Expert testing of iOS and Android mobile applications shows that insecure data storage is the most common security flaw in mobile apps.

Positive Technologies’ yearly report, Vulnerabilities and Threats in Mobile Applications 2019, found that critical vulnerabilities are slightly more common in Android applications than in their iOS counterparts (43% vs. 38%). The experts categorize this difference as minimal: the security level of mobile apps is roughly equivalent between the two platforms.

Insecure data storage was identified as the most common vulnerability. This flaw is found in 76 percent of mobile apps and in some cases could enable hackers to steal passwords, financial information, personal data, and correspondence.

Of the vulnerabilities found, 89 percent could be exploited by malware. The risk of infection jumps on rooted and jailbroken devices, but malware can also elevate privileges by itself. Once on the victim’s device, malware can ask for permission to access user data and, if permission is granted, the malware can send data to the attackers.

“In 2018, mobile apps were downloaded onto user devices over 205 billion times. Developers pay painstaking attention to software design in order to give us a smooth and convenient experience and people gladly install mobile apps and provide personal information. However, an alarming number of apps are critically insecure, and far less developer attention is spent on solving that issue. Stealing data from a smartphone usually doesn’t even require physical access to the device,” said Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies.

“We recommend that users take a close look when applications request access to phone functions or data. If you doubt that an application needs access to perform its job correctly, decline the request. Users can also protect themselves by being vigilant about not opening unknown links in SMS and chat apps, and not downloading apps from third-party app stores. It’s better to be safe than sorry,” Galloway concluded.

As shown by the research, the server side of applications (hosted by the developer and responsible for storing, processing, and synchronizing information) is just as weak as the client side: 43 percent of server-side components have a poor or extremely poor protection level. One third (33%) contain critical vulnerabilities. The most common high-severity vulnerabilities on the server side include insufficient authorization and information leakage.