Press review
December 18, 2024
Mobisec conducted an analysis of mobile apps in various sectors: healthcare, finance, energy, GDO, and telco. Subjected to nine different security tests, none of the apps were able to pass them all completely.
Treviso, September 17, 2024 – Five industry sectors (healthcare, finance, energy, GDO, and telco) and nine different security tests: the results of the dry runs (a testing process used to ensure that a system functions correctly and does not cause severe failures) performed with proprietary software by the ethical hackers of Mobisec, a Treviso-based company specializing in mobile application cybersecurity, are discouraging. None of the tested apps managed to pass all nine tests they were subjected to.
THE TESTS
Mobisec’s team of ethical hackers conducted all of these tests locally, installing the apps on both Android and iOS smartphones. There was no attempt to intrude into the servers. The tests were carried out using several of the tests outlined in the MASTG (Mobile Application Security Testing Guide), which is the manual that includes all the tests to assess whether a mobile app complies with the guidelines established by the MASVS (Mobile Application Security Verification Standard).
In other words, the Mobisec team took on the role of a hacker who, in the preliminary phase before an attack, aims to get a quick and general view of the potential access points to a mobile application in order to identify the perfect target. Among the elements tested were data encryption protection, the updating of libraries and security certificates, and the consistency between the service offered by the app and the permissions it requests (such as access to contacts or the camera).
HEALTHCARE
Regarding the healthcare sector, the analysis focused on apps for appointment booking and access to diagnostic test results from various regions in Italy. In this case, 27.7% of the tests conducted ended in failure. The main issue for the Android versions (all of which failed this test) was the verification of digital signature certificates, a problem that could allow the insertion of malicious software. On the other hand, 50% of the iOS applications showed the possibility of inserting fake data into security certificates, which are used for automatic system checks.
GDO
The Android apps in the GDO sector (apps from several large retail chains, both food and non-food) failed 54% of the tests. Specifically, all of them had the keyboard cache enabled, meaning that text typed into fields containing potentially sensitive information (such as usernames and passwords, but also tax codes—information that, if malware were present on the smartphone, could be easily stolen) could be stored by the keyboard and offered again as automatic suggestions. On the iOS side, the main issue affecting 75% of the tested apps was the mismatch between the security certificates on the app and those on the servers.
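The keyboard-cache finding corresponds to the MASTG check on sensitive data in the keyboard cache, and the fix is a per-field configuration on the Android side. The snippet below is an added example, not Mobisec's or any tested app's code: a helper that configures an `EditText` so the keyboard (IME) is told not to learn or suggest what is typed, plus a check function of the kind a unit or instrumentation test could call to confirm the field is configured that way. The function names are hypothetical; the `InputType` flags and `importantForAutofill` property are standard Android APIs (the latter from API 26).

```kotlin
import android.os.Build
import android.text.InputType
import android.view.View
import android.widget.EditText

// Added example (hypothetical helper, not the page's code): harden a text field
// that holds a username, tax code or password so the keyboard does not cache it.
// XML equivalent: android:inputType="textNoSuggestions" (or "textPassword")
// and android:importantForAutofill="no" on the <EditText>.
fun hardenSensitiveField(field: EditText, isPassword: Boolean) {
    field.inputType = if (isPassword) {
        // The password variation disables suggestions and the keyboard cache
        InputType.TYPE_CLASS_TEXT or InputType.TYPE_TEXT_VARIATION_PASSWORD
    } else {
        // Keep the text visible but tell the IME not to learn or suggest it
        InputType.TYPE_CLASS_TEXT or InputType.TYPE_TEXT_FLAG_NO_SUGGESTIONS
    }
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
        // Also keep the value out of the platform Autofill framework
        field.importantForAutofill = View.IMPORTANT_FOR_AUTOFILL_NO
    }
}

// Check usable from a test: true when the field's inputType means the IME
// should not cache what is typed (no-suggestions flag or a password variation).
fun isKeyboardCacheDisabled(field: EditText): Boolean {
    val type = field.inputType
    val noSuggestions = (type and InputType.TYPE_TEXT_FLAG_NO_SUGGESTIONS) != 0
    val variation = type and InputType.TYPE_MASK_VARIATION
    val password = variation == InputType.TYPE_TEXT_VARIATION_PASSWORD ||
        variation == InputType.TYPE_TEXT_VARIATION_VISIBLE_PASSWORD
    return noSuggestions || password
}
```

Running `isKeyboardCacheDisabled` over every input field in a screen is a cheap regression check that catches the case the analysis found: a field added later without the flag, which silently reintroduces the cache.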
FINANCE
There are two main issues with Italian banking apps: data encryption and the consistency between the services offered and the permissions requested. 67% of the apps tested, both on iOS and Android, did not pass these tests.
ENERGY
One of the most prominent issues found in energy sector applications is the use of third-party libraries, pieces of code written by other developers. While this solution saves time, it exposes the app to the risk that the code may be malicious and provide an entry point for attackers. 86% of the apps in this sector, both on iOS and Android, rely on outdated and insecure versions of these third-party libraries.
TELCO
80% of the apps from telecommunications companies failed the test that checks the consistency between the security certificates on the app and those installed on the server. This situation can expose the app to sniffing attacks, where an attacker intercepts the communication between the app and the server, or server spoofing attacks, where the attacker impersonates a server and steals the data sent by the app.
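The certificate consistency check described for the telco, GDO and iOS apps is, in practice, certificate or public-key pinning: the app ships the hash of the key it expects the server to present, so a proxy or impostor server with a different certificate is rejected during the TLS handshake. The snippet below is an added example, not Mobisec's or any operator's code, using OkHttp's `CertificatePinner` on Android (the same policy can be expressed declaratively in a Network Security Config `<pin-set>`). The hostname and the two pin values are placeholders; a real deployment computes them from its own certificate chain and always includes a backup pin so key rotation does not lock clients out.

```kotlin
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient
import okhttp3.Request
import javax.net.ssl.SSLPeerUnverifiedException

// Added example (hypothetical values, not the page's code). Pins are
// "sha256/" + base64(SHA-256 of the certificate's SubjectPublicKeyInfo).
const val API_HOST = "api.example-telco.invalid"          // placeholder host
val PINS = listOf(
    "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=", // placeholder: current key
    "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="  // placeholder: backup key for rotation
)

// Build an HTTP client that only completes a TLS handshake with API_HOST when
// one of the pinned keys appears in the presented chain.
fun pinnedClient(): OkHttpClient {
    val pinner = CertificatePinner.Builder().apply {
        PINS.forEach { pin -> add(API_HOST, pin) }
    }.build()
    return OkHttpClient.Builder().certificatePinner(pinner).build()
}

// Returns true when the server presented a pinned key, false when the chain
// did not match, which is what an interception proxy or a spoofed server
// would trigger. Other I/O errors are left to the caller.
fun serverMatchesPins(client: OkHttpClient): Boolean =
    try {
        val request = Request.Builder().url("https://$API_HOST/health").build()
        client.newCall(request).execute().use { /* body not needed */ }
        true
    } catch (e: SSLPeerUnverifiedException) {
        // OkHttp raises this when no pin in the chain matched
        false
    }
```

The failure mode to plan for is the reverse of the one in the analysis: pins that are correct at release but never updated will start rejecting the legitimate server after the next certificate rotation, which is why the backup pin and an expiry or update path belong in the same change as the pin itself.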
«The elements we tested represent potential weaknesses that a malicious hacker could try to exploit to gain access to data, both that stored on individual smartphones and on servers», emphasizes Riccardo Poffo, Chief Technical Officer of Mobisec. «Both Apple and Google invest heavily in the security of their operating systems, as do the developers who create the hundreds of libraries that populate software. However, daily patches are released to fix security issues, but they are not applied with the necessary frequency by those maintaining the apps», he continues, «This is a cultural problem imposed by the market and modern software development practices, with developers facing tight deadlines and focusing too much on continuous releases, without allocating the time required to apply these crucial security updates that are essential to prevent cyber incidents. That’s why a service like Mobisec DSA (Dynamic Security Analysis), which enables continuous and regular security checks on apps, helps promptly identify potential security vulnerabilities and take action to fix them».