Application Security Struggles With Bug Bounties and Mobile Back Ends

By: Jeff Bertolucci


Mobile application security is facing a barrage of challenges: Bug bounty fatigue continues unabated, mobile back ends are the Achilles heel of enterprise IT, and the web interfaces of Internet of Things (IoT) devices have major security flaws.

These are just a few of the key issues highlighted in a new report from High-Tech Bridge. Released at the Infosecurity Europe 2017 conference in London, the study explores app security trends for the first two quarters of 2017. As reported by Help Net Security, statistical data referenced in the study comes mostly from the ImmuniWeb application security testing platform, High-Tech Bridge’s web security services and various open data sources.

Bounty Hunters Aren’t Hunting

Bug bounty efforts aren’t delivering much return on investment anymore, according to the High-Tech Bridge report. Nine of 10 web applications in a public or private bug bounty program — specifically, those running a year or longer — contained at least two high-risk vulnerabilities that security testers missed, the study found.

Much of the problem stems from how bug bounty programs are set up. Security researchers are paid by result — and only if they announce a vulnerability before someone else. As a result, they tend to focus their efforts on new bounty programs, finding easy-to-spot weaknesses and ignoring harder-to-detect issues.

That’s changing, though, as security researchers are forgoing bug bounty programs and instead seeking full-time jobs and a steady paycheck in the industry.

“Google’s Project Zero Prize, ending without a single valid submission, is a good example that no researchers are motivated to spend endless nights on complicated vulnerabilities and exploitation techniques, without a solid assurance of payment,” Help Net Security notes.

Mobile Back Ends Are Trouble

An eyebrow-raising 83 percent of mobile apps within the banking, financial and retail sectors have a mobile back end that’s vulnerable to at least one major security threat, the report found. The most common issue is insufficient-authorization vulnerabilities, in which an app doesn’t perform adequate checks to ensure the user is accessing data or performing a function that complies with the security policy.

But there’s also good news on the app front: The security risks of mobile apps are greatly exaggerated. The study found 95 percent of vulnerabilities in mobile application code aren’t easy to exploit and therefore don’t pose a significant risk.

The most common mobile app flaw, at least in the banking, financial and retail sectors, is clear-text storage of sensitive or authentication data on a mobile device. Because the information is stored in an unsecured form, cybercriminals could potentially read it. And even if the information is encrypted, certain techniques could determine the type of encryption used and decode the data.

IoT Security: Still Weak

Security experts continue to sound the alarm on IoT ecosystems, warning that many IoT devices use widely known default credentials and weak authentication protocols. IT leaders won’t sleep any easier after reading the High-Tech Bridge report, which found 98 percent of web interfaces and administrative panels of various IoT devices have fundamental security problems, Help Net Security reports.

These flaws include hard-coded and unmodifiable admin credentials, lack of HTTP traffic encryption, outdated software that can’t be updated out of the box and critical interface vulnerabilities.

In short, IoT device manufacturers need to step up their game: They still haven’t grasped that the security of their products is in many ways even more important than their manufacturing quality, Help Net Security notes.



About The Author

Jeff Bertolucci

News Writer

Jeff Bertolucci is a Los Angeles-based journalist specializing in technology, digital media, and education. His work has appeared in Kiplinger's Personal Finance, InformationWeek, PCWorld, Macworld, The Saturday Evening Post, The Los Angeles Times and many other publications.