Appicaptor Security Index 2017

The use of apps in enterprises requires a critical consideration of the included risks in order to be able to effectively counteract the threats through an analysis and approval mechanism. Today, we have published results of automated Appicaptor analyses for the top 2,000 free iOS and Android apps.

Chart of blacklisted apps per category, Appicaptor Security Index 2017
Blacklisted apps per category. The bars for each exemplary selected function class show the respective proportion of the three risk classes. Appicaptor Security Index, September 2017

When assessing the fitness for corporate use, it is not very surprising that apps for the processing of corporate data are quite critical. In particular, the functional class of the File Manager apps shows a significant risk of usage with 76% iOS apps classified as unsuitable for corporate use (see figure). This is even higher with Android at 88%. The reasons for the blacklisting of both platforms are a very high ratio of IT security weaknesses and privacy relevant risks (see report for further analysis details).

The report also shows new insights about security characteristics of hybrid apps, which affect resources such as the phone book, calendar, clipboard, position data and even access to local data storage in the sandbox of the vulnerable app. For the ratio of analyzed Cordova iOS apps, 81.6% (Android 80.3%) currently have the precondition for manipulating the app via web content to attack the JavaScript bridge to smartphone resources.

AFNetworking and Cordova usage statistics
Even 14 months after the release of a serious vulnerability in the AFNetworking library for iOS, 20% of the free top 2,000 apps containing AFNetworking use vulnerable versions. After 30 months, 12% of the AFNetworking versions used are still vulnerable. In hybrid apps, vulnerable Cordova versions are also being used. (Appicaptor, September 2017)

The effects vary greatly depending on the smartphone resources used and the data processed. However, the ability to include these factors in a code analysis automatically allows for a more accurate risk assessment, so that only those apps that pose a specific risk are excluded from use in the company.

Other risks for Cordova apps are also the use of known vulnerable Cordova versions, which are used by 23.5% of iOS and 7.2% of Android Cordova apps. This makes it possible for attackers, e.g. under Android in Cordova versions prior to 3.5.1 to launch the Cordova app with other HTML page content via a link in order to misuse the available plug-ins with access to critical resources for their purposes.

But also the ratio of known vulnerable JavaScript libraries in Cordova Apps is a major problem with 36.7% (Android 38.3%). For example, using the vulnerable Angular. js version 1.4.4 allows attackers to break out of a secure ng-bind-html environment by manipulating user input. This environment normally allows only HTML formatting to be used, calls of JavaScript or other active content are prevented. The known weakness of this version allows attackers to bypass the protection mechanism, which again allows all available permissions of the app to be abused by an attacker.

Download the complete Appicaptor Security Index 2017.

Visit us on it-sa 2017

We present details about our Appicaptor service and specific security findings based on corresponding app security research at the IT Security Expo it-sa 2017 (10 to 12 October 2017 in Nuremberg, Germany). Visit our booth in Hall 9 / 9-410 to get a live tour on how Appicaptor provides you with everything you need to make informed decisions in app approval processes and see insightful live demos of attacks on hybrid apps.

In the absence of security quality, attackers can easily modify the functionality of hybrid apps, generated using HTML, JavaScript, CSS and native plugins for access to smartphone resources. Appicaptor already detects related attack entry points such as unprotected communication, insecure SSL certificate validation or vulnerable third party libraries and correlates the inferred app model with the app’s permissions to draw Appicaptor customer’s attention to the resulting risks.

We demonstrate this attack by showing how trustworthy but flawed hybrid apps can be modified on the fly to generate wiretapping devices, just by injecting new functionality that unnoticeable records the smartphone’s ambient audio to an attacker’s cloud storage. According to our published analysis results that will be published for it-sa 2017, hybrid apps for iOS and Android are packed with flaws that allow attackers to do this by using malicious WiFi-hotpots or crafting special user input.

Make an appointment for a live demo and get a free voucher code for it-sa 2017.