Enterprise Mobile Apps Burdened by Weak Data Security Practices

Recent research from security vendor Zimperium has unveiled troubling findings about the state of encryption and data protection policies in mobile business applications. Analyzing approximately 54,000 applications designed for Android and iOS, Zimperium identified that a staggering nine out of ten lack sufficient protective measures, rendering organizations vulnerable to significant data leaks. This research highlights the pressing need for businesses to reassess their mobile application security protocols.

Unlike data breaches, which often arise from external hacking attempts, data leaks are frequently the result of negligence and inadequate security practices within the applications themselves, according to Zimperium’s findings. The researchers uncovered numerous vulnerabilities, including cases where unauthorized access was granted to sensitive information. Notably, they discovered ten Android applications that not only collected user credentials but also inadvertently exposed Amazon Web Services (AWS) credentials, a significant concern for organizations utilizing cloud infrastructures.

The implications of these security lapses can be dire. Instances of mobile user data breaches are becoming increasingly common due to misconfigurations, particularly of AWS servers that host critical cloud data. Zimperium’s research additionally revealed that over a hundred Android applications were relying on poorly configured cloud services, making it easier for attackers to access stored information.

One of the most alarming discoveries was the widespread misuse of encryption. The analysis determined that 88% of the tested applications used encryption in ways that fall short of industry best practices. This included storing hard-coded cryptographic keys locally on devices, reusing keys across multiple sessions, and employing insecure random number generators to create new keys. Furthermore, many applications were found using outdated encryption algorithms, which could expose intercepted keys and give adversaries an opportunity to exploit that data in further attacks.

Zimperium warns that these vulnerabilities not only leave organizations at risk of data leaks but also expose them to potential regulatory sanctions stemming from non-compliance with data protection standards. Additionally, compromised credentials can serve as entry points for threat actors, escalating the potential for large-scale data breaches.

Given these vulnerabilities, Zimperium advises organizations to conduct thorough evaluations of enterprise apps prior to their deployment for employee use. This assessment should include a careful review of the application’s software development kits (SDKs) and integrations with cloud services, as well as a meticulous analysis of the encryption algorithms employed and their implementation within the app.
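As an added example (not part of the Zimperium research or this article), a small Python checker of the kind that the pre-deployment review described above could run over decompiled Android source, flagging the practices the analysis calls out: hard-coded keys, weak random number generators, outdated algorithms and ECB mode, plus AWS access key IDs left in code. The sample source lines and the rule patterns are constructed for illustration; the AKIA prefix rule relies on the documented AWS access key ID format.

```python
import re

# Constructed sample of decompiled Android source lines (not from a real app).
# The AWS value is the placeholder key ID used in AWS documentation.
SAMPLE_SOURCE = """\
byte[] key = "0123456789abcdef".getBytes();
SecretKeySpec spec = new SecretKeySpec(key, "AES");
Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
Random r = new Random();
r.nextBytes(iv);
Cipher d = Cipher.getInstance("DES/CBC/PKCS5Padding");
String accessId = "AKIAIOSFODNN7EXAMPLE";
SecureRandom sr = new SecureRandom();
"""

# Each rule: (name, pattern). Patterns are deliberately narrow heuristics for
# the weak practices named in the article; a real review would extend them.
CHECKS = [
    # key/secret/IV material assigned from a string literal
    ("hardcoded-key", re.compile(r'(?:byte\[\]|String)\s+\w*(?:key|secret|iv)\w*\s*=\s*"', re.I)),
    # java.util.Random instead of SecureRandom for cryptographic material
    ("weak-rng", re.compile(r"\bnew\s+Random\s*\(")),
    # legacy ciphers that should not protect sensitive data
    ("weak-algorithm", re.compile(r'Cipher\.getInstance\("(?:DES|RC4|ARCFOUR|Blowfish)[/"]', re.I)),
    # ECB mode leaks plaintext structure even with a strong cipher
    ("ecb-mode", re.compile(r'Cipher\.getInstance\("[^"]*/ECB/')),
    # AWS access key IDs embedded in the app (article: exposed AWS credentials)
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
]


def scan_source(text):
    """Return (line_number, rule_name, line) for every rule hit, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in CHECKS:
            if pattern.search(line):
                findings.append((lineno, name, line.strip()))
    return findings


def summarize(findings):
    """Count hits per rule so a review can prioritise what to look at first."""
    counts = {}
    for _, rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for lineno, rule, line in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}: {line}")
    print(summarize(scan_source(SAMPLE_SOURCE)))
```

The rules only catch obvious patterns in source; key reuse across sessions and misconfigured cloud back ends still need runtime and configuration review.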

These findings underscore a critical need for organizations to improve their cybersecurity posture by taking proactive steps in application security. By adopting a more stringent review process for mobile applications and ensuring adherence to secure coding practices, companies can mitigate the risk of data breaches and enhance their overall resilience against cyber threats. In terms of the MITRE ATT&CK framework, businesses should be aware that attacks leveraging these weaknesses could involve tactics such as initial access through credential harvesting and persistence enabled by inadequate encryption, ultimately jeopardizing sensitive organizational information.
