Report: Scripting languages most vulnerable, mobile apps need better crypto

Maria Korolov | Dec. 4, 2015
According to an analysis of over 200,000 applications, PHP is the language with the most vulnerabilities, and mobile apps suffer from cryptography problems.

"If you're building one of those apps, you'll need to educate your developers on doing crypto effectively," said Wysopal.

In particular, 67 percent of mobile applications had insufficient entropy in their cryptographic algorithms, 50 percent had improper validation of certificates, 41 percent stored sensitive information in clear text, and 40 percent used broken or risky cryptographic algorithms.

"A little bit of developer education on these top four things can make a big difference," he said. "A lot of mobile app developers will say, 'Of course we're encrypting the data in transit.' But a lot of times they're not doing it correctly so it can be easily broken. Writing encryption code is not enough, you have to test it and make sure it's done properly."

In other respects, however, Android and iOS apps differed significantly in where they were vulnerable.

For example, 90 percent of Android apps had problems with code quality -- programming errors not directly linked to any of the top vulnerabilities, but which could still cause logic problems or security holes. But only 14 percent of iOS apps had code quality issues.

Meanwhile, 79 percent of Android apps were vulnerable to CRLF injection attacks, where attackers insert extra carriage return and line feed characters into data. But CRLF injection attacks didn't even make the top ten list for iOS vulnerabilities.

Similarly, 84 percent of iOS apps had problems with error handling, but this issue didn't make the top ten list for Android vulnerabilities.

Wysopal suggested that developers use the data in this report so that they know when to pay extra attention to security.

Static and dynamic analysis

There are two basic ways that developers can use automation to find errors in their applications, said Wysopal.

Static analysis simply reads the code and looks for common mistakes.

Dynamic analysis looks at the way that applications actually behave.

"We've heard that developers like dynamic analysis because it's a real, true vulnerability," said Wysopal. "With a static vulnerability, you don't know whether it could actually be exploited in the real world."

However, he said, he was surprised to find out that developers are 28 percent more likely to fix a vulnerability found via static analysis than dynamic analysis.

"I think the reason is that static analysis points to the line of code where the error is," he said. "Dynamic analysis doesn't do that."

 
