Survey: 90% of top applications for crypto have security and privacy risks
In the survey of 90 types of encrypted mobile applications available at 90%, security vulnerabilities and privacy risks were included.
Web security company Hi-Tech Bridge is a dynamic, static, interactive, web search engine for searching mobile applications for weaknesses, including the top ten mobile defects listed in the Open Web Application Security Project (OWASP) I carried out research using tests.
"Google picks out the most popular encrypted mobile applications from the" finance "category and is responsible for security flaws and design weaknesses that may pose a risk to the user, data stored on the device, Tested. The mobile device itself, "High Tech Bridge reported in a blog post on November 29.
The company divided the application into three groups of up to 300,000: the most popular applications with up to 100,000 installations, the top app with up to 500,000 installations, the top app with more than 500,000 installations.
By combining these applications, 84.6% of applications were judged to contain at least two high-risk vulnerabilities and 84.3% were detected with at least three middle-risk bugs.
Almost half of the applications (47%) were considered vulnerable to man-in-the-middle attacks, and 48% were found to contain hard-coded confidential data such as passwords and API keys. In addition, 46.6% cited functions that could endanger the privacy of users.
In addition, researchers have confirmed that 80.3 applications do not enhance or protect backend APIs and Web services, 19.3% have backends that can be exploited with POODLE vulnerabilities.
Many applications also have weaknesses of encryption. 61% sent data without encrypting via HTTP, 37% found that encryption was inadequate.
Finally it turned out that 100% of the applications do not have reliable protection against reverse engineering.
Three vulnerabilities of OWASP were found most frequently among 90 types of encryption applications. Inadequate platform usage, insecure data storage, and insufficient encryption.
"Over the years, cybersecurity companies and independent experts are concerned about the risk of" agile "development, which usually does not mean a framework that guarantees secure design, secure coding and enhancement technology, or application security testing, mobile application development We were informing the person, "CEO Ilia Kolochenko founder of the high-tech bridge. "But this is just the tip of the iceberg Mobile apps usually have fewer exploitable vulnerabilities than the backend. The weakness of mobile applications leads to infringement of mobile devices and their data and backend vulnerabilities APIs may allow an attacker to deprive the user of the integrity of the data.