around BYOD, an important point is often overlooked. More important than who owns the device is how it is used and how it is secured. Enterprise risk is increasing as a greater variety of devices running more apps from untrusted sources connect and process sensitive data. Tightly controlling all devices and limiting apps to a small whitelist is simply not viable for all scenarios.


ABOUT THIS REPORT

We present this report, gleaned from our database of mobile security intelligence, to help IT and security pros make informed decisions about managing and securing mobile devices, mobile apps, and their enterprises’ mobile ecosystem.

Some of our eye-opening statistics regarding mobile insecurity include:

• 24.7 percent of mobile apps include at least one high risk security flaw
• The average device connects to 160 unique IP addresses every day
• 35 percent of communications sent by mobile devices are unencrypted
• Business apps are three times more likely to leak login credentials than the average app
• Games are one-and-a-half times more likely to include a high risk vulnerability than the average app

Enterprise IT and security teams should take data points such as these into consideration as they develop and manage their mobile security strategies.


II. Mobile security requires new methods

Mobile endpoints differ from traditional endpoints in a number of ways:

• Lack of administrative, or “root,” access
• Complex, drawn-out patching cycles for device updates
• Operating system (OS) access-control that limits the functionality of security apps
• Constant connectivity, frequently traversing insecure and untrusted networks
• A broad attack surface spanning devices, apps, and back-end services and infrastructure

The traditional, malware-focused approach to network security does not translate to mobile. According to Verizon’s 2015 Data Breach Investigations Report, only “an average of 0.03 percent of smartphones per week—out of tens of millions of mobile devices on the Verizon network—were infected with ‘higher-grade’ malicious code.” [8] Focusing on malicious apps leaves out too many important aspects of mobile security.

We founded NowSecure on a different approach to mobile security, which we call the SCAN Principle. SCAN stands for System, Configuration, Apps and Network. System vulnerabilities include security flaws in mobile operating systems. Configuration vulnerabilities include, for example, a device that does not require a passcode for access or is jailbroken. App vulnerabilities consist of risky apps prone to man-in-the-middle attacks or apps that store sensitive information insecurely or send data unencrypted. Finally, network vulnerabilities include insecure Wi-Fi connections that might allow an attacker to intercept traffic from a device.


III. Mobile security snapshot

We’ve structured our report to highlight our findings across each domain of NowSecure’s SCAN Principle for mobile security. Much of the data comes from our proprietary collection of mobile security data, statistics and trends. Our NowSecure Intelligence database gathers and correlates more than 140 million data points each day from users of our NowSecure Protect app in more than 180 countries. The app performs anonymous, non-invasive security assessments of the mobile device on which it’s installed. This trove of data highlights device health trends, mobile device security across regions, operating systems in use, vulnerability prevalence, and the IP addresses to which devices connect with or without permission. [9]

In section IV, “Detailed app findings,” we dive deep into an analysis of vulnerabilities in more than 400,000 apps available on the Google Play app store. We tested these apps using our own dynamic analysis system that performs automated analysis of iOS and Android applications at scale. [10]


SYSTEM ISSUES

Google Android

Google leads the development of Android, an open source software stack for mobile devices. Last year, Google CEO Sundar Pichai announced that 1.4 billion people now use Android. [11] Android 6.0 Marshmallow is the most recent version of the platform, following Android 5.0 Lollipop.

The following Android statistics give you a sense of just how many people use the OS:

• 8 out of every 10 phones in the world use the Android operating system [12]
• Android currently has an estimated 1.6 million apps available on Google Play [13]
• Only 43.8 percent of Android users have adopted Android Lollipop according to NowSecure mobile security intelligence

Security issues persist within the Android OS. Statistics from our open-source app that checks a device for recent OS vulnerabilities, Vulnerability Test Suite (VTS) for Android, show that 82 percent of Android devices were vulnerable to at least one of 25 OS flaws for which VTS tests. Those devices could be prone to hundreds more vulnerabilities that the app doesn’t assess.

Unfortunately, a significant amount of time can pass between when a vulnerability is found to when it’s actually patched. Once a patch is developed, it must be passed through original equipment manufacturers (OEMs) and wireless carriers like Verizon, AT&T and T-Mobile. Patches can take many months or more than a year to make their way to users’ devices. Even then, OEMs or carriers sometimes choose not to patch devices. Such a lengthy patch lifecycle, or the altogether absence of a patch, leaves users exposed to attacks and data theft.

Data collected from users of the NowSecure Protect app in January 2016.


Apple iOS

Apple iOS represents the other major mobile OS platform. Based on our mobile security intelligence, 82.8 percent of iOS users have adopted iOS 9 and subsequent updates. This data point does not ensure that a particular version of iOS is secure - but shows the rate of updates is measurably faster.

Vulnerabilities still exist on iOS devices. According to an analysis of data from CVE Details, a free security vulnerability database, Apple iOS had the most vulnerabilities in 2015 with 375. [14] That’s nearly three times more than Android, which had 130. While the overall number of CVEs was higher for iOS, that statistic does not necessarily account for the risk level of each vulnerability.

In November 2015, security researcher Charlie Miller released a malicious app onto the Apple App Store to demonstrate that risks still exist within the iOS ecosystem. [15] While Apple later suspended him from its developer program, the experiment emphasizes that a developer could sneak a malicious app past Apple’s security checks.

Overall, security flaws in mobile operating systems coupled with the difficulties posed by fragmentation and patch schedules on both Android and iOS must be taken into account when securing your mobile ecosystem.

Data collected from users of the NowSecure Protect app in January 2016.


CONFIGURATION ISSUES

Users and how they configure their devices can also threaten the security of enterprises. A user can compromise security, compounding risk when insecure apps are involved. For example, we find that 43 percent of mobile users do not use a passcode, PIN, or pattern lock on their device. If a user doesn’t enable one of these security features and someone steals or finds the device, they would have mostly unfettered access to the data on the device, including SMS messages, emails, geo-location data, and photos. Most security features on a mobile device, including encryption and remote wipe, are ultimately dependent on having set a user passcode.

Other configuration issues can impact device security, including encryption settings, the enablement of USB debugging, and apps installed from unknown sources. Altogether the configuration plays a key part in activating the security capabilities of the mobile OS.

APP ISSUES

Here we provide a high-level summary of the security of mobile apps, based on our in-depth app vulnerability findings which are explained in the “Detailed App Vulnerability Findings” section of this report.

We define leaky apps as mobile applications that transmit or store private user information in an insecure manner. Security failures might include man-in-the-middle vulnerabilities and insecure data transmission or storage. Intentionally or not, legitimate apps can collect and transmit location, device identifiers, personal contacts, and more.

We define high risk security flaws as issues that expose data that a malicious individual could use to gather private, sensitive information and/or monitor a user’s activity.

In our analysis of more than 400,000 apps available from the Google Play store:

• 10.8 percent of all apps leak sensitive data over the network
• 24.7 percent of mobile applications have at least one high risk security flaw
• 50.0 percent of popular apps send data to an ad network including but not limited to phone numbers, IMEI number (a unique identifier assigned to cellular devices), call logs, location coordinates, and more


Leaky apps and social engineering

Any piece of personal data leaked by a mobile app should concern us all because it’s an invasion of privacy. However, the information that a mobile app might leak can prove valuable to attackers in multiple ways. Personal data leaked by multiple apps can be used as reconnaissance information to be used in social engineering schemes. For example, if the user is targeted, credentials leaked by a productivity app might grant an attacker access to a cache of sensitive information. A hacker can potentially obtain a username and GPS location, allowing them to unlock other sensitive information about a user.

A note on app containerization

App containerization involves storing encrypted data on a mobile device within an encrypted storage “container” separate from other data and apps on the device. Access to the container requires authentication, making it inaccessible without valid credentials. IT teams can then control business data separate from personal data on employee devices. Containerization also has benefits beyond control of data: organizations can wipe container data, revoke access to specific data, fulfill industry and regulatory compliance requirements, manage multiple types of devices and platforms, and increase employee access to important data.

App containerization alone should not be counted on to protect mobile endpoints, however, as it’s only one piece of a secure mobile ecosystem. Containerization software has substantial costs to install and maintain, and requires users to go through additional steps to access needed data, which can result in a poor user experience and abandonment. In addition, app containerization, if relied upon alone, can serve as a single point of failure: a secure container on an insecure mobile device yields an insecure container. For more information about app containerization and where it might fit into your mobile security strategy, see the NowSecure whitepaper, “Four Myths of Containerization.” [16]

NETWORK ISSUES

One of mobile’s most beneficial aspects, continual connectivity, is also one of its greatest weaknesses. Our data shows that half of mobile devices connect to unsecured Wi-Fi each month, which exposes devices to data loss and manipulation. Even if a device connects to the Internet using a secure connection, it’s astonishing to note all of the connections devices and apps make with servers around the world. The average mobile device connects to approximately 160 unique servers every day. Any one of those connections could expose your enterprise to risk. In addition, 35 percent of the data transmitted via those connections is unencrypted.


IV. Detailed app vulnerability findings

METHODOLOGY

Our detailed app findings come from the analysis of more than 400,000 apps published on the Google Play store. We evaluated these apps using NowSecure’s automated app security testing system. The scalable system allows us to test mobile applications for high risk security and privacy problems including the sending of sensitive data without proper encryption. Each app is automatically tested on a physical device to reduce false positives and avoid instances where an app avoids executing functions because it detects that it is running on an emulator.

As part of our data-gathering and analysis, we have recorded distinct issues for each application. We classify these issues as high risk security flaws as they all expose data a malicious individual could use to gather private, sensitive information or monitor a user’s activity. Data leaks include information an attacker could obtain either over the network or directly from the device itself.

The following chart details the issues evaluated as part of this app security testing study.


SENSITIVE DATA ISSUES:

• Email leak: The app leaks the user's email address.
• Username leak: The app leaks the user’s username associated with that application.
• Password leak: The app exposes the user’s password for that application.
• IMEI leak: IMEI stands for International Mobile Station Equipment Identity and is used by a GSM digital cellular network to identify valid devices.
• Name leak: The app leaks the user’s first and/or last name.
• GPS leak: The app leaks GPS data potentially allowing for the tracking of a user’s location.
• MAC address leak: The app exposes the device’s media access control (MAC) address, which is a unique identifier assigned to network interfaces for communications on the device.

NETWORK ISSUES:

• Improper TLS usage: Improper validation of TLS can result in partial or complete degradation of a connection's privacy and authenticity. This can result in leaking sensitive data such as credit card information and increasing the attack surface significantly (i.e., code considered by the server to be secure could be manipulated).
• .Zip files: .Zip files refer to an app that allows the installation of a .zip file. Unvalidated .zip files might allow for the modifying of code or app parameters (e.g., altering the IP address to which communications are sent).

FILE SYSTEM ISSUES:

• World-readable files: A file with world-readable permissions enabled would allow anyone to read that file’s contents.
• World-writable files: A file with world-writable permissions enabled would allow anyone to overwrite that file’s contents, which can lead to arbitrary code execution.

OTHER ISSUES:

• Arbitrary code execution: This allows an attacker with write-only permissions to execute code in the context of the victim app.
• Directory traversal content providers: Apps share content that is exported by default and allows other apps on the device to request and obtain sensitive information.
• Running superuser (SU): The app attempts to run as superuser (SU), potentially enabling root access on your device.
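The two file system issues in the chart above can be checked mechanically from file mode bits. The following is an added example, not NowSecure's testing system or code from the report: it walks a directory tree, flags world-readable and world-writable files, and notes whether each flagged file is actually reachable by other users through its parent directories. It assumes a POSIX file system and that the tree's root is itself reachable; the function names and the sample layout are hypothetical and constructed for the demonstration.

```python
import os
import stat
import tempfile


def classify_mode(mode):
    """Map a st_mode value to the file system issue names used in the chart."""
    issues = []
    if mode & stat.S_IROTH:
        issues.append("world-readable")
    if mode & stat.S_IWOTH:
        issues.append("world-writable")
    return issues


def audit_tree(root):
    """Return sorted (relative_path, issues, reachable) tuples for flagged files.

    reachable is True only when every directory between root and the file
    also grants search (execute) permission to "other"; without it another
    user cannot open the file by path even though its own bits are loose.
    Assumption: root itself is reachable by other users.
    """
    findings = []
    dir_open = {root: True}  # directory path -> reachable by "other"
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            sub = os.path.join(dirpath, d)
            mode = os.lstat(sub).st_mode
            dir_open[sub] = dir_open[dirpath] and bool(mode & stat.S_IXOTH)
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow symlinks out of the tree
            if not stat.S_ISREG(st.st_mode):
                continue
            issues = classify_mode(st.st_mode)
            if issues:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, issues, dir_open[dirpath]))
    return sorted(findings)


# Constructed sample layout (hypothetical names), loosely shaped like an
# app data directory copied off a test device.
SAMPLE_DIRS = {"shared_prefs": 0o755, "files": 0o755, "databases": 0o700}
SAMPLE_FILES = {
    "shared_prefs/settings.xml": 0o660,  # owner and group only: no finding
    "shared_prefs/session.xml": 0o664,   # any user can read it
    "files/plugin.jar": 0o666,           # any user can read and overwrite it
    "databases/users.db": 0o644,         # loose bits, but parent dir is 0700
}


def build_sample_tree(root):
    """Create the constructed sample files with explicit modes."""
    for rel, mode in SAMPLE_DIRS.items():
        os.mkdir(os.path.join(root, rel))
        os.chmod(os.path.join(root, rel), mode)  # chmod so umask cannot interfere
    for rel, mode in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)


def run_demo():
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_tree(root)


if __name__ == "__main__":
    for rel, issues, reachable in run_demo():
        state = "reachable" if reachable else "blocked by parent directory"
        print(f"{rel}: {', '.join(issues)} ({state})")
```

A world-writable file that is reachable is the case the chart ties to arbitrary code execution, so those findings deserve review first.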


Our automated app security testing system also allows us to gather metadata about an app including its category and number of downloads, which allowed us to filter and group the information as we have below.

OVERVIEW OF APP SECURITY WEAKNESSES

We examined the results of security testing 400,000 mobile apps and recorded the following prevalence of high risk security issues in those apps.

We identified at least one high risk issue in almost one in four mobile apps. Out of all the mobile apps we tested, 13.3 percent had file system issues. The prevalence of sensitive data leak and network issues in all mobile apps were lower than other issues at 10.7 percent and 3.8 percent respectively.


The chart below illustrates the quantity of issues found by type for the most popular apps on the Google Play store. We’ve defined popular apps as those with more than 1 million downloads. In total, we found 16,036 high risk issues among these popular applications.

This chart illustrates that mobile apps continue to leak usernames, passwords, and email addresses. This is particularly concerning because many users reuse the same username and password for different applications. The compromise of a user’s credentials for one app could easily lead to the compromise of another app or web account.


SECURITY WEAKNESSES BY APP CATEGORY

We examined the results of security testing 400,000 mobile apps and recorded the following prevalence of high risk security issues in those apps.

Business

Apps in the Business category improve productivity and perform business functions such as scanning documents, sharing and storing files, recording financial transactions, managing schedules, and other business tasks.

We tested 5,104 apps within the Business category. Users install an average of 1.6 business apps on their mobile devices. We found at least one high-risk vulnerability in 27.6 percent of business apps, which is 2.8 percent higher than in the average app. Looking at specific issues, business apps are three times more likely to leak usernames and passwords than the average app.


Finance

Apps in the Finance category include banking applications, payment apps, and insurance apps. These apps might store credit card information, allow for sending currency, and save personal banking information.

We tested 5,201 apps within Google Play’s Finance category. We find that users install an average of 1.8 finance apps on their device. Finance apps were more secure than the average app illustrated by our finding at least one high risk vulnerability in only 16.9 percent of them, which is 7.8 percent lower than in the average app. We identified file system issues in only 10.1 percent of finance apps, 3.3 percent less than the average app. Only 4.2 percent of the finance apps we tested leaked sensitive data, which is 6.6 percent less than the average.


Games (aggregated)

The Google Play store includes 17 distinct games categories. We’ve aggregated our findings across those categories into a single Games category here. Game apps feature in-app purchases, present ads to users, and save user information as a profile for playing specific games.

We tested 56,964 apps within the Games category. We find that 5.2 games apps are installed on the average device. Our findings show that game apps are 1.5 times more likely to have at least one high risk vulnerability than the average app. File system issues are present in 17.1 percent of games apps compared to 13.3 percent in all apps.

What concerns us most about the game apps is that 32.8 percent of apps in the category leak sensitive data, which is three times as much as the average mobile app. Game apps are also nine times more likely than the average app to have a network issue.


Shopping

Apps in the Shopping category include apps from retailers used to purchase goods, services, and more. You can use these apps to browse items, submit reviews, make purchases, or create and save a user profile for future shopping.

We tested 2,947 apps in the Shopping category. Our research shows that the average device has two shopping apps installed. Shopping apps are 1.5 times more likely to have at least one high risk vulnerability compared to the average app. In addition, 24.8 percent of the shopping apps we tested possessed file system issues, which is 1.9 times higher than the average app.


Social

Apps that allow users to participate in social media make up the Social category. These applications share messages, photos, videos, and other media through popular social media platforms.

We tested 4,503 apps within Google Play’s Social category. Users install an average of 3.7 social apps on their mobile device. We found at least one high risk vulnerability in 30.5 percent of social apps - 5.8 percent more than in the average app. Compared to apps overall, social apps are 4.1 times more likely to leak a username, 3.8 times more likely to leak a password, and 4.7 times more likely to leak a user’s email address.


V. Conclusion

We founded NowSecure focused solely on mobile security. Our company mission is to secure mobile devices and apps and protect the people that use them. Our mobile app testing, device monitoring, forensics and security intelligence capabilities provide us with a unique set of mobile security data.

We published this report to share some of that data and the resulting insights with the public. We also aim to help enterprises manage and secure the mobile devices and apps that connect with their corporate assets each day. IT and security teams should take the following key points away from the 2016 NowSecure Mobile Security Report:

• Mobile security requires a different approach not focused on malware. Leaky apps that store or transmit sensitive personal and corporate data in an insecure manner are of far greater concern at this point in time.
• Even legitimate apps without intentionally malicious functionality that are downloaded from official app marketplaces can include high risk security issues.
• Mobile security requires identifying and remediating security issues in device OSs and configurations, the apps installed on those devices, and the network connections those devices make each day.


SOURCES

1. http://a16z.com/2014/10/28/mobile-is-eating-the-world/
2. http://www.independent.co.uk/life-style/gadgets-and-tech/news/there-are-officially-more-mobile-devices-than-people-in-the-world-9780518.html
3. http://adwords.blogspot.com/2015/05/building-for-next-moment.html
4. https://www.comscore.com/Insights/Presentations-and-Whitepapers/2015/The-2015-US-Mobile-App-Report
5. http://www.pocketgamer.biz/metrics/app-store/app-count/
6. http://blogs.forrester.com/satish_meena/15-06-22-consumers_will_download_more_than_226_billion_apps_in_2015
7. http://www.zdnet.com/article/research-74-percent-using-or-adopting-byod/
8. http://www.verizonenterprise.com/DBIR/2015/
9. https://www.nowsecure.com/intelligence/
10. https://www.nowsecure.com/blog/2015/12/17/finding-mobile-vulnerabilities-at-scale/
11. http://www.ubergizmo.com/2015/09/over-1-4-billion-people-are-now-using-android/
12. http://www.cnet.com/news/google-io-by-the-numbers-1b-android-users-900m-on-gmail/
13. http://www.statista.com/statistics/266210/number-of-available-applications-in-the-google-play-store/
14. http://venturebeat.com/2015/12/31/software-with-the-most-vulnerabilities-in-2015-mac-os-x-ios-and-flash/
15. http://www.zdnet.com/article/after-latest-iphone-hack-charlie-miller-kicked-out-of-ios-dev-program/
16. https://info.nowsecure.com/containerization-four-myths/