KLIKA RESEARCHES THE SECURITY OF MOBILE APPLICATIONS IN BOSNIA AND HERZEGOVINA – THE RESULTS ARE NOT IMPRESSIVE
14 Aug 2020
The use of mobile applications on the market of Bosnia and Herzegovina is constantly increasing. According to the Agency for Statistics of Bosnia and Herzegovina, in the report "Telecommunication Equipment, Networks and Services, BiH, 2017", there were more mobile devices than residents in the country. In addition, the number of mobile internet users is growing day by day; according to the same 2017 report, there were 1.5 million mobile internet users in the country.
In the past few months, the Klika Security Sense team, which focuses on application security, has conducted research on the current state of mobile applications intended for users in Bosnia and Herzegovina and built by regional companies. The research covered about 100 mobile applications from several categories: Finance, Food, Government Organizations, Media, News, Online Shopping, Sports, and Transportation.
The results show that most applications do not meet basic security standards: the average score was 40 out of 100 points, and the average CVSS score was 5.4. An application with no security vulnerabilities scores 100 points, and each vulnerability reduces that number by an amount that depends on its severity. CVSS (Common Vulnerability Scoring System) is the standard rating used to describe the severity of security vulnerabilities; a score of 5.4 falls in the Medium severity range (4.0 to 6.9). Applications from the Finance sector performed especially poorly: considering only native mobile applications, the Finance sector scores 24 out of 100.
What is the underlying problem with the applications we have analyzed?
During the analysis, we noticed that most applications have at least one security vulnerability, and the most common were the following:
• Leaking of sensitive information - Applications often write PII (Personally Identifiable Information) and even user passwords to their log files, where any other process or tool that can read the logs can collect them.
• Susceptibility to phishing attacks - Another application or system can pose as the genuine application and thereby obtain data (such as credentials) that should be protected.
• Man in the Middle attack - An ordinary interception proxy can read and modify the data an application sends and receives over the network, even when the application uses HTTPS. In practice this is possible because the application accepts any server certificate or does not pin the certificate it expects.
• Mobile malware - Other applications on the device can access or interact with the original application (its components, files or exported interfaces) without the user's knowledge.
• Financial fraud - Misuse of some applications as a starting point for social engineering to obtain financial benefits.
• Repackaging and cloning applications - Applications can be decompiled, modified (new behaviour added) and republished on unofficial app stores.
• Insufficient data encryption - Modern applications often store data in a local database, and very often that data is unprotected or poorly protected.
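The first finding in the list above, sensitive data in log files, is also the easiest one to check for yourself. The script below is an added example, not code from the original article or from Klika: it scans exported log output (for instance the text of an Android logcat capture) for e-mail addresses, credential-style fields and payment-card numbers validated with the Luhn check, and shows how a log line would look once such fields are redacted. The sample log lines are constructed for the example and do not come from any real application; the regular expressions are simple triage heuristics, not an exhaustive PII detector.

```python
import re

# Constructed sample lines in logcat style (not from any real application).
SAMPLE_LOG = """\
03-14 10:02:11.532 D/LoginActivity: request body={"username":"amir@example.com","password":"Sup3rSecret!"}
03-14 10:02:11.601 I/OkHttp: --> POST https://api.example.com/v1/login
03-14 10:02:12.004 D/PaymentActivity: saving card 4111111111111111 exp 12/24
03-14 10:02:12.010 D/PaymentActivity: order id 1234567890123456
03-14 10:02:12.210 I/OkHttp: <-- 200 OK (605ms)
03-14 10:02:12.311 D/SessionStore: token=eyJhbGciOiJIUzI1NiJ9.e30.abc
"""

# Heuristic patterns; the names are assumptions for this example.
EMAIL_RE = re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}')
# key=value or "key":"value" style credential fields; group 1 is the key, group 2 the value
SECRET_RE = re.compile(r'(?i)\b(password|passwd|pwd|token|secret)["\']?\s*[:=]\s*["\']?([^\s"\',}]+)')
# candidate card numbers: 13 to 19 consecutive digits, confirmed below with the Luhn check
DIGITS_RE = re.compile(r'\b\d{13,19}\b')


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_log(text: str):
    """Return a list of (line_number, category) findings for a block of log text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if EMAIL_RE.search(line):
            findings.append((lineno, 'email'))
        m = SECRET_RE.search(line)
        if m:
            findings.append((lineno, 'secret:' + m.group(1).lower()))
        for run in DIGITS_RE.findall(line):
            # a plain numeric id (like the order id above) fails Luhn and is not reported
            if luhn_ok(run):
                findings.append((lineno, 'card-number'))
    return findings


def redact(line: str) -> str:
    """Mask credential values, card numbers (keep last 4 digits) and e-mail addresses."""
    def mask_secret(m):
        # keep everything up to the start of the value, replace the value itself
        return m.group(0)[: m.start(2) - m.start(0)] + '[REDACTED]'

    def mask_card(m):
        run = m.group(0)
        return '*' * (len(run) - 4) + run[-4:] if luhn_ok(run) else run

    line = SECRET_RE.sub(mask_secret, line)
    line = DIGITS_RE.sub(mask_card, line)
    line = EMAIL_RE.sub('[EMAIL]', line)
    return line


if __name__ == '__main__':
    for lineno, category in scan_log(SAMPLE_LOG):
        print(f'line {lineno}: {category}')
    print('--- redacted ---')
    for line in SAMPLE_LOG.splitlines():
        print(redact(line))
```

Run against the constructed sample, the scanner reports the e-mail address and password on line 1, the card number on line 3 and the session token on line 6, while the 16-digit order id on line 4 is left alone because it fails the Luhn check. The correct fix in the application is not to log these fields at all (and to disable debug logging in release builds); redaction as shown here is a fallback for logs that must exist.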
The results also confirm that the Finance sector is the most common target of cybercriminals. In the past 12 months we have witnessed an increase in attacks on the banking sector in Bosnia and Herzegovina, ranging from DDoS attacks and card theft to highly sophisticated attacks on ATM networks.
Mobile applications are one of the channels of attack. One dimension that is often overlooked is what an attacker can do with physical access to the device. This threat has always been part of system security thinking, but in practice it used to be much harder to carry out (stealing a desktop computer, laptop or server) than it is with a mobile phone, which is far easier to steal or lose.
Misuse of mobile applications is not limited to physical access to the device; an application can also be attacked remotely. For example, Promon recently showed that a malicious app can impersonate almost any other application on the device and pick up the user's input intended for it (StrandHogg 2.0).
How to protect yourself?
There are steps that end users can take as soon as today:
• Use two-factor authentication.
• Always check the correctness of the URL when opening links and emails.
• Avoid insecure WiFi networks.
• When installing applications, use only the official app stores.
If you are developing mobile applications, we advise you to perform penetration testing periodically. The depth of security testing depends on who the application's users are and what data the application handles. For example, a basic level of testing is sufficient for an application that displays news, while a high level of testing is required for applications that deal with financial or health data.
If it turns out that your apps are not secure enough, you are not alone: according to Gartner, 75% of mobile apps would fail a basic security test. However, there is a way to make your applications more secure - Klika Security Sense. Klika offers first-class vulnerability testing services for native and hybrid applications. Our security analysts are at your disposal to discuss test findings and help you create a security strategy. In addition, we offer full development support, can recommend tools, and help you avoid security risks.