75% of India’s top 100 Android apps are vulnerable: Study

Over 78% of the Top 100 Indian Android apps had a CVSS score greater than 10 - implying a very high vulnerability to critical cybersecurity risks.

Appknox, a mobile security testing platform, recently conducted security research revealing that more than 75% of the top 100 Indian Android apps contained critical security risks, putting sensitive customer and business data at risk. According to the report, titled Evidence-based Insights – India’s Top 100 Android Mobile Apps tested for Cybersecurity, over 78% of the Top 100 Indian Android apps had a CVSS score greater than 10 - implying a very high vulnerability to critical cybersecurity risks.

“Most of these apps had severe network security risks, compromised SSL pinning, and exposed data on shared preferences”, says the study.

According to research by the Data Security Council of India (DSCI), India's cyber security industry nearly quadrupled during the pandemic, with revenues from cyber security goods and services rising from $5.04 billion in 2019 to $9.85 billion in 2021. Rapid digitalisation, more regulatory attention on data and privacy, and growing boardroom understanding of cyber dangers, among other factors, all contributed to the surge. Given the buzz and awareness around cybersecurity, it becomes essential to perform reality checks and analyse where the leading apps in the Indian Android market stand in terms of cybersecurity performance.

The research covered mobile applications built for Android and available in the India region of the Google Play Store. Only Android applications were chosen, to keep the comparison and analysis consistent.

Appknox put all 100 applications through a rigorous automated testing process using Appknox, its mobile app security solution. As part of this security testing process, each application went through 14 different test cases. According to globally accepted security standards, these tests are the basic security checks that every mobile application should ideally go through. They help determine essential parameters such as how the app stores data, how much of it is shared and accessible, whether payments are secure, whether there is a loophole that could lead to data leakage, and more.

CVSS Score | Security Rating | % of Top 100 Indian Apps
0-4        | Low             | 0
4-7        | Medium          | 1%
7-9        | High            | 9%
>9         | Critical        | 90%

What were the Most Prominent Vulnerabilities Detected in these Apps?

The research found that some of the most prominent Indian apps lag on even the most basic security checks. Some of the critical vulnerabilities detected in these apps included:

  • 79% of the apps were affected by network security misconfiguration: Organisations should keep only the minimum information necessary. Had eBay not stored unnecessary information such as dates of birth and addresses, the risk of identity theft after the attack would have been massively reduced.
  • 79% of the apps had disabled SSL CA validation and certificate pinning: Certificate pinning is the process of associating a host with its expected X.509 certificate or public key. When a certificate or public key is seen on a host, it is associated or "pinned" to that host. Where more than one certificate or public key is acceptable, the advertised identity must match one of the elements in the pinset.
  • 78% of the apps lacked sufficient code obfuscation: Java source code is typically compiled into Java bytecode – the instruction set of the Java virtual machine. The compiled Java bytecode can be easily reverse-engineered back into source code by freely available decompilers. Bytecode obfuscation is the process of modifying Java bytecode (executable or library) so that it is much harder for an attacker to read and understand but remains fully functional. Insufficient obfuscation might lead to threat actors decompiling or reverse-engineering the code.
  • 42% of the apps had insufficient transport layer protection: Insufficient transport layer protection issues happen when data is sent from the mobile app to the server over unsecured channels. Whether the data is transmitted through the carrier network or WiFi, it traverses the Internet before it can reach the remote server.
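The first, second and fourth findings above usually trace back to one file: the app's network security configuration. The following checker is an added example written for this article, not code from the Appknox report or its test suite; it parses two constructed sample configs (a weak one beside a hardened one) and flags explicit cleartext traffic, user-installed CAs as trust anchors, missing or malformed pin-sets, a missing backup pin, and an expired pin-set. The host name api.example.com and the pin values are placeholders.

```python
"""Audit an Android network_security_config.xml for the weaknesses listed
above.  Added example for this article, not code from the Appknox report.
Both configs below are constructed samples, not taken from any real app."""
import base64
import datetime as dt
import xml.etree.ElementTree as ET

# Constructed weak config: cleartext HTTP allowed, user-installed CAs trusted
# for app traffic, no pin-set anywhere.
WEAK_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
"""

# Placeholder pins (base64 of 32 constant bytes) so the sample is well formed.
# A real pin is base64(SHA-256(DER-encoded SubjectPublicKeyInfo)) of the leaf
# or an issuing CA, plus a backup pin for a key held in reserve.
PLACEHOLDER_PIN_A = base64.b64encode(bytes([0x00] * 32)).decode()
PLACEHOLDER_PIN_B = base64.b64encode(bytes([0x01] * 32)).decode()

# Constructed hardened config: no cleartext, system CAs only, and a pin-set
# with a backup pin for a hypothetical API host.
HARDENED_CONFIG = f"""<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2030-12-31">
            <pin digest="SHA-256">{PLACEHOLDER_PIN_A}</pin>
            <pin digest="SHA-256">{PLACEHOLDER_PIN_B}</pin>
        </pin-set>
    </domain-config>
</network-security-config>
"""


def _pin_is_well_formed(pin):
    """A pin must use SHA-256 and decode to exactly 32 bytes."""
    if pin.get("digest") != "SHA-256":
        return False
    try:
        return len(base64.b64decode((pin.text or "").strip(), validate=True)) == 32
    except ValueError:
        return False


def audit_network_security_config(xml_text, today=None):
    """Return the sorted list of finding identifiers; an empty list means clean.

    `today` (a date or an ISO date string) is the reference date for pin-set expiry."""
    if today is None:
        today = dt.date.today()
    elif isinstance(today, str):
        today = dt.date.fromisoformat(today)
    root = ET.fromstring(xml_text)
    findings = set()
    for section in root.findall("base-config") + root.findall("domain-config"):
        # Cleartext HTTP is the "insufficient transport layer protection" case.
        if section.get("cleartextTrafficPermitted", "false").lower() == "true":
            findings.add("cleartext-permitted")
        # With src="user", any CA the device owner installs can issue
        # certificates the app will accept, which defeats CA validation.
        for cert in section.findall("trust-anchors/certificates"):
            if cert.get("src") == "user":
                findings.add("user-ca-trusted")
    # debug-overrides only apply to debuggable builds; flagged separately so the
    # reviewer can confirm the release build is not debuggable.
    if root.find("debug-overrides/trust-anchors/certificates[@src='user']") is not None:
        findings.add("debug-user-ca")
    pin_sets = root.findall("domain-config/pin-set")
    if not pin_sets:
        findings.add("no-pin-set")
    for pin_set in pin_sets:
        pins = pin_set.findall("pin")
        if len(pins) < 2:
            findings.add("no-backup-pin")
        if not all(_pin_is_well_formed(p) for p in pins):
            findings.add("malformed-pin")
        expiration = pin_set.get("expiration")
        # Once the expiration date passes, Android stops enforcing the pins.
        if expiration and dt.date.fromisoformat(expiration) <= today:
            findings.add("pin-set-expired")
    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_network_security_config(cfg) or "clean")
```

The checker only flags an explicit cleartextTrafficPermitted="true"; on apps targeting API levels below 28 the absence of the attribute also permits cleartext, so a complete audit pairs this with the manifest's targetSdkVersion. Pins are checked for shape only; whether they match the server's actual key is a question for a TLS handshake against the real host.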

Some mobile app security best practices to mitigate these risks:

Mobile applications must be built to run in a hostile environment where attacks are frequent. Given the widespread vulnerabilities detected in Indian Android apps, it is high time businesses adopted these mobile app security best practices.

Do not hardcode credentials: Mobile app developers are frequently seen hardcoding credentials into their apps. These are not the credentials users enter to authenticate themselves; they are the credentials and service secrets the application itself uses to authenticate to the services it depends on, so they ship inside the app package.
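A pre-release check catches most of this before the app package is built. The scanner below is an added example for this article, not code from Appknox; it runs over two constructed sample files (a strings.xml and a Java class with hypothetical paths) and reports three kinds of findings: an AWS access key id shape (the sample uses AWS's own documented example id), a secret-looking identifier assigned a string literal, and any long literal whose character distribution looks random.

```python
"""Pre-release check for credentials hardcoded in an Android project's sources
and resources.  Added example for this article, not code from Appknox.  The
file contents below are constructed samples, not taken from any real app."""
import math
import re

# Identifier containing a word that usually names a secret.
SECRET_NAME = re.compile(r"(?i)\w*(key|secret|passw|token|credential)\w*")
# Shape of an AWS access key id (the sample value is AWS's documented example
# id, not a live credential).
AWS_ACCESS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# Runs that look like tokens: long, no spaces or punctuation.
TOKEN_LIKE = re.compile(r"[A-Za-z0-9_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; random alphanumerics sit near 5-6

# Constructed sample files (paths are hypothetical).
SAMPLE_FILES = {
    "app/src/main/res/values/strings.xml": """<resources>
    <string name="app_name">DemoPay</string>
    <string name="api_base_url">https://api.example.com/</string>
    <string name="payment_gateway_key">k7Qp2vXz9LmR4tYw8nBc3Jh6Fd1Gs5Ae</string>
</resources>
""",
    "app/src/main/java/com/example/demopay/ApiClient.java": """package com.example.demopay;
public class ApiClient {
    private static final String API_KEY = "AKIAIOSFODNN7EXAMPLE";
    private static final String PASSWORD = "hunter2";
    private static final String USER_AGENT = "DemoPay/1.0";
}
""",
}


def shannon_entropy(s):
    """Bits of entropy per character, estimated from the string's own symbol frequencies."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _literals(line, is_xml):
    """String literals on the line: element text for XML, quoted strings otherwise."""
    if is_xml:
        return re.findall(r">([^<>]{6,})<", line)
    return re.findall(r'"([^"]{6,})"', line)


def scan_for_secrets(files):
    """Return sorted (path, line number, reason) findings over a {path: text} mapping."""
    findings = set()
    for path, text in files.items():
        is_xml = path.endswith(".xml")
        for lineno, line in enumerate(text.splitlines(), start=1):
            if AWS_ACCESS_KEY_ID.search(line):
                findings.add((path, lineno, "aws-access-key-id"))
            # A secret-looking name assigned a literal value, e.g. API_KEY = "..."
            if SECRET_NAME.search(line) and _literals(line, is_xml):
                findings.add((path, lineno, "secret-named-literal"))
            # A literal that looks random, whatever it is called.
            for token in TOKEN_LIKE.findall(line):
                if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                    findings.add((path, lineno, "high-entropy-literal"))
    return sorted(findings)


if __name__ == "__main__":
    for path, lineno, reason in scan_for_secrets(SAMPLE_FILES):
        print(f"{path}:{lineno}: {reason}")
```

The entropy rule is deliberately restricted to unbroken alphanumeric runs so that URLs and prose do not trip it, and the name rule fires on low-entropy values such as "hunter2" that the entropy rule would miss. Anything flagged belongs in a server-side secret store or is issued to the app at runtime after the user authenticates, not in the package.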

Reduce app permissions: Permissions empower apps, but this also creates many risks. Unnecessary permissions, even in a legitimate app, can result in causing privacy and compliance hazards and become a target for attackers.
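The practical form of this advice is a list of permissions the product can justify, checked against what the manifest actually requests. The following is an added example for this article, not code from Appknox: it parses a constructed manifest for a hypothetical payments app, compares its uses-permission entries with a constructed allowlist, separates the unjustified dangerous (runtime) permissions from the rest, and also reports whether the application element is marked debuggable. The permission names are real Android ones; the list of dangerous permissions is a subset for illustration.

```python
"""Check an Android manifest's requested permissions against the set the
app is documented to need.  Added example for this article, not code from
Appknox; the manifest and the allowlist are constructed samples."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Runtime ("dangerous") permissions that expose user data or sensors.  These
# are real Android permission names; the set is a subset, not exhaustive.
DANGEROUS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Constructed sample manifest for a hypothetical payments app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demopay">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.READ_SMS" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"
        android:maxSdkVersion="28" />
    <application android:label="DemoPay" android:debuggable="true" />
</manifest>
"""

# What the product actually needs, with the reason recorded so reviewers can
# challenge it (constructed).
JUSTIFIED = {
    "android.permission.INTERNET": "talks to the payment API",
    "android.permission.CAMERA": "scans QR codes at checkout",
}


def requested_permissions(manifest_xml):
    """Set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def is_debuggable(manifest_xml):
    """True when <application android:debuggable="true"> is present."""
    app = ET.fromstring(manifest_xml).find("application")
    return app is not None and app.get(ANDROID_NS + "debuggable", "false").lower() == "true"


def audit_permissions(manifest_xml, justified):
    """Permissions requested but not justified, split by whether Android
    classifies them as dangerous, plus the debuggable flag."""
    unjustified = requested_permissions(manifest_xml) - set(justified)
    return {
        "unjustified_dangerous": sorted(unjustified & DANGEROUS),
        "unjustified_other": sorted(unjustified - DANGEROUS),
        "debuggable": is_debuggable(manifest_xml),
    }


if __name__ == "__main__":
    for key, value in audit_permissions(SAMPLE_MANIFEST, JUSTIFIED).items():
        print(f"{key}: {value}")
```

Run in CI against the merged manifest (libraries add their own uses-permission entries, so the source manifest alone understates what the app requests), a non-empty unjustified_dangerous list or a debuggable release build fails the build until either the permission is removed or the allowlist is updated with a reason.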

Certificate pinning should be used wherever possible: Mobile applications connect from unsecured networks most of the time, rather than from within a protected network, simply because they are used on the go. One of the best techniques to counter attacks such as man-in-the-middle attacks over these networks is certificate pinning.

Switch to automated mobile application security testing: Enterprises should conduct regular security testing on the application to find vulnerabilities before release and to enforce coding practices that are secure as well as good.

Maintain compliance with standards and regulations: Ensure your app complies with the leading industry standards such as OWASP (Open Web Application Security Project), PCI DSS (Payment Card Industry Data Security Standard), GDPR (General Data Protection Regulation), and ISO 27001. This enhances the security readiness of your app and strengthens trust among your customers.

Upgrade to DevSecOps: DevSecOps lets you address security issues from the very start of development, so that each issue that poses a potential risk is dealt with at little cost. This can also become your business's competitive advantage, through faster time to market and uninterrupted business activity.
