Mobile application assessment by the numbers: a holistic view
Abstract
In addition to exposure from their web applications, organizations are realizing that their expanding portfolio of mobile applications also provides an avenue of attack for malicious actors. The challenge is that mobile applications are often more complicated than their web-based counterparts: they have code that runs on untrusted user devices, code running on corporate web services, and often also rely on untrusted third-party web services. Testing these applications is also challenging: given the array of available static and dynamic scanners, as well as a variety of manual testing options, what sort of testing needs to be done to achieve an acceptable level of coverage? We looked at the data from a number of mobile application security assessments and conducted an analysis. The goal was to answer questions such as: What types of vulnerabilities are most common in mobile applications? In which component (mobile device code, corporate web services, or third-party web services) are the most serious vulnerabilities found in mobile application systems? What type of testing (static versus dynamic, and automated versus manual) found the greatest number and the most serious vulnerabilities?