More than 80 percent of mobile devices have encryption flaws, while applications written in any of a trio of scripting languages (PHP, ColdFusion and Classic ASP) are more likely to have serious flaws.
Developers have botched encryption in seven out of eight Android apps and 80 percent of iOS apps, according to Veracode's State of Software Security report.
http://www.eweek.com/security/more-than-80-of-mobile-apps-have-encryption-flaws-study-finds.html
Craig Young, Security Researcher at Tripwire: “SSL implementation flaws are incredibly prevalent in mobile apps and present grave risks due to the tendency of these devices to use untrusted wireless networks. I believe that a common source of this problem is that developers add logic to specifically disable certain SSL features (namely certificate validation) so that the app can be tested internally without spending money on certificates issued by trusted authorities. This is fine unless the code to bypass certificate checks is not removed before releasing the app for distribution. In my testing, I have identified apps sending everything from phone numbers and email addresses to GMail and other credentials without validating the remote server certificate.
SSL implementation failures can also extend beyond exposed information by allowing network-level adversaries to inject malicious content into vulnerable applications. This can be a powerful infection vector as JavaScript running within an app may not always be bound to the same restrictions as it would within a browser due to variations on how the same origin policy is applied.”
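
The failure mode described in the quote above, test-only code that disables certificate validation and then ships in a release, can be checked for before distribution. The following is an added example, not code from the Veracode report, eWeek or Tripwire: a small Python source scan for a few well-known bypass patterns, in which the rule labels, the choice of rules and the sample Java are constructed for illustration.

```python
import re

# Illustrative rule set, not exhaustive. The API identifiers are real
# Java/Android and iOS names; the rule labels are this example's own.
RULES = [
    ("empty-trust-manager", re.compile(
        r"void\s+checkServerTrusted\s*\([^)]*\)\s*"
        r"(?:throws\s+[\w.,\s]+?)?\{\s*\}")),
    ("hostname-verifier-always-true", re.compile(
        r"boolean\s+verify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)"
        r"\s*\{\s*return\s+true\s*;\s*\}")),
    ("allow-all-hostname-verifier", re.compile(
        r"ALLOW_ALL_HOSTNAME_VERIFIER|AllowAllHostnameVerifier")),
    ("webview-ignores-ssl-error", re.compile(
        r"onReceivedSslError\s*\([^)]*\)\s*\{[^}]*\.proceed\s*\(\s*\)")),
    ("ios-accept-any-cert", re.compile(
        r"allowsAnyHTTPSCertificateForHost"
        r"|allowInvalidCertificates\s*=\s*(?:YES|true)")),
]

# Match string literals first so "//" inside a URL is not taken as a comment.
_TOKEN = re.compile(r'"(?:\\.|[^"\\\n])*"|//[^\n]*|/\*.*?\*/', re.S)

def strip_comments(src):
    """Blank out comments but keep newlines, so line numbers stay correct."""
    def repl(m):
        text = m.group(0)
        return text if text.startswith('"') else "\n" * text.count("\n")
    return _TOKEN.sub(repl, src)

def scan(source, path="<memory>"):
    """Return (path, line, rule) findings for one source file, by line."""
    clean = strip_comments(source)
    hits = [(path, clean.count("\n", 0, m.start()) + 1, name)
            for name, rx in RULES for m in rx.finditer(clean)]
    return sorted(hits, key=lambda h: h[1])

# Constructed sample: a test-only trust manager left in a release build.
SAMPLE_BAD = '''\
class DebugTrust implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] c, String a)
            throws CertificateException {
        // accept everything so the self-signed staging cert works
    }
}
HostnameVerifier v = new HostnameVerifier() {
    public boolean verify(String host, SSLSession s) { return true; }
};
'''
```

Calling `scan(SAMPLE_BAD, "DebugTrust.java")` reports the empty `checkServerTrusted` on line 2 and the always-true `verify` on line 8. Pattern matching of this kind misses indirect or obfuscated bypasses, so it complements, rather than replaces, testing the built app against a server presenting an untrusted certificate.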