13.07.2015 Views

hp-security-research-cyber-risk-report-pdf-2-w-1408


HP Security Research | Cyber Risk Report 2015

While Privacy Violation was the most prevalent aggregated category, Insecure Storage: Insufficient Data Protection (54 percent) was the most commonly observed vulnerability overall. In addition, all of the top 10 common vulnerabilities above are captured by the top five, except for Weak Cryptographic Hash (43 percent), Web Server Misconfiguration: Information Disclosure (33 percent), and Null Dereference (30 percent). Most developers tend to pay attention to the most critical vulnerabilities. The following chart represents a subset of the vulnerabilities considered to pose considerable risk that were found in the mobile applications.

[Figure 25. The 10 most critical vulnerabilities in mobile apps noted in 2014. Bar chart, axis 0% to 25%: Insecure transport 24%; Null dereference 21%; Unreleased resource: Streams 18%; Insecure transport: HTTP GET 17%; Insecure storage: Lacking data protection 16%; Insecure storage: Insufficient data protection 16%; Privacy violation: Screen caching / Privacy violation 13% / 14%; Privilege management: Unnecessary permissions 11%; Privilege management: Android data storage 11%.]

Focusing on the vulnerabilities considered critical to mobile applications, the list becomes very different from the 10 most common vulnerabilities. Insecure Transport takes the top spot with 24 percent of applications exhibiting critical issues (compared to the 32 percent overall that had insecure transport issues). Interestingly, the second most commonly observed critical vulnerability was Null Dereference (21 percent), which can lead to an application crash when executed. Furthermore, outside of the top five aggregated categories above, unreleased streams (18 percent) were common along with excessive (Unnecessary Permission, 11 percent) and risky (Android Data Storage, 11 percent) privilege settings.
