Five Mobile App Vulns That Should Scare You

While some organizations and executives may not be fully aware of all the threats to their mobile applications, the risks are real and growing. Vulnerabilities arise from code flaws, encryption errors, unsecured data transmission or data exposure. Attackers are ready to exploit these vulnerabilities to steal data, money and trade secrets and undermine your brand.

Reflecting on some recent high-profile mobile application security breaches helps drive home the dangers of not properly securing your mobile apps. With that in mind, we present a round-up of the top five mobile breaches that have occurred over the past year.

The Curious Case of False Positives in Application Security

Over the past year, data breaches through web, business, and mobile application exploitation have continued to run rampant. In 2018, major household names like Ticketmaster, the United States Postal Service (USPS), Air Canada, and British Airways were hit by application-based exploits. To minimize vulnerabilities — and identify existing ones before they can do this level of damage — application security solutions need to be fast, provide good coverage for capturing all classes of vulnerabilities, and, more importantly, be highly accurate if they are to be useful to DevOps application development teams. Delivering results fast but inaccurately is counter-productive to an efficient and successful application security program: the engineering time spent triaging false positives far outweighs the benefit of the faster results.

Most automated application security testing solutions can scan thousands of applications containing millions of lines of code and produce results containing millions of attack vectors. But every application is different — different functionality, different code, different size, and different complexity — resulting in significantly different security findings with different accuracy. Moreover, picking the single best-scoring application out of many scans and presenting its accuracy as the solution's accuracy is misleading. Even reporting an average would be misleading, because it measures only the limited set of applications that the vendor's solution happened to scan and is therefore not comparable to the accuracy of other solutions.