Applications are the first vector of attacks on mobile. In the corporate environment, where nearly 100% of the workforce uses a mobile device for work related purpose, applications are endangering data privacy. To ensure apps don’t cause breach, it is necessary to audit them in a way that will provide enough details to draw an accurate conclusion on their security level. To do so, three main angles have to be analyzed: behaviors, network communications and code vulnerabilities. Globally, the thoroughness and accuracy of the audit is important to eliminate false positive.
First, identifying all the behaviors an application is programmed to perform, rather than only looking at the permissions it requests, provides a clear view on what its true intention is. For example, this behavioral analysis enables companies to forbid the usage of some apps that plan to exfiltrate their data, before they do it.
Secondly, when the behavioral analysis shows signs of data sent over the network, which is almost always the case, examining the safety of these communications will determine how easily they can be intercepted.
And to finish, detecting all the vulnerabilities embedded within the code of an application allows to determine whether it will resist to compromise attempts. The vulnerability list used for the detection needs to gather, at least, the biggest global mobile app vulnerability databases for the analysis to be reliable.
This report gathers the results of hundreds of mobile application security audits performed by the Pradeo Security engine. It addresses the most downloaded apps in the following activity sectors: IoT, Shopping, Airline, Bank, Gaming, Tool, Health, and features: