Applications written for iOS devices have more vulnerabilities than those written for Androids

Applications written for iOS devices have more vulnerabilities than those written for Androids, and this has the potential for security problems in the future as attackers move to application-based threat vectors.

According to a new report from mobile application security vendors Checkmarx and AppSec Labs, the average mobile app has nine vulnerabilities.

Of the iOS vulnerabilities, 40 percent were critical or high severity, compared to 36 percent of the Android vulnerabilities, said Amit Ashbel, product marketing manager at Checkmarx.

Researchers tested hundreds of applications of all types, including banking, utilities, retail, gaming and security — and even major banking applications had vulnerabilities such as faulty authentication and data leakage. “You would expect the financial applications to be a bit more secure, but we’re seeing that more or less they’re all the same,” Ashbel said.

The most common vulnerability, which accounted for 27 percent of all vulnerabilities found, was leakage of personal or sensitive information. Authentication and authorization problems were in second place at 23 percent, followed by configuration management at 16 percent. Other vulnerabilities included availability, cryptography weaknesses, disclosure of technical information such as application logs, and input validation handling. Authentication and authorization vulnerabilities were also the riskiest, with 60 percent of these vulnerabilities ranked as critical or high severity.

There’s a common assumption that iOS devices are more secure than Android devices, Ashbel said.

For example, iOS has more restrictive controls over what developers can do, and tight application sandboxing.
In addition, iOS applications are vetted before they are allowed into the Apple App Store, and removed quickly if problems are found.

Finally, Apple can easily push security updates out to all iOS users, while on the Android side the updates have to be pushed out by individual carriers or manufacturers.

This may be causing developers to put less effort into security when coding applications for that platform, he said. That’s not so much of a problem today, since attackers aren’t — yet — focusing on application-based threat vectors.

“We can compare the mobile world to the PC world 15 years ago,” Ashbel said. “The types of attacks that were launched on PCs and desktops 15 years ago were similar to the attacks launched on iOS and Android today. They’re based on malware and viruses because that was the easiest channel.”

Today, however, 80 percent of attacks against PCs come through vulnerable applications, he said.

“The shift that happened on desktops is also possible on mobile,” he said. For example, today, Android doesn’t have enough validation on apps uploaded to Android app stores.

As security improves in this area, attackers will look for other channels.

“We’re going to see a shift to attacks coming on the application layer,” he said.
“And we’re going to see that iOS is exposed as much as or even more than Android.”