New research evaluates security posture of more than 36,000 mobile applications; highlights need for built-in data protection

SAN FRANCISCO, Calif. – RSA Conference – March 1, 2016 – Hewlett Packard Enterprise (HPE) today published results from the [HPE Mobile Application Security Report](https://saas.hpe.com/sites/default/files/resources/files/Mobile Report ver 10.2.pdf) 2016 finding that more than half of mobile applications are collecting alarming quantities of data. The study leveraged HPE Security Fortify on Demand to scan more than 36,000 iOS and Android mobile apps, and revealed the impact of increasing data collection, as well as recommendations for how organizations, mobile application developers and enterprises can build security in to better protect their data.

As mobile applications become more prevalent in the work environment, it’s essential that organizations understand the security vulnerabilities of mobile applications and implement mobile security best practices and policies required to protect today’s digital enterprise. Adversaries are shifting their focus to mobile platforms, with more than 10,000 new Android threats discovered per day in 2015, and an iOS malware growth rate of more than 230 percent ¹ .

“Modern mobile applications are collecting, transmitting and storing a wide range of data that often is not necessary to the application’s function, and can cause significant financial and reputational damage if a vulnerability is exploited,” said Jason Schmitt ( @raidschmitt), vice president and general manager, HPE Security Fortify at Hewlett Packard Enterprise. “With attackers’ growing interest in mobile, it’s critical that developers build security into applications from the onset, and organizations take a proactive approach to data security to better protect both personal and corporate data.”

Top findings from the report

• A majority mobile applications track your location, but not all of them need to . More than 50 percent of the scanned applications accessed geolocation data² . This can create serious privacy implications in the event of an attack, as an attacker can gain access to the physical location of otherwise anonymous, unsuspecting users. While it makes sense for a traffic application to track location, the study found that more than 70% of education applications on iOS did as well. This is disturbing as education applications are often marketed towards children.
• Games and weather applications are collecting calendar data. HPE found that calendar data was accessed by more than 40 percent of the iOS games and more than 50 percent of the iOS weather apps scanned. Calendar data can be particularly sensitive, detailing not just when business meetings take place, but also the topics and invitees.
• Ad and analytics frameworks put your most sensitive data at risk. Ad and analytics frameworks are commonplace in application development, with more than 60 percent of applications scanned using these frameworks. A framework that is misconfigured – or insecure to begin with – could be storing or transmitting a significant amount of highly specific and potentially sensitive data about users.
• Logging methods can expose data to unauthorized third parties. During the early development of applications, logging can be critical to the process of correcting buggy code, but once an application is running on a user’s device, it becomes a significant disclosure vulnerability. Approximately 95 percent of the applications scanned included logging methods.

Recommendations for Safe Usage of Mobile Applications

Mobile applications are here to stay, and developers, organizations and consumers alike should be cognizant of how this affects the security of personal and corporate data. HPE recommends the following to enterprises and consumers for safe development and usage of mobile apps:

Enterprises:

• Build security in – start with secure code. The surest way of securing mobile applications is to code securely in the first place, and security test early and often. It’s significantly less expensive to build security into the development process than adding it to mobile applications already in production.
• Implement automated scans and penetration testing. Organizations should build a holistic approach to their security programs that includesapplication scanning and penetration testing. Automated scanning helps catch both simple and complex mobile application security mistakes that are being made, while penetration testing can determine the most important vulnerabilities.

Consumers:

• Select applications wisely. If an application wants access to information that it should not need or that you do not understand, do not use the application. This could expose everything from contact data to geolocation data, which may not be necessary for the application to function.
• Be wary of applications storing large amounts of data. Avoid using applications that appear to store a lot of data locally or access data that they shouldn’t.

Methodology

The full methodology is detailed in the [report](https://saas.hpe.com/sites/default/files/resources/files/Mobile Report ver 10.2.pdf). Additional information about HPE SecurityFortify on Demand and other HPE Security solutions andservices are available here, as well as at the HPE booth No. 3411, at the RSA Conference 2016 this week in San Francisco. Keep up with conference happenings by following the hashtag #RSAC and @HPE_Security

About HPE Security

HPE Security helps organizations protect their business-critical digital assets by building security into the fabric of the enterprise, detecting and responding to advanced threats, and safeguarding continuity and compliance to effectively mitigate risk. With an integrated suite of market-leadingproducts, services,threat intelligence and security research, HPE Security empowers organizations to balance protection with innovation to keep pace with today’s idea economy.