Third of Hong Kong apps vulnerable to hack attacks as watchdog calls for urgent security improvements

PUBLISHED: Tuesday, 15 September, 2015, 7:00am
UPDATED: Tuesday, 15 September, 2015, 11:09am

A Hong Kong watchdog has warned local app developers to boost security after a third of commonly used apps were found to have insufficient encryption or to be vulnerable to hacking attacks.

A study of 130 Hong Kong apps, which included cinema ticket booking and mobile banking services, by the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT), found 34 per cent of services did not apply standard security technology such as SSL certificates.

“If a mobile app does not validate the digital certificate, fraudsters can set up a fake wi-fi access point and use fake certificates to seize and modify the data transmitted,” said Eric Fan, chairperson of the Professional Information Security Association, which jointly ran the study with HKCERT.

“This will inflict serious data and financial losses on app users.”

The study recommended that developers apply SSL certificates, which allow sensitive information including credit card numbers to be transmitted securely, and that they validate digital certificates for transactions made through the mobile-based services.

Digital wallets and mobile banking apps were found to have the strongest security, with 87 per cent ranked as “secure” and “most secure.”

In comparison, financial securities and online shopping or travel booking apps had the weakest security level and were classed by the study as “vulnerable” or “serious,” meaning they had no encryption.

App users were warned to avoid transmitting sensitive data using public wi-fi networks.

In July, researchers for cybersecurity firm F-Secure set up free public wi-fi hotspots in six places throughout the city to test the public's security awareness surrounding public wireless networks.

In 60 minutes, more than 1,200 devices, mainly smartphones, were detected by the networks. Over 50 per cent of those devices connected to a hotspot, either deliberately or without their owner's knowledge through an "auto-join" feature.