Wandera announced the findings of a comprehensive security assessment of the most popular business apps used on corporate mobile devices by enterprise customers across North America, Europe and Asia.
The ten apps analyzed in the report are very widely used around the world by enterprise employees and have been downloaded an estimated 1.4 billion times from the Google Play store. Within Apple’s App Store, they fall within the top 0.05% of all published apps and are primarily classified in the business and productivity categories.
The ten apps analyzed were put through an extensive security assessment, using the Open Web Application Security Project (OWASP) Mobile Security Risks as a foundation.
According to the OWASP test, the most common vulnerabilities impacting mobile apps are insecure data storage, insufficient transport layer protection, lack of binary protections and poor authorization and authentication.
The insecurity of top enterprise apps
- 10 out of the 10 apps are vulnerable to at least three of the OWASP Top 10 Mobile Risks, including the two most fundamental issues: data storage security and data transport security.
- 10 out of the 10 apps contain at least five of the 28 weaknesses tested and fail to use secure data storage to protect Personally Identifiable Information.
- 9 out of the 10 apps do not use Certificate Pinning at all, and are therefore vulnerable to Man-in-the-Middle attacks (the single application that does use this protection mechanism fails to implement it properly).
- 8 out of the 10 apps allow the use of weak passwords and 3 out of 10 apps allow the use of weak encryption.
Perhaps most notably, the survey results reveal that enterprises should not overlook the fact that corporate data resides in mobile apps making mobile security a critical concern.
To improve mobile security, IT departments need to implement third party safety nets around applications and address data security holistically. It is essential that developers utilize a secure development process and thoroughly test code before releasing it to users.