Every day in Bosnia and Herzegovina, more and more users rely on mobile applications in everyday life. Far less attention is paid to the security of those applications.
The problem
Data leaks, identity theft, and money embezzlement are just some of the security vulnerabilities that occur on a daily basis. The goal of Klika Research is to get a complete picture of the security of mobile applications used in Bosnia and Herzegovina.
The number of mobile phone users in Bosnia and Herzegovina is constantly growing. According to the data from the Agency for Statistics of Bosnia and Herzegovina from 2017 (presented in the report “Telecommunication Equipment, Networks and Services, BiH, 2017”), there were more mobile devices than inhabitants in Bosnia and Herzegovina – 3.5 million. In addition, the number of mobile internet users is growing by the day – 1.5 million (according to the 2017 report).
The Klika team working on application security (Klika Security Sense) has conducted a survey of the current state of the market for mobile applications intended for users in Bosnia and Herzegovina. The research covered about 100 mobile applications from several categories: Finance, Food, Government, Media, News, Online Shopping, Sports and Transportation.
Findings
The survey results showed that most applications did not meet basic security standards - the average score was 40 out of 100 points and the average CVSS score was 5.4 (which falls in the medium risk category).
Keep in mind that applications that do not have any security vulnerabilities have 100 points, while for each vulnerability, depending on its severity, this number is reduced by a certain number of points. In particular, the applications from the financial sector performed poorly - if only native mobile applications are taken into account, the financial sector has a score of 24 out of 100.
During the analysis, we noticed that most applications have at least some security vulnerabilities, while the most common vulnerabilities were:
• Leakage of sensitive information – PII (Personally Identifiable Information) can often be found in logs;
• Susceptibility to phishing attacks - The ability to present other applications / systems as genuine, thus accessing data that should be protected;
• Man in the Middle Attack - With this type of attack, simple network proxies can access data that an application sends and/or receives over a network (even if it uses the https security protocol);
• Mobile malware - The ability for other applications to access or interact with the data of the original application without the user’s knowledge;
• Financial fraud - Misuse of a part of the application as a starting point for social engineering to obtain financial gain;
• Repackaging and cloning - Applications can be decompiled, modified (e.g. to add new behavior) and published on non-standard app stores;
• Insufficient data encryption - Modern applications often store data in some form of local database, and very often such data is poorly or not at all protected.
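The first finding above, PII written to application logs, is the one most easily checked for automatically. The following Python script is an added example and is not part of the Klika report or its tooling: it scans a handful of constructed Android logcat-style lines for e-mail addresses, phone numbers, Luhn-valid card numbers and JWT-like tokens, and shows how such values can be redacted before a line is written out. The sample lines, patterns, helper names and the bracketed placeholder format are all assumptions made for this example.

```python
"""Scan application log lines for leaked PII and redact it (added example, not Klika's code)."""
import re
from typing import Callable, Dict, Iterable, List

# Constructed sample log lines in Android logcat style; none of this is real data.
SAMPLE_LOG_LINES = [
    "D/LoginActivity: user=amir.h@example.com logged in",
    "I/PaymentApi: charging card 4111 1111 1111 1111 exp 12/27",
    "V/Profile: phone +387 61 123 456 saved",
    "D/Net: GET /api/v1/balance 200 OK (143 ms)",
    "D/Auth: token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.abcdef0123456789abcdef",
    "I/Crash: order id 1234567 not found",
]

# Detection patterns (assumed for this example; tune them to the app's own data formats).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")            # 13-19 digits, spaces/dashes allowed
PHONE_RE = re.compile(r"\+\d{1,3}(?:[ -]?\d){6,12}\b")       # international format with country code
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b")  # base64url header 'eyJ'


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from order ids and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _strip_separators(value: str) -> str:
    return re.sub(r"[ -]", "", value)


def scan_line(line: str) -> List[str]:
    """Return the kinds of PII found in one log line, in a fixed order."""
    kinds: List[str] = []
    if EMAIL_RE.search(line):
        kinds.append("email")
    if any(luhn_valid(_strip_separators(m.group())) for m in CARD_RE.finditer(line)):
        kinds.append("card")
    if PHONE_RE.search(line):
        kinds.append("phone")
    if JWT_RE.search(line):
        kinds.append("token")
    return kinds


def scan_log(lines: Iterable[str]) -> Dict[int, List[str]]:
    """Map line index -> PII kinds for every line that leaks something."""
    findings: Dict[int, List[str]] = {}
    for index, line in enumerate(lines):
        kinds = scan_line(line)
        if kinds:
            findings[index] = kinds
    return findings


def redact_line(line: str) -> str:
    """Replace PII with placeholders; card numbers keep only their last four digits."""
    line = EMAIL_RE.sub("[EMAIL]", line)
    line = JWT_RE.sub("[TOKEN]", line)
    line = PHONE_RE.sub("[PHONE]", line)

    def _card(match: "re.Match[str]") -> str:
        digits = _strip_separators(match.group())
        # Only Luhn-valid runs are treated as cards, so plain ids stay readable.
        return f"[CARD ****{digits[-4:]}]" if luhn_valid(digits) else match.group()

    return CARD_RE.sub(_card, line)


def safe_log(line: str, sink: Callable[[str], None] = print) -> str:
    """Wrapper an app would route its logging through: redact first, then emit."""
    cleaned = redact_line(line)
    sink(cleaned)
    return cleaned


if __name__ == "__main__":
    for idx, kinds in scan_log(SAMPLE_LOG_LINES).items():
        print(f"line {idx}: leaks {', '.join(kinds)}")
    for raw in SAMPLE_LOG_LINES:
        safe_log(raw)
```

Run as a script it first reports which sample lines leak which kind of data, then prints the same lines after redaction. The Luhn check is what keeps the card pattern useful: without it, every 13-19 digit identifier would be flagged and the scanner would drown in false positives, which is the usual reason such checks get switched off in practice.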
It turned out that the most common target of cyber criminals is the financial sector. In the past 12 months (year 2020), we have witnessed an increase in attacks on the banking sector in Bosnia and Herzegovina, ranging from DDoS attacks and card theft to highly sophisticated attacks on ATM networks.