An audit of the security of IoT mobile applications available on official stores has found that tech to safeguard the world of connected things remains outstandingly mediocre.
Pradeo Security put a representative sample of 100 iOS and Android applications developed to manage connected objects (heaters, lights, door-locks, baby monitors, CCTV etc) through their paces.
Researchers at the mobile security firm found that around one in seven (15 per cent) applications sourced from the Google Play and Apple App Store were vulnerable to takeover. Hijacking was a risk because these apps were discovered to be defenceless against bugs that might lend themselves to man-in-the-middle attacks.
Four in five of the tested applications carry vulnerabilities, with an average of 15 per application.
Around one in 12 (8 per cent) of applications phoned home or otherwise connected to uncertified servers. “Among these, some [certificates] have expired and are available for sale. Anyone buying them could access all the data they receive,” Pradeo warns.
Pradeo’s team also discovered that the vast majority of the apps leaked the data they processed. Failings in this area were many and varied.
- Application file content: 81 per cent of applications
- Hardware information (device manufacturer, commercial name, battery status…): 73 per cent
- Device information (OS version number…): 73 per cent
- Temporary files: 38 per cent
- Phone network information (service provider, country code…): 27 per cent
- Video and audio records: 19 per cent
- Files coming from app static data: 19 per cent
- Geolocation: 12 per cent
- Network information (IP address, 2D address, Wi-Fi connection state): 12 per cent
- Device identifiers (IMEI): 8 per cent
Pradeo Security said it had notified the vendors involved about the security problems it uncovered in their kit. ®