Appknox reveals 75% of India’s top 100 Android apps have contained security risks


By VARINDIA - 2022-06-28

Appknox has released a report titled “Evidence-based Insights – India’s Top 100 Android Mobile Apps tested for Cybersecurity”. Over the past few years, our dependence on apps has increased tremendously. Because these apps have access to so much sensitive data, Appknox helps businesses and customers understand the security risk.

 

According to research by the Data Security Council of India (DSCI), India's cyber security industry nearly quadrupled during the pandemic, with revenues from cyber security goods and services rising from $5.04 billion in 2019 to $9.85 billion in 2021. Rapid digitalization, more regulatory attention on data and privacy, and growing boardroom understanding of cyber dangers, among other factors, all contributed to the surge. Given the buzz and awareness for cybersecurity, it becomes essential to perform reality checks and analyse where the Indian Android App market stars stand in terms of cybersecurity performance.

 

In this report, Appknox presents the mobile security assessment of the top 100 Android mobile apps. Here’s why the company chose 100 Indian apps:

 

India is now the #1 country globally regarding the number of apps installed and usage per month (Source: Forbes). With one of the largest user bases and the volume of critical data at risk, it becomes essential to assess the security performance of some of the most popular and trusted Indian apps.

 

Appknox put all the 100 applications through a rigorous automated testing process using Appknox, our mobile app security solution. As a part of this security testing process, each application went through 14 different test cases. According to security standards accepted globally, all these tests are the basic security checks that each mobile application should ideally go through. These checks help determine essential parameters like how data is being stored by the app, how much is shared and accessible, are payments secure, is there a possible loophole that can lead to data leakages, and more.

 

Harshit Agarwal, CEO of Appknox says, “Be it the early birds or the giant Fortune 500 companies, Appknox has ever been instrumental in building a safe and secure mobile ecosystem for businesses all over the globe by utilizing its system plus human approach to beat the hackers at their own game. We put together this report so that app developers realize the importance of creating apps with no vulnerabilities.”

 

What were the Most Prominent Vulnerabilities Detected in these Apps?

 

The research found that some of the most prominent Indian apps lag on even the most basic security checks. Some of the critical vulnerabilities detected in these apps included:

 

1. 79% of the Apps were affected by Network Security Misconfiguration: Organisations should keep the minimum information necessary. If eBay had not stored unnecessary information like dates of birth and addresses, the risk of identity theft after the attack would have been reduced massively.

 

2. 79% of the Apps had Disabled SSL CA Validation and Certificate Pinning: Certificate pinning is the process of associating a host with its expected X509 certificate or public key. When a certificate or public key is seen on a host, it is associated or "pinned" to that host. If more than one certificate or public key is acceptable, the advertised identity must match one of the elements in the pinset.

 

3. 78% of the Apps lacked sufficient code obfuscation: Java source code is typically compiled into Java bytecode – the instruction set of the Java virtual machine. The compiled Java bytecode can be easily reverse-engineered back into source code by freely available decompilers. Bytecode Obfuscation is the process of modifying Java bytecode (executable or library) so that it is much harder to read and understand for a hacker but remains fully functional. Insufficient obfuscation might lead to threat actors decompiling or reverse-engineering the code.

 

4. 42% of the Apps had Insufficient Transport Layer Protection: Insufficient transport layer protection issues happen when data is sent from the mobile app to the server over unsecured channels. Whether the data is transmitted through the carrier network or WiFi, it passes through the Internet before it reaches the remote server.

 

Some Mobile App Security Best Practices to Mitigate these Risks:

 

Mobile applications must be built to run in a hostile environment prone to frequent attacks. Given the widespread vulnerabilities detected in Indian Android apps, it's high time businesses adopted these mobile app security best practices.

 

Do Not Hardcode Credentials: Mobile app developers are frequently seen hardcoding available credentials. Also, rather than waiting for users to authenticate credentials for applications, here credentials and services used by the applications are put to authentication.

 

Reduce App Permissions: Permissions empower apps, but this also creates many risks. Unnecessary permissions, even in a legitimate app, can result in causing privacy and compliance hazards and become a target for attackers.

 

Certificate Pinning Should be Used Wherever Possible: Most of the time, mobile applications connect from unsecured networks rather than from protected web applications, because these apps are always used on the go. One of the best techniques to counter attacks such as man-in-the-middle attacks that can occur over these networks is certificate pinning.
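The network-configuration and pinning findings listed earlier, and the pinning recommendation above, can be checked statically. The following is an added example, not code from Appknox or its report: it assumes the app declares its policy in Android's Network Security Configuration file, and the sample configs, `api.example.com`, the placeholder pin values, the finding codes and the function name are all constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import date

# Constructed weak config (pin values are placeholders, not real digests).
WEAK_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors><certificates src="system"/><certificates src="user"/></trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2020-01-01">
      <pin digest="SHA-256">PLACEHOLDER_PRIMARY_PIN_BASE64=</pin>
    </pin-set>
  </domain-config>
</network-security-config>"""

# Constructed hardened counterpart: HTTPS only, system CAs, primary + backup pin.
HARDENED_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors><certificates src="system"/></trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2099-01-01">
      <pin digest="SHA-256">PLACEHOLDER_PRIMARY_PIN_BASE64=</pin>
      <pin digest="SHA-256">PLACEHOLDER_BACKUP_PIN_BASE64=</pin>
    </pin-set>
  </domain-config>
</network-security-config>"""

def audit_network_security_config(xml_text, today):
    """Return sorted finding codes for one Network Security Config document."""
    root = ET.fromstring(xml_text)
    findings = set()
    if any(n.get("cleartextTrafficPermitted") == "true" for n in root.iter()):
        findings.add("CLEARTEXT_PERMITTED")  # plain HTTP allowed somewhere
    # User-installed CAs trusted outside <debug-overrides> weaken CA validation.
    for section in root:
        if section.tag != "debug-overrides" and any(
                c.get("src") == "user" for c in section.iter("certificates")):
            findings.add("USER_CA_TRUSTED")
    pin_sets = list(root.iter("pin-set"))
    if not pin_sets:
        findings.add("NO_PIN_SET")
    for pin_set in pin_sets:
        if len(pin_set.findall("pin")) < 2:
            findings.add("NO_BACKUP_PIN")  # key rotation would break the app
        if (e := pin_set.get("expiration")) and date.fromisoformat(e) < today:
            findings.add("PIN_SET_EXPIRED")  # Android stops enforcing the pins
    return sorted(findings)
```

Running the audit over every build's config in CI turns the pinset rule (the presented identity must match one of several acceptable pins) into a release gate rather than a one-off review.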

 

Switch to Automated Mobile Application Security Testing: Enterprises should conduct regular security testing on the application to prevent vulnerabilities present in the application and ensure best coding practices that are secure as well.

 

Maintain Compliance With Standards and Regulations: Ensure your app complies with the leading industry standards like OWASP (Open Web Application Security Project), PCI DSS (Payment Card Industry Data Security Standard), GDPR (General Data Protection Regulation), and ISO:27001. This would enhance the security readiness of your app and strengthen the trust among your customers.

 

Upgrade to DevSecOps: DevSecOps lets you address security issues right from the get-go with little to no effort in addressing every security issue that causes potential risks. This could also be your business's potential competitive advantage for faster time to market and uninterrupted business activities.
