75% of India’s top 100 Android apps have security risks


Bangalore: 75% of India’s top 100 Android apps contain security risks, according to the latest report from Appknox, a mobile app security testing platform.

The report, titled “Evidence-based Insights – India’s top 100 Android Mobile Apps tested for Cybersecurity,” claims that these apps have access to a great deal of sensitive data.

According to research by the Data Security Council of India (DSCI), India’s cyber security industry nearly quadrupled during the pandemic, with revenues from cyber security goods and services rising from $5.04 billion in 2019 to $9.85 billion in 2021.

Rapid digitalization, more regulatory attention on data and privacy, and growing boardroom understanding of cyber dangers, among other factors, all contributed to the surge. This makes it crucial to perform reality checks and analyse where the leading apps in the Indian Android market stand in terms of cybersecurity performance.

In this report, Appknox presents its mobile security assessment of the top 100 Android mobile apps. Here’s why the company chose 100 Indian apps:

India is now the #1 country globally in the number of apps installed and used per month. With one of the largest user bases and a large volume of critical data at risk, it becomes essential to assess the security performance of some of the most popular and trusted Indian apps.
 
Appknox put all 100 applications through a rigorous automated testing process using its mobile app security solution. As part of this process, each application went through 14 different test cases.

According to globally accepted security standards, all of these tests are basic security checks that every mobile application should ideally go through. They help determine essential parameters such as how the app stores data, how much of it is shared and accessible, whether payments are secure, whether there is a possible loophole that could lead to data leakage, and more.
 
“Be it the early birds or the giant Fortune 500 companies, Appknox has ever been instrumental in building a safe and secure mobile ecosystem for businesses all over the globe by utilizing its system plus human approach to beat the hackers at their own game. We put together this report so that app developers realize the importance of creating apps with no vulnerabilities,” said Harshit Agarwal, CEO of Appknox.
 
What were the most prominent vulnerabilities detected and why do 75% of India’s top 100 Android apps have security risks?
 

The research found that some of the most prominent Indian apps lag on even the most basic security checks. Some of the critical vulnerabilities detected in these apps included:

79% of the apps were affected by Network Security Misconfiguration: organisations should keep only the minimum information necessary. Had eBay not stored unnecessary information such as dates of birth and addresses, the risk of identity theft after the attack would have been reduced massively.

79% of the apps had disabled SSL CA validation and certificate pinning: certificate pinning is the process of associating a host with its expected X.509 certificate or public key. Once a certificate or public key has been seen for a host, it is associated with, or “pinned” to, that host. Where more than one certificate or public key is acceptable, the advertised identity must match one of the elements in the pin set.
 
78% of the apps lacked sufficient code obfuscation: Java source code is typically compiled into Java bytecode, the instruction set of the Java virtual machine. Compiled Java bytecode can easily be reverse-engineered back into source code with freely available decompilers.

Bytecode obfuscation is the process of modifying Java bytecode (executable or library) so that it is much harder for an attacker to read and understand while remaining fully functional. Insufficient obfuscation may allow threat actors to decompile or reverse-engineer the code.
 
42% of the apps had Insufficient Transport Layer Protection: these issues arise when data is sent from the mobile app to the server over unsecured channels. Whether the data is transmitted through the carrier network or Wi-Fi, it will traverse the Internet before it reaches the remote server.
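As an added illustration, not taken from the Appknox report or from any of the apps it tested, the Android network security configuration below shows the weak settings behind three of the findings above (network security misconfiguration, cleartext transport and missing certificate pinning) beside their corrected form. The host name, the pin digests and the expiration date are placeholders to be replaced with your own API host and the base64-encoded SHA-256 digests of its leaf or intermediate public keys.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (hardened form).
     Added illustration; host names, pin values and the expiration date are
     placeholders, not values from the report. -->
<network-security-config>

    <!-- Weak baseline this file replaces (do not ship):

         <base-config cleartextTrafficPermitted="true">
             <trust-anchors>
                 <certificates src="system" />
                 <certificates src="user" />
             </trust-anchors>
         </base-config>

         cleartextTrafficPermitted="true" lets app data leave the device over
         plain HTTP (insufficient transport layer protection). Trusting
         user-installed CAs in release builds, with no pin-set at all, is what
         the "disabled CA validation and certificate pinning" finding
         describes: any CA added on the device can vouch for the API host. -->

    <!-- Corrected default for every host the app talks to: TLS only, and
         only the platform's system trust store is accepted. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Pin the API host to its expected public keys. Two pins are listed,
         so the identity the server presents must match one element of the
         pin set; the second (backup) pin keeps key rotation from causing an
         outage. Each value is the base64 SHA-256 digest of a SubjectPublicKeyInfo. -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2026-01-01">
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_SPKI_SHA256_BASE64=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_SPKI_SHA256_BASE64=</pin>
        </pin-set>
    </domain-config>

    <!-- Applies only when android:debuggable is true: lets a developer
         inspect traffic with a locally installed CA without weakening the
         release configuration above. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

</network-security-config>
```

The file takes effect once the manifest's `<application>` element references it with `android:networkSecurityConfig="@xml/network_security_config"`. A pin value for a given certificate can be computed with `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64`. Pinning with an `expiration` date means that, after that date, the pins are ignored and ordinary CA validation applies, which is the intended fail-safe against an app stranded by an expired pin set; it still needs to be refreshed before the date passes.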

