
75% Of India’s Top 100 Android Apps Have Contained Security Risks: Appknox Report 2022

Written by ga_dahmani

Bengaluru, June 28th, 2022: Appknox, a leading mobile security testing platform, has published a report today titled “Evidence-Based Insights: India’s Top 100 Tested Android Mobile Apps for Cybersecurity”. In recent years, our dependency on apps has increased tremendously. These apps have access to a great deal of sensitive data, and Appknox helps businesses and customers understand the resulting security risk.

According to research by the Data Security Council of India (DSCI), India’s cybersecurity industry nearly quadrupled during the pandemic, with revenue from cybersecurity goods and services rising from $5.04 billion in 2019 to $9.85 billion in 2021. Rapid digitization, more regulatory attention on data and privacy, and growing boardroom understanding of cyber dangers, among other factors, contributed to the increase. Given the hype and awareness around cybersecurity, it becomes essential to conduct reality checks and analyze where the stars of the Indian Android app market stand in terms of cybersecurity performance.

In this report, Appknox presents the Top 100 Android Mobile App Mobile Security Assessment Report. Here are the reasons why the company chose 100 Indian apps:

India is now the first country globally for the number of apps installed and usage per month (Source: Forbes). With one of the largest user bases and the volume of critical data at risk, it becomes essential to assess the security performance of some of the most popular and trusted Indian applications.

Appknox put all 100 apps through a rigorous automated testing process using Appknox, our mobile app security solution. As part of this security testing process, each application went through 14 different test cases. According to globally accepted security standards, all of these tests are the basic security checks that every mobile app should ideally go through. These checks help determine essential parameters such as how the app stores data, how much data is shared and accessible, whether payments are secure, whether there is a potential loophole that could lead to data leaks, and more.

Harshit Agarwal, CEO of Appknox, said, “Whether it’s early risers or giant Fortune 500 companies, Appknox has always been instrumental in building a secure mobile ecosystem for businesses around the world by using their system plus human approach to beat hackers in their own game. We put together this report to make application developers aware of the importance of creating applications without vulnerabilities.”

What were the most prominent vulnerabilities detected in these applications?

The research found that some of the most prominent Indian apps lag behind even the most basic security checks. Some of the critical vulnerabilities detected in these applications included:

  1. 79% of apps were affected by network security misconfiguration: Organizations must retain only the minimum necessary information. If eBay had not stored unnecessary information such as dates of birth and addresses, the risk of identity theft after the attack would have been greatly reduced.
  2. 79% of applications had CA SSL validation and certificate pinning disabled: Certificate pinning is the process of associating a host with its expected X.509 certificate or public key. Once a certificate or public key is known for a host, it is associated with, or “pinned” to, that host. If more than one certificate or public key is acceptable, the app holds a pin set; in that case the identity presented by the server must match one of the items in the pin set.
  3. 78% of applications lacked sufficient code obfuscation: Java source code is usually compiled into Java bytecode, the Java virtual machine instruction set. Compiled Java bytecode can be easily converted back to source code using freely available decompilers. Bytecode obfuscation is the process of modifying Java bytecode (executable or library) so that it is much harder for an attacker to read and understand while remaining fully functional. Insufficient obfuscation makes it easier for threat actors to decompile or reverse engineer the code.
  4. 42% of applications had insufficient transport layer protection: Insufficient transport layer protection issues occur when data is sent from the mobile app to the server over unsecured channels. Whether the data is transmitted over the carrier’s network or WiFi, it will traverse the Internet before it reaches the remote server.
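The obfuscation finding above is usually addressed on Android by enabling R8 (the shrinker and obfuscator bundled with the Android Gradle Plugin) for release builds. The following `app/build.gradle.kts` fragment is an added example and not configuration from the report or from any of the tested apps; it assumes the Android Gradle Plugin is already applied to the module.

```kotlin
// app/build.gradle.kts (Gradle Kotlin DSL). Added example; assumes the
// Android Gradle Plugin ("com.android.application") is applied above.
android {
    buildTypes {
        getByName("release") {
            // R8: remove unused code, optimise, and rename classes/members
            // to short meaningless names so decompiled output is hard to read.
            isMinifyEnabled = true
            // Also strip unused resources so less of the app ships in the APK.
            isShrinkResources = true
            // The "-optimize" default rules enable R8's optimisation passes;
            // proguard-rules.pro holds the project's own -keep rules for
            // classes reached via reflection or serialisation.
            proguardFiles(
                getDefaultProguardFile("proguard-android-optimize.txt"),
                "proguard-rules.pro"
            )
        }
        getByName("debug") {
            // Debug builds stay readable for developers and must never be shipped.
            isMinifyEnabled = false
        }
    }
}
```

Two caveats worth keeping in mind: obfuscation only renames symbols, so string constants (API keys, URLs, secrets) stay readable in the output, which is why the credential advice later in this article still applies; and every class the app reaches by reflection or through a serialisation library needs an explicit `-keep` rule in `proguard-rules.pro`, otherwise the release build breaks at runtime where the debug build worked.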

Some mobile app security best practices to mitigate these risks:

Mobile apps must be built to run in a harsh environment prone to frequent attacks. And given the widespread vulnerabilities found in Indian Android apps, it’s about time businesses adopted these mobile app security best practices.

Do not hardcode credentials: It has often been seen that mobile application developers hardcode credentials into the app. Instead of shipping embedded application credentials, the credentials and services an application uses should be authenticated at runtime.

Reduce app permissions: Permissions empower apps, but they also create a lot of risk. Unnecessary permissions, even on a legitimate app, can cause privacy and compliance problems and make the app a target for attackers.

Certificate pinning should be used whenever possible: Unlike protected web applications, mobile apps connect from unsecured networks most of the time, because these apps are used on the go. One of the best techniques to counter attacks such as man-in-the-middle attacks on these networks is certificate pinning.
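The pin-set behaviour described in the findings (the server’s identity must match one of several acceptable public keys) and the pinning recommendation here can both be implemented in an Android app with OkHttp’s `CertificatePinner`. The Kotlin below is an added example, not code from Appknox or from any app in the report; the host name is hypothetical and the two `sha256/...` pin values are placeholders that must be replaced with the SPKI hashes of the app’s real backend keys.

```kotlin
import okhttp3.CertificatePinner
import okhttp3.ConnectionSpec
import okhttp3.OkHttpClient
import okhttp3.Request
import java.util.concurrent.TimeUnit
import javax.net.ssl.SSLPeerUnverifiedException

// Hypothetical backend host used for this example.
private const val API_HOST = "api.example.com"

// Pin set: base64 SHA-256 hashes of the SubjectPublicKeyInfo of the keys the
// app will accept. Both values are PLACEHOLDERS. Pinning two keys (current and a
// pre-generated backup) lets the operator rotate keys without bricking the app.
private val pinner: CertificatePinner = CertificatePinner.Builder()
    .add(API_HOST, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=") // current key
    .add(API_HOST, "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=") // backup key
    .build()

// TLS-only client: MODERN_TLS excludes the CLEARTEXT spec entirely, so an
// accidental http:// URL fails instead of silently sending data unencrypted
// (the "insufficient transport layer protection" finding above).
val secureClient: OkHttpClient = OkHttpClient.Builder()
    .connectionSpecs(listOf(ConnectionSpec.MODERN_TLS))
    .certificatePinner(pinner)
    .connectTimeout(10, TimeUnit.SECONDS)
    .build()

// Returns the response body on success, or null if the request failed or the
// server's key did not match any entry in the pin set.
fun fetchProfile(): String? {
    val request = Request.Builder()
        .url("https://$API_HOST/v1/profile")
        .build()
    return try {
        secureClient.newCall(request).execute().use { response ->
            if (response.isSuccessful) response.body?.string() else null
        }
    } catch (e: SSLPeerUnverifiedException) {
        // Pin mismatch: OkHttp's message lists the hashes it actually saw.
        // Fail closed and report it; do not fall back to an unpinned client.
        null
    }
}
```

The same policy can be expressed declaratively in Android’s `network_security_config.xml` (a `<pin-set>` with an expiry date plus `cleartextTrafficPermitted="false"`), which also covers libraries that do not go through OkHttp. Whichever mechanism is used, keep a backup pin and a key-rotation plan: a pin set with a single key turns a routine certificate renewal into an outage for every installed copy of the app.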

Switch to automated mobile app security testing: Companies must carry out periodic security tests on the application to find the vulnerabilities present in it and to ensure that coding practices are both good and secure.

Maintain compliance with rules and regulations: Make sure your application complies with major industry standards such as OWASP (Open Web Application Security Project), PCI DSS (Payment Card Industry Data Security Standard), GDPR (General Data Protection Regulation), and ISO 27001. This would improve the security readiness of your application and strengthen trust among your customers.

Upgrade to DevSecOps: DevSecOps allows you to address security issues from the start, so that you are up and running with little or no extra effort spent on each security issue that creates a potential risk. This could also be your company’s competitive advantage, with faster time to market and uninterrupted business.

Appknox offers one of the most advanced plug-and-play security solutions, integrated with astute vulnerability assessment and penetration testing tools that help security experts and developers build the most secure mobile apps. Appknox SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), and APIT (Application Program Interface Testing) are the best way to ensure your code is secure. VA (Vulnerability Assessment) tools identify and eliminate security vulnerabilities and software defects in the early stages of development. That helps ensure your software is safe, reliable, and compliant.

Appknox VA helps you:

  • Identify and analyze security risks and prioritize severity based on CVSS (Common Vulnerability Scoring System) reports
  • Perform fast real-time and API testing to drill down into vulnerabilities
  • Meet standard compliance requirements
  • Verify and validate through testing
  • Achieve compliance and certification faster
