Despite hacks, study finds mobile security is still terrible

Bluebox study finds nearly no travel apps have encrypted data, and many had vulnerable code

Technology trends and news by Steven Loeb
September 15, 2015

There have been so many big cyber security hacks over the last few years, from Target to Sony Pictures to Ashley Madison, to name just a few, that you would think security would be on everyone's mind by now.

Sadly, that is simply not the case, even with the overwhelming evidence that it should be, and a new study released Tuesday by mobile app security and analytics company Bluebox highlights how vulnerable we all are, especially on mobile.

Focusing specifically on travel apps, the company found gaping security holes in apps in this sector.

Out of 10 Android apps, only one of them encrypted the data that was stored on mobile devices. Out of 10 iOS apps, not one of them did. On top of that, only two of the 10 Android apps and one of the 10 iOS apps employed certificate pinning, which the company said is "a key capability for securing app data in transit."

"One of the primary things that apps should be doing is making sure data writing is encrypted. We also want to make sure that the data is not easily accessible at all," Andrew Blaich, lead security analyst at Bluebox Security, told me in an interview.

"Only one app did encryption on data, but in that case the key was hard-coded into the source code, which means that someone could easily decrypt all the data from that."

The study also found that four of the 10 Android apps and six of the 10 iOS apps contained code that could enable admin functionality that was not intended for a normal user to access, and that would grant special privileges to the end user if enabled.

"Depending on the app, someone might be able to disable things that might charge you money, or see logging info that would give them more info on how things worked in the app," Blaich said. "They could go ahead and disable encryption. It opens up functionality that developers don't want to let normal people enable."

Of all 20 apps, not one of them incorporated anti-tampering measures. In both cases, attackers could activate restricted functionality and take full control of apps to alter them for their own gain or launch attacks on other apps. 

The other big problem: on average, the app vendor created only 30 percent of the app code, while the remaining 70 percent was made up of third-party components.

"We picked travel because it aligns with peak travel season. There's going to be a lot of holiday traveling, and going back to school and it affects a lot of users, both consumers and enterprise employees," Blaich told me.

"With travel apps, you make a reservation for an airline or hotel and that is personal info that is stored on the device, that is sent over a network connection and is also stored on servers on that app. That created potential where an attacker can get data from."

The company decided to focus specifically on travel apps for this particular study for a few reasons, but Blaich also said that the same thing would be found in other categories, and that Bluebox will eventually put out studies on those as well.

"We were curious to see how the apps out there were being used, and if they were doing any kind of security on top of them," said Blaich. 

"We wanted to know, is the app protecting itself? For example, someone can modify an app, make a malware version, which can then be distributed through phishing. None of these apps had protections in place so engineers could insert code, go ahead and redistribute it out, either to a specific person or to a larger group."

Of course, this all raises the question: if security has been in the news so much lately with the aforementioned hackings, why haven't developers started being more careful about this?

"Security, in the history of computers, has always been an afterthought. Essentially, you have developers who are not security experts. They don't know what extra stuff would need to be done," Blaich told me.

"They trust that the device is going to keep them protected but we know that, first, you can't trust the device. Operating systems might have patched some vulnerabilities, but not all. Second, developers want to develop a nice user experience, and security comes at a price, meaning having someone who knows how to build these features, as well as extra time which might make them miss their deadline."

So what should developers do? Bluebox has some recommendations, including that they implement data encryption for all app data and that they remove any code that isn’t necessary to the operation of the app.

It also thinks developers should add “self-defending” capabilities to mobile apps to protect app data and defend against and respond to emerging mobile attacks. And, of course, they should also make security part of the development and update process from the beginning, rather than making it an afterthought.

"Mobile app security is still in its infancy and there are a lot of things being done that put you, as a user, as well as your data, and the corporation who makes the app, at risk," said Blaich.

"It is becoming necessary for developers to know what to do with the app, and for employees to know where they are getting apps from with a higher confidence level. If someone sends you a link to an app, it's best not to click that link. We want to make sure developers are aware of what's happening with their app and the security wrapped around it."
