Veracode finds Android developers building insecure apps

Some 80 per cent of applications are still not secure enough, and coding errors potentially render nearly half of all Android apps insecure, according to the latest report from application risk management firm Veracode.

The fourth volume of the vendor's State of Software Security Report covered nearly 10,000 apps - double the number in previous volumes - and applied much more rigorous analysis criteria.

Around eight out of 10 apps failed to meet acceptable standards, according to the report, which found cross-site scripting flaws in 68 per cent of all web apps and SQL injection vulnerabilities in a third.

The report also covered mobile applications for the first time in response to the trend towards IT consumerisation in the workplace, and found that developers in this area make similar coding mistakes to their enterprise app counterparts.

Over 40 per cent of the Android apps analysed featured hard-coded cryptographic keys, effectively rendering obsolete any security mechanisms which depend on the secrecy of such keys.

Hackers can easily reverse engineer an app by copying the executable from their phone, making it all the more important not to embed information like this into the application. Android apps are particularly easy to decompile, according to the report.

Only 17 per cent of all non-Android Java apps had at least one instance of hard-coded cryptographic keys, the report found.

"The findings are depressingly familiar to those that we've seen in web applications, particularly with the use of hard-coded cryptographic keys," Veracode EMEA vice president Matt Peachey told V3.

"Given the unique mix of personal information and access to corporate systems available on modern smartphones, it's important that the applications themselves don't provide hackers with easy access."