A new security report from Checkmarx claims that the walled garden that is Apple’s App Store may not be the safe haven it’s hyped up to be. The report specifically claims that iOS apps have a greater percentage of critical or high severity security vulnerabilities when compared to Android apps.
For purposes of the report, a critical vulnerability is defined as one “that exposes a major security risk with a direct exploit (not needing user involvement). If exploited, the security threat might cause major damage to the application and/or have major impact on the company.”
All told, the report argues that the notion of iOS apps being much more secure than Android apps is, at this point, arguably a myth.
CSO highlights a few of the report’s findings as follows:
Of the iOS vulnerabilities, 40 percent were critical or high severity, compared to 36 percent of the Android vulnerabilities, said Amit Ashbel, product marketing manager at Checkmarx.
Researchers tested hundreds of applications of all types, including banking, utilities, retail, gaming and security — and even major banking applications had vulnerabilities such as faulty authentication and data leakage.
“You would expect the financial applications to be a bit more secure, but we’re seeing that more or less they’re all the same,” Ashbel said.
Interestingly enough, the researchers found that the most widespread class of vulnerability centers on apps leaking personal and sensitive consumer information.
Now, to be fair, it’s incredibly easy to fudge numbers with statistics, and it remains unclear if iOS is truly more dangerous than Android. After all, the report seems to focus on percentages rather than raw numbers.
Consider this scenario: suppose the testers found 10 vulnerabilities across App Store apps, 4 of which were rated critical or high severity, yielding the 40% figure Checkmarx cites above. At the same time, imagine they found 100 vulnerabilities across Google Play apps, 36 of which were rated critical or high, yielding the 36% figure. The platform with the lower percentage would still have nine times as many serious flaws in absolute terms. Without the raw counts behind them, the percentages tell us very little about which platform's apps are actually riskier.
Still, we don’t want to summarily dismiss Checkmarx’s findings out of hand, especially in light of reports that a popular app on the App Store had been harvesting Instagram usernames and passwords and sending them off to a remote server. What’s more, the app in question, called InstaAgent, was also posting unauthorized images to users’ accounts without their permission.
The app has since been pulled from the App Store, but not before becoming the top free app in the UK and Canada. The app was also available on Android, but one would think that Apple, with its vetting process, would have spotted the problem child earlier. Even crazier, Google removed the app from the Google Play store before Apple removed it from the App Store.
Again, Apple’s beloved walled garden may not be as pristine as we’ve all been led to believe.