Just like consumers are focusing more on mobile gadgets with each passing year, so are hackers. After all, your smartphone or tablet potentially contains browsing history, banking information, location history, text messages, photos and plenty more hackers can use to steal your identity and money.
Plus, from the hacker's perspective, mobile gadget security isn't as mature as computer security. While gadgets' built-in protections continue to improve, a lot of it relies on keeping malicious apps out of the various app stores. Unfortunately, that doesn't always work so well.
Hackers still slip malicious apps into legitimate app stores. Plus, on Android, which lets you sideload apps from any source, there are plenty of third-party app stores teeming with malicious apps. Hackers can even trick you into installing a malicious app through a link in a text message. Learn how to avoid this attack.
In addition to malicious apps, plenty of legitimate apps have flaws hackers can exploit. Because apps are so easy to make, many app developers have no background in security and never think about it. Or they build on code libraries that already have flaws in them. Android's Stagefright flaw and its siblings are the best-known example: the bugs were in the media library built into Android itself, so every app that handed it a media file, such as the messaging app processing an incoming MMS, was exposed.
So it isn't a surprise that in its Cyber Risk Report for 2016, Hewlett Packard Enterprise found that 75% of the mobile apps it scanned contained a "critical or high-severity" vulnerability. Now, that doesn't automatically mean 75% of apps out there are malicious or you should uninstall three-quarters of the apps on your phone.
In fact, HPE doesn't say whether it scanned only apps from official app stores or included third-party app stores as well. If it was the latter, then many of the apps it scanned probably aren't even in the official app stores.
Either way, before that 75% number makes you panic, it helps to know what HPE means when it says "critical or high-severity vulnerability."
The most common mobile app flaws HPE found are high-severity rather than critical, and they relate to how the app handles data on the device itself: unencrypted storage (75%), failing to detect that the gadget is jailbroken or rooted (72%), misused push notifications (65%), location tracking (54%) and so forth. Those aren't great, but to exploit most of them a hacker already needs the phone in hand or a foothold on it, so HPE doesn't rate them as critical.
The most common "critical-severity vulnerability" HPE found, in 30% of the apps, is "Insecure Transport." That means the app's Internet traffic isn't encrypted at all, or is protected with outdated or weak encryption, including vulnerable crypto libraries such as the OpenSSL versions hit by Heartbleed in 2014.
That could let a hacker on the same network snoop on the data the app sends and receives, tamper with it, or insert their own malicious ads into the app. Banking apps and other major apps usually get this right, but that is a safe bet rather than a guarantee. A VPN helps on public Wi-Fi, but only for the leg between your phone and the VPN server: whatever the app sends unencrypted is still unencrypted once it leaves the VPN. So as long as you're judicious about giving out information and use a VPN on untrusted networks, your risk isn't too high.
The second most common critical flaw is "Privacy Violation" (29%): apps reading more information than they need. You can limit this by paying attention to app permissions. Other critical flaws include apps gathering or holding on to information they shouldn't have, storing data unencrypted, and a "Weak Password Policy," meaning the app accepts passwords that are easy to guess. You can sidestep that last one by always creating a strong password yourself, no matter what the app allows.
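To make "Insecure Transport" concrete, here is an added example (not HPE's scanner and not code from any app) showing the two shapes the flaw takes and how to check for them: endpoints contacted over plain HTTP, and a TLS client configuration that switches certificate verification off so any attacker on the path can impersonate the server. The endpoint list and host names are constructed for the demonstration; the hardened context is the configuration a well-written app's HTTP client should end up with.

```python
import ssl
from urllib.parse import urlsplit

# Constructed sample input: endpoints a hypothetical app was observed
# contacting. The hosts are placeholders, not real services.
SAMPLE_ENDPOINTS = [
    "http://api.example.com/v1/login",        # credentials over cleartext
    "https://api.example.com/v1/account",
    "http://ads.example.net/serve",           # cleartext ad slot: injectable
    "https://cdn.example.com/assets/app.css",
]


def weak_client_context() -> ssl.SSLContext:
    """The 'insecure transport' shape that still looks like HTTPS: TLS is
    negotiated, but the client accepts any certificate, so a network
    attacker can present their own and read or modify everything."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """What an app should use: platform trust store, hostname check,
    and nothing older than TLS 1.2."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def cleartext_endpoints(urls):
    """Return every URL whose traffic would travel without TLS at all."""
    return [u for u in urls if urlsplit(u).scheme.lower() != "https"]


def context_findings(ctx: ssl.SSLContext):
    """Describe what is wrong with a client TLS context; empty list = OK."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("SSL/TLS 1.0/1.1 still allowed")
    return findings


def audit(urls, ctx: ssl.SSLContext):
    """Combine both checks into one report for an app's transport setup."""
    return {
        "cleartext": cleartext_endpoints(urls),
        "tls_config": context_findings(ctx),
    }


if __name__ == "__main__":
    for label, ctx in (("weak", weak_client_context()),
                       ("hardened", hardened_client_context())):
        print(label, audit(SAMPLE_ENDPOINTS, ctx))
```

The cleartext check is what a VPN does not fix: it only moves the point at which those two `http://` requests become readable from your coffee-shop Wi-Fi to the VPN provider's exit. The context check catches the subtler case, where a developer "fixed" a certificate error during testing by disabling verification and shipped it that way.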
A lot of these critical vulnerabilities also show up in regular computer programs, just not at the same rate: HPE found them in 34% of conventional applications versus 75% of mobile apps. HPE's hypothesis is that so many app developers are new to programming that they're making rookie mistakes.
Regardless of the reason, your apps probably aren't as flawless as they should be, and it's a good reminder that computer programs aren't perfect either. That's why it pays to have another line of defense.