HP Security Research | Cyber Risk Report 2015

While smartphones can be used for viewing, manipulating, and storing local data, these devices also free users to interact with a world of interconnected resources from the convenience of their hands. Through communication protocols, both sensitive and benign data are shared between remote services and our devices. The third most common aggregate vulnerability category is Insecure Transport (66.14 percent), which identifies weaknesses caused by the use of communication protocols that do not protect sensitive data through encryption (such as HTTP instead of HTTPS) or that make use of less secure protocol options.

Taking the fourth spot, Insecure Deployment weaknesses were identified in 61.64 percent of the mobile applications studied. Insecure Deployment combines various deployment configurations, settings, and states that result in unnecessary weaknesses. For mobile apps this may include not using features such as PlayReady DRM, not checking whether the app is running on a jailbroken device, or exhibiting properties that may indicate malicious intent.

Rounding out our top five, Poor Logging Practice weaknesses were found in 46.56 percent of the mobile applications. Writing to standard output often indicates that the application relies on it for debugging and logging rather than on structured logging facilities such as android.util.Log on Android or NSLog on iOS. Because standard output and logs can be read by third parties, developers should always be cognizant of the risks associated with any sensitive information being written to them.

Top 10 mobile application vulnerabilities

As shown for Web applications, each category within the taxonomy can be further refined into more specific vulnerabilities. The following chart depicts the vulnerabilities observed with the highest frequency in the sample population of mobile applications.

Figure 24. The 10 most common vulnerabilities noted in mobile apps in 2014 (percent of mobile applications affected)

- Insecure storage: Insufficient data protection: 54%
- Poor logging practice: Use of a system output stream: 47%
- Weak cryptographic hash: 43%
- Insecure deployment: Missing jailbreak detection: 37%
- Insecure deployment: Known mobile attack surface fingerprint: 34%
- Web server misconfiguration: Information disclosure: 33%
- Insecure transport: 32%
- Privacy violation: Geolocation: 31%
- Null dereference: 30%
- Insecure transport: Defeatable certificate pinning: 29%
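As an added illustration (not the report's or Fortify's code), a small Python scanner that flags three of the Figure 24 categories (insecure transport, use of a system output stream, weak cryptographic hash) in constructed Android/Java source and computes the same "percent of applications affected" metric the chart reports; the regexes and the three sample apps are assumptions.

```python
import re
from collections import Counter

# Constructed sample sources for three hypothetical apps (not from the report).
APPS = {
    "app_a": """\
String url = "http://api.example.com/login";
System.out.println("token=" + authToken);
MessageDigest md = MessageDigest.getInstance("MD5");
""",
    "app_b": """\
String url = "https://api.example.com/profile";
Log.d(TAG, "login ok");
MessageDigest md = MessageDigest.getInstance("SHA-256");
""",
    "app_c": """\
System.err.println(password);
MessageDigest md = MessageDigest.getInstance("SHA1");
""",
}

# One regex per report category. The patterns are our assumptions, not the
# scanner rules behind the report, and only cover the Java/Android spelling.
CHECKS = {
    "Insecure transport": re.compile(r'"http://'),
    "Poor logging practice: Use of a system output stream":
        re.compile(r'\bSystem\.(out|err)\.print'),
    "Weak cryptographic hash":
        re.compile(r'getInstance\(\s*"(MD2|MD5|SHA-?1)"', re.IGNORECASE),
}

def scan(source):
    """Return (line_no, category, stripped_line) for every matching line."""
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        for category, rx in CHECKS.items():
            if rx.search(line):
                findings.append((n, category, line.strip()))
    return findings

def prevalence(apps):
    """Percent of apps with at least one finding per category (Figure 24 metric)."""
    hits = Counter()
    for source in apps.values():
        for category in {cat for _, cat, _ in scan(source)}:
            hits[category] += 1
    return {cat: round(100 * hits[cat] / len(apps), 2) for cat in CHECKS}

if __name__ == "__main__":
    for cat, pct in sorted(prevalence(APPS).items(), key=lambda kv: -kv[1]):
        print(f"{pct:5.1f}%  {cat}")
```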
