So there I was thinking about how quiet it all seemed out there in techie land, too damn quiet if you ask me, and wondering whether this was connected with the increasing number of disturbing predictions for the state of the global economy in 2016, from George Osborne’s “dangerous cocktail” of threats to RBS’ advice to clients to sell all their shares.
As you do.
And then, purely by good fortune, while I was musing on matters of financial health, an email concerning that subject arrived in my email inbox. I should hasten to add it wasn’t a notification from my bank informing me of my latest statement or an invitation from someone in Nigeria to send funds to help unlock millions stored abroad.
Instead, it was a press release trumpeting the highlights of Arxan’s 5th Annual State of Application Security Report. The main finding was that 90% of mobile health and finance apps tested by Arxan were vulnerable to at least two of the Open Web Application Security Project’s (OWASP) top 10 risks.
The report was also quick to disabuse those foolish enough to believe that approval of a mobile health app by the NHS or the US Food and Drug Administration made it more secure, finding that 80% of such apps suffered from at least two of the OWASP top 10 risks.
The report argued that the vulnerabilities in health and finance apps could have significant effects on users’ financial health and their medical well-being. A lack of binary protection, allied to insufficient transport layer protection, could “result in application code tampering, reverse-engineering, privacy violations and data theft”.
As well as losing sensitive data, users could lose their lives if a health app was “reprogrammed to deliver a lethal dose of medication” or find themselves out of pocket if a finance app was tampered with “to redirect the transfer of money” out of their accounts.
Mind you, it’s not as if users are completely unaware of the risks posed to their mobile apps; it’s just that they don’t appreciate those risks already exist. The report found 48% of them fully expected their mobile health and finance apps to be hacked, just not today. Instead (and optimistically, given the findings of the report), they predicted their apps would be hacked within six months, which, when you think about it, is hardly a resounding vote of confidence in the security of mobile apps.
The report contains some useful suggestions for users and businesses. Users are advised to only get apps from authorised app stores, warned not to use jailbroken devices and urged to demand more transparency about the mobile apps they use.
For their part, businesses should align their spending with security risks by concentrating more on the application layer, ensure apps have binary protection and transport layer protection, and set their security bar above that of regulatory bodies, since those bodies lag behind cyber criminals.
“Apps ‘approved’ by trusted sources such as regulatory/governing bodies like the US FDA or the UK NHS are no more secure than unapproved apps,” the report warns.
Many years before mobile apps existed, Virgil linked the two -ealths when he wrote: “The greatest wealth is health.” More recently, we have linked the two -ealths in other ways, such as when we talk about “healthy finances” or “financial health”. It’s apposite, then, that poor security on mobile apps could prove a threat to both.
As for channel partners, by taking note of Arxan’s recommendations they can do their bit to help clients ensure the mobile apps they choose don’t damage either of their -ealths.
As for the rest of us…