Global web security company High-Tech Bridge has announced today its online service Mobile X-Ray, that tests mobile application security and privacy.
Providing a user-friendly report with remediation guidance, the service performs dynamic (DAST), static (SAST) and behavioural analysis of native and hybrid iOS and Android apps, promptly detecting the wide spectrum of most common weakness and vulnerabilities, including OWASP mobile top ten.
Mobile backend:
- 88% of API and web services used in the mobile backend contain exploitable vulnerabilities allowing access to sensitive or even confidential data
- 69% of API and web services used in the mobile backend do not have sufficient anti-automation mechanisms or protections (e.g. WAF) against common web attacks
Android applications:
- At least one OWASP mobile top ten vulnerability was found in 97% of applications
- Over 78% of applications have at least one high and two medium risk vulnerabilities
- Over 63% of applications have no or weak encryption when sending or receiving sensitive data
- Every second application contains hardcoded encryption keys, credentials or other sensitive data
- Over 56% of applications use exceeding or undocumented entitlements, thus endangering privacy
- Less than 5% of applications use anti-debugging mechanisms to impede reverse-engineering
- Less than 30% of applications follow secure-coding best practices and guidelines
iOS applications:
- At least one OWASP mobile top ten vulnerability can be found in 85% of applications
- Over 69% of applications have at least one high and two medium risk vulnerabilities
- Over 50% of applications have no or weak encryption when sending or receiving sensitive data
- Every second application contains hardcoded encryption keys, credentials or other sensitive data
- Over 40% of applications use exceeding or undocumented entitlements, thus endangering privacy
- Less than 9% of applications use anti-debugging mechanisms to impede reverse-engineering
- Less than 20% of applications follow secure-coding best practices and guidelines
Ilia Kolochenko, CEO and founder of High-Tech Bridge, said: “Mobile applications have become an inseparable part of everyday business and private life. In light of skyrocketing data breaches, many different research reports urge to enhance mobile application security and privacy.
“Unfortunately, most developers just don’t have enough resources, time or budget to properly test their mobile app before going to production. At High-Tech Bridge, we are excited to fulfil this gap and offer a unique online service for the benefit of the cybersecurity community and independent developers.
“We should however, keep in mind that the most dangerous and detrimental vulnerabilities mainly lay in the mobile backend that can be reliably detected using ImmuniWeb Mobile. It also provides advanced manual testing of business logic and identify other complicated flaws undetectable in full automation.”
Written from press release by Leah Alger