The use of apps in enterprises requires a critical consideration of the risks. Fraunhofer SIT has published results of automated Appicaptor analyses for the Top 2,000 free iOS and Android apps.
Blacklisted apps per category: for each of the selected function classes, the bars show the proportion of apps falling into each of the three risk classes.
Appicaptor Security Index, September 2018
When assessing fitness for corporate use, it is not very surprising that apps which process corporate data are quite critical. In particular, the functional class of file manager apps shows a significant usage risk, with 73% of iOS apps classified as unsuitable for corporate use (see figure). On Android the share is even higher, at 86%. On both platforms the reasons for blacklisting are a very high proportion of IT security weaknesses and privacy-relevant risks.
The report also presents new test insights into the security characteristics of apps using the iOS MultipeerConnectivity API. This API allows developers to easily implement a direct exchange of data between devices over wireless communication. The exchange can be both authenticated and encrypted, but only if the developer enables the corresponding options.
Poor or missing cryptography: company data is endangered during peer-to-peer transmission by the lack of encryption and authentication. Demonstrated here with AirDroid for iOS (version 1.0.3).
The Appicaptor analyses show that 40% of the iOS apps with this functionality neither encrypt the transmission nor authenticate the communication partners. As the example of the AirDroid iOS app (version 1.0.3) illustrates, an attacker can passively read such transmissions. For a further 20% of the iOS apps with this functionality the transmission is at least encrypted, but the authenticity of the communication partner is not checked, so an active man-in-the-middle attack remains possible.
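The three configurations the report distinguishes map directly onto two MultipeerConnectivity parameters: the `encryptionPreference` passed to `MCSession`, and whether the app supplies a `securityIdentity` and checks the peer's certificate in the `didReceiveCertificate` delegate callback. The following Swift is an added illustration written for this page; it is not Appicaptor or AirDroid code. The helper names (`PeerSessionDelegate`, `makeUnprotectedSession`, `makeEncryptedOnlySession`, `makeAuthenticatedSession`) and the assumption that the caller already holds a `SecIdentity` and a set of trusted peer certificates are this example's own.

```swift
import Foundation
import MultipeerConnectivity
import Security

/// Decision applied to the certificate chain a remote peer presents.
/// Returning `true` without looking at the chain is what leaves a session
/// open to impersonation even when the link itself is encrypted.
typealias CertificatePolicy = (_ chain: [Any]?) -> Bool

/// Minimal MCSessionDelegate (hypothetical name) whose only security-relevant
/// behaviour is the certificate policy it is constructed with.
final class PeerSessionDelegate: NSObject, MCSessionDelegate {
    private let policy: CertificatePolicy
    init(policy: @escaping CertificatePolicy) { self.policy = policy }

    // Invoked once per remote peer before the connection is established.
    func session(_ session: MCSession, didReceiveCertificate certificate: [Any]?,
                 fromPeer peerID: MCPeerID, certificateHandler: @escaping (Bool) -> Void) {
        certificateHandler(policy(certificate))
    }

    // Remaining protocol requirements; payload handling is out of scope here.
    func session(_ session: MCSession, peer peerID: MCPeerID, didChange state: MCSessionState) {}
    func session(_ session: MCSession, didReceive data: Data, fromPeer peerID: MCPeerID) {}
    func session(_ session: MCSession, didReceive stream: InputStream, withName streamName: String,
                 fromPeer peerID: MCPeerID) {}
    func session(_ session: MCSession, didStartReceivingResourceWithName resourceName: String,
                 fromPeer peerID: MCPeerID, with progress: Progress) {}
    func session(_ session: MCSession, didFinishReceivingResourceWithName resourceName: String,
                 fromPeer peerID: MCPeerID, at localURL: URL?, withError error: Error?) {}
}

/// Group 1 in the report (40%): no encryption requested, no identity offered,
/// every peer accepted. A passive observer can read the traffic.
func makeUnprotectedSession(peer: MCPeerID) -> (MCSession, PeerSessionDelegate) {
    let delegate = PeerSessionDelegate(policy: { _ in true })
    let session = MCSession(peer: peer, securityIdentity: nil, encryptionPreference: .none)
    session.delegate = delegate
    return (session, delegate)
}

/// Group 2 in the report (20%): the link is encrypted, but with no identity and a
/// policy that accepts any certificate an active attacker can still sit in the middle.
func makeEncryptedOnlySession(peer: MCPeerID) -> (MCSession, PeerSessionDelegate) {
    let delegate = PeerSessionDelegate(policy: { _ in true })
    let session = MCSession(peer: peer, securityIdentity: nil, encryptionPreference: .required)
    session.delegate = delegate
    return (session, delegate)
}

/// Hardened form: encryption is mandatory, this side presents its own identity,
/// and the remote peer's leaf certificate must match one the app already trusts
/// (DER bytes, e.g. provisioned through the app's own enrolment; assumed here).
func makeAuthenticatedSession(peer: MCPeerID, identity: SecIdentity,
                              trustedLeafCertificates: Set<Data>) -> (MCSession, PeerSessionDelegate) {
    let policy: CertificatePolicy = { chain in
        // A peer that offered no securityIdentity delivers a nil chain: reject it.
        guard let first = chain?.first,
              CFGetTypeID(first as CFTypeRef) == SecCertificateGetTypeID() else { return false }
        let leaf = first as! SecCertificate          // leaf certificate comes first
        let der = SecCertificateCopyData(leaf) as Data
        return trustedLeafCertificates.contains(der)
    }
    let delegate = PeerSessionDelegate(policy: policy)
    let session = MCSession(peer: peer, securityIdentity: [identity], encryptionPreference: .required)
    session.delegate = delegate
    return (session, delegate)
}
```

The delegate object is returned alongside the session because `MCSession.delegate` is a weak reference; if the caller drops it, the certificate callback is never delivered and the policy silently stops applying. Pinning the leaf certificate's DER bytes is the simplest check that makes the peer's identity verifiable; it means certificate rotation requires shipping an updated trusted set, which is the trade-off to weigh against a full chain evaluation with `SecTrust`.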
The experts at Fraunhofer SIT annually compile the Appicaptor Security Index, in which they publish the results of security investigations of the Top 2,000 free iOS and Android apps.
The Appicaptor solution developed by Fraunhofer SIT automatically scans large quantities of iOS and Android apps, examines them for IT security and compliance with information protection requirements, and assesses whether they are suitable for corporate or government use. Appicaptor either works with standard rules or makes recommendations according to individual security requirements. The tests can be automatically repeated weekly so that even changes to frequently updated apps can always be taken into account.