It’s no secret that mobile apps are well on their way to capturing the lion’s share of consumers’ attention. Organizations of all sizes are compelled by consumer demand or competitive pressures to aggressively build their own consumer-facing mobile apps.
Mobile app development projects place a premium on time to market, and this often puts even greater pressure on security quality testing. Vulnerabilities in a mobile app, if exploited by a malicious entity, can damage the trust that consumers, employees and partners place in the organization. The issues surrounding mobile app security have proven much more complex than those around web applications when it comes to threat modeling. With mobile, it’s not just about the code running on the device; security depends heavily on the device itself, taking into account different versions, interfaces, platforms and device integrity (e.g. whether the device is jailbroken).
It’s surprising to see how little effort is put into finding and resolving common mobile app security vulnerabilities. Whether it is an internally developed corporate app, a third-party app or something in between, it probably has vulnerabilities. When analyzing the security of a mobile app, developers perform three major checks: the client side, the server side and the protocols by which data is transferred between them. The following are common mobile app security risks that you need to be on the lookout for:
Mobile Data Encryption at Rest
Mobile platforms and development kits come with a plethora of options to securely store and encrypt data. The problem is that most developers don’t use these APIs, whether that means storing passwords in plain text on the file system or leaking personal information via “features”.
- Insecure Data Storage: Trace all the routes of data out of the app and flag code elements that can lead to compromised data (e.g. saving unencrypted data, use of cloud storage).
- Improper Session Handling: Check whether the Universally Unique Identifier (UUID) is used, and verify that it is not being used for session management.
- Malicious code injection: requests or queries that can trip up the app and cause it to divulge otherwise protected information.
Mobile Data Encryption in Transit
Since mobile devices are everywhere and connect to a large number of untrusted networks, encrypting traffic in transit is paramount. Even those who do use HTTPS when a mobile app communicates with the web can misconfigure this protection.
- Insufficient Transport Layer Protection: Verify that appropriate Secure Sockets Layer (SSL) or Transport Layer Security (TLS) capabilities are employed for data in transit.
- Client-Side Injection: Trace all the routes of data into the application and check whether input validation is performed to counter core injection attacks (e.g. SQL injection).
- Poor Authentication and Authorization: Identify the areas where the user is challenged, and trace where IDs and passwords enter and exit the application.
- Login-related weaknesses, such as being able to bypass the login prompt to perform functions like interacting with external web applications and services.
Mobile Application Back-ends
Almost all mobile applications communicate with a back-end, whether pulling down a website’s content, using an API, uploading and downloading files, etc. These back-ends are subject to the same web application security flaws that we have been battling as an industry for years.
- Weak Server Side Controls: Scan the back-end API calls.
- Side Channel Data Leakage: Uncover data leaking to various data sinks such as the clipboard, log files, etc.
- Sensitive Information Disclosure: Similar to side channel data leakage; verify that specific data elements are not leaving the app (e.g. to the network, via notifications, to peripherals, etc.).
Others: broken cryptography, such as keys hard-coded into the app that can be recovered using mobile forensics tools, and mishandling of sensitive information, such as storing it locally or transmitting it over the network unencrypted. These are just a few examples, but the possibilities are endless given the growing complexity of mobile computing.
As for application security testing options, there are mobile app source code analyzers, tools that sandbox the apps to check for flaws, and then good old-fashioned manual analysis. A mobile app security assessment also follows the same step-by-step procedure as a normal application security assessment: Threat Profiling >> Test Planning >> Test Execution >> Reporting.
Even with such potential business risks, I see many organizations that don’t include mobile apps in their information security program. Whatever the reason, you have to test the security of your mobile apps before a vulnerability is exploited. Get started on it now of your own volition, before someone else forces you to.
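As an added example (not code from the original post), the following Python script shows the kind of lightweight source code analyzer mentioned above: it runs heuristic patterns for several of the checklist categories (insecure data storage, insufficient transport layer protection, side channel leakage, broken cryptography) over a constructed Android Java snippet. The patterns and the sample code are assumptions made for illustration; a hit is a lead for manual review, not a confirmed vulnerability.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "category line snippet")

# Heuristic patterns (constructed for this example) keyed to the checklist
# categories above. A hit is a lead for manual review, not a confirmed flaw.
PATTERNS = [
    ("Insecure Data Storage", re.compile(r"MODE_WORLD_(READABLE|WRITEABLE)")),
    ("Insecure Data Storage", re.compile(r'putString\(\s*"(password|passwd|token)"', re.I)),
    ("Insufficient Transport Layer Protection", re.compile(r'"http://')),
    ("Insufficient Transport Layer Protection",
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*\{\s*\}")),  # empty trust check
    ("Insufficient Transport Layer Protection", re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER")),
    ("Side Channel Data Leakage", re.compile(r"Log\.[dvi]\(.*(password|token|ssn)", re.I)),
    ("Broken Cryptography", re.compile(r'SecretKeySpec\(\s*"[^"]+"\.getBytes')),  # hard-coded key
    ("Broken Cryptography", re.compile(r'Cipher\.getInstance\(\s*"(DES|AES/ECB)')),
]

def scan_source(text):
    """Return a Finding for every (line, pattern) pair that matches."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for category, pattern in PATTERNS:
            if pattern.search(line):
                findings.append(Finding(category, lineno, line.strip()))
    return findings

def summarize(findings):
    """Count findings per checklist category."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts

# Constructed Android (Java) snippet with deliberate weaknesses; the last line is clean.
SAMPLE = """\
SharedPreferences prefs = getSharedPreferences("auth", MODE_WORLD_READABLE);
prefs.edit().putString("password", pw).apply();
Log.d(TAG, "login token=" + token);
URL url = new URL("http://api.example.com/v1/login");
public void checkServerTrusted(X509Certificate[] chain, String authType) {}
SecretKey key = new SecretKeySpec("0123456789abcdef".getBytes(), "AES");
Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
String safe = new URL("https://api.example.com/v1/login").toString();
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line}: {f.category}: {f.snippet}")
    print(summarize(scan_source(SAMPLE)))
```

Run it against decompiled or original app sources to get a triage list; each category maps back to the manual checks listed above.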