SHARED INTEL: Mobile apps are riddled with security flaws, many of which go unremediated

By Byron V. Acohido

The convergence of DevOps and SecOps is steadily gaining traction in the global marketplace. Some fresh evidence of this encouraging trend comes to us by way of shared intelligence from WhiteHat Security.

Related: The tie between DevOps and SecOps.

Organizations that are all-in leveraging microservices to speed up application development, on the DevOps side of the house, have begun acknowledging the importance of incorporating SecOps along the way. The most forward-thinking among them are increasingly checking for vulnerabilities in new apps – and finding them, big time.

That’s one of the key revelations in the 2019 WhiteHat Application Security Statistics Report, which I’d place in the category of reports that bear close scrutiny because it is based on the actual in-the-field experiences of WhiteHat’s global customer base. Also, WhiteHat has been generating this report annually since 2006.

Based on 17 million application security scans carried out in 2018, WhiteHat recorded a 20% increase in the number of vulnerabilities discovered in the applications that organizations tested for security flaws.

What’s more, based on insight from WhiteHat’s partner NowSecure, some 70% of mobile apps were found to leak sensitive data.

The fact that more companies are participating in the hunt for security flaws in new apps is a good thing. However, WhiteHat also found many app vulnerabilities are, today, going unaddressed. Remediation rates actually fell in 2018, as compared to 2017. At the moment, the effort required to secure existing and new apps appears to be overwhelming already short-staffed security teams.

The Dawn of DevSecOps

This field report tells us that, yes, SecOps is gaining traction, with more and more security teams beginning to contribute to the delivery of secure apps. However, many security teams lack the skills, and/or have not yet won corporate backing to bring in the engineering support needed to mitigate the vulnerabilities.

These application flaws were always there, mind you – WhiteHat found that more than one-third of all application security risks are inherited rather than written – but now they are being flushed out as DevOps and SecOps merge into DevSecOps.

The more progressive security teams are, indeed, tackling remediation. For those teams, the benefits associated with paying a bit of attention to security, up front, have sunk in. Not only can they take pride in contributing to a better experience for end users, they’re also reducing the headaches that go along with having to patch vulnerabilities that turn up post-production.

I had a deep discussion about this with Setu Kulkarni, WhiteHat’s vice president of strategy and business development. We met at Black Hat USA 2019. For a full drill down, give a listen to the accompanying podcast. Here are excerpts, edited for clarity and length:

LW: Your findings show 70% of mobile apps leak data. That seems like a high percentage.

Kulkarni: It is a very high percentage. And the thing is, more often than not, these mobile applications are serving end user needs. We’re using mobile applications to access our bank balances, our schedules, our children’s schedules, whatever it may be. And these mobile applications, at the end of the day, are connecting to many backend systems to pull that data, aggregate it and provide it back to us in a very consumable form.

LW: Lots of sensitive data, data that’s valuable to somebody?

Kulkarni: Exactly. It’s a lot of valuable data, at least to you and I. It’s my bank balance, your bank balance. It’s your schedules, my schedule. The key, though, is these mobile applications are accessing backend servers over the Internet, mostly, to get to this data on your phones.

LW: Where are these leaks happening and why are they happening?

Kulkarni: The way access to the backend servers gets implemented is not always completely secure. So you can almost always do a man-in-the-middle kind of a scenario. You can interject that traffic and get access to a lot of sensitive data. And the other place where this is happening is in the mobile application itself.

Once the mobile application is residing on your phone it becomes a window to all this great data. It’s very easy to get around the mobile application on the phone because the mobile applications, themselves, are not implemented very securely. There are multiple points where data exfiltration is very easy.

LW: Application vulnerabilities were up, but remediations were down in 2019; how so?

Kulkarni: Everybody is talking about applications and application security; obviously the awareness level has gone up. Security teams are more focused than ever on bringing a larger number of applications under their application security program, which means they are testing a larger number of applications and finding more vulnerabilities.

So we’re finding more, but we’re not fixing those vulnerabilities. The application security funding model in organizations still needs to evolve as well. Which means if you’re testing more applications, and finding more vulnerabilities, you’ll need to allocate more budget to go fix these vulnerabilities.

I think the next move is going to be people will start to focus more on remediation; it will be an evolution. Over the next couple of years, I really hope that we see far more remediation of the critical vulnerabilities that are now being found.

LW: What’s going to compel companies to give more attention to this?

Kulkarni: Application security is now becoming a board-level conversation. Applications are now being recognized as store fronts; they are what’s driving business. Board members and executives are now very concerned about: ‘How quickly am I releasing applications? Are the applications performing well enough? Is the customer experience with the application good?’

LW: Will remediation be a big part of the general security framework, going forward?

Kulkarni: Yes, absolutely. You need to put in place a system that helps scale this remediation, at the same pace as new applications come up and more vulnerabilities are found. You’ve got to go down to a fundamental level, which is educating your developers.

What if you had security-aware developers who could actually write better code in the first place? That would certainly help, and not just in reducing the number of vulnerabilities found. Once a vulnerability is found, the developer would say, ‘Yep, I know how to fix that. I’ve seen that before. Let me go fix it.’

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)