May 19, 2025

89% of mobile applications contain critical vulnerabilities

Cybersecurity experts discovered almost 30 thousand vulnerabilities in mobile applications popular in Russia, while the number of critical threats increased fourfold over the year. Developers continue, for example, to store passwords in plaintext and to ignore basic rules of data protection.

“Kommersant” has reviewed the results of the annual mobile application security study by Appsec Solutions. The sample included more than 1.6 thousand applications, many of them among the top 100 by user downloads in 18 thematic categories on the Android platform. The study's authors found that 88.6% of the applications contain vulnerabilities of “critical” or “high” severity, which indicates a growing risk of attacks on mobile applications.

Moreover, whereas in 2023 the Appsec Solutions experts identified 41.5 thousand vulnerabilities, in 2024 the figure was slightly under 30 thousand. The level of danger, however, rose: the number of critical vulnerabilities in 2024 was 83 versus 22 in 2023 (see infographic).

Applications in the “Medical Services” category led in the total number of problems identified in 2024, but most of those problems are not critical.

In second place is “Digital Services”, which includes applications of telecom operators, postal services, and platforms for webinars and conference services. “Because of the variety in this category, there are many applications where the developers took security rather lightly, leaving a lot of shortcomings,” Appsec Solutions noted. Critical vulnerabilities are most often found in banking applications.

As the main sources of errors in mobile application development, information security specialists point primarily to memory leaks and data conversion errors. Architectural and logic errors (errors in algorithms) are also common. Aleksey Rybalko, an expert on container development protection at Kaspersky Lab, notes that not every error leads to a vulnerability, but the more errors there are in the software, the higher the likelihood that some of them will turn out to be critical.

Vulnerabilities can lead to a breach of the confidentiality, integrity, and availability of a service, says Evgeny Yanov, head of the Audit and Consulting Department of Audit and Consulting. In particular, vulnerabilities that are not fixed in time can lead to unauthorized access to confidential information, use of the application for attacks on its users, and loss of their money. “Despite the seriousness of the consequences that companies regularly face, developers continue to store sensitive data, such as passwords and identifiers, in plaintext,” says Appsec Solutions.

Over the year the number of vulnerabilities in mobile applications may decrease, but the risks associated with protecting code from reverse engineering are growing steadily, adds Positive Technologies, citing OWASP (the Open Web Application Security Project).

Reverse engineering is a mandatory stage of any attack on a mobile application.

Among the latest high-profile cases, experts point to an incident involving a zero-click vulnerability (exploited without any user interaction) in WhatsApp. If one adds attacks on users via malicious clones, modified applications with advertising disabled, or pirated versions of paid applications, “we are still seeing only the tip of the iceberg,” added Nikolai Anisnya, head of PT MAZE at Positive Technologies.

Philip Krupanin
