Back To Main Menu
Timothy JosephA huge number of app-related data breaches have taken place this year. Some of the largest breaches include:
-
As per the Financial Times, there was a vulnerability in WhatsApp VOIP function that was exploited by hackers by calling victim’s phone.
-
Around four million weakly encrypted email ids and passwords of Android dating app ‘MobiFriends’ were stolen.
-
Over 20 million users had data from a major online grocery ‘Bigbasket’ leaked.
-
The US pharmacy chain 'Walgreens’ mobile app contained an error that allowed users to see other users' private messages.
Mobile Application Vulnerabilities
-
1. Weak Server-Side Controls
The main reasons for server-side control issues are:
- Frequent updates and teams rushing to market.
- Expecting mobile operating system to take complete responsibility for the mobile app security.
-
2. Insecure Data Storage
Storing personal or sensitive data such as credit card numbers or passwords requires a secure mechanism. Developers use files and databases to store data on the client-side in mobile apps assuming that will restrict users from accessing the data.
Attackers can easily root or jailbreak the mobile device and compromise the security of mobile apps.
-
3. Unintended Data Leaks
Common data leakage points that you should monitor:
- Copy/paste buffer caching
- Browser cookie objects
- URL caching
- Keyboard press caching
- Data analytics shared with third-parties
-
4. Poor Authorization and Authentication?
PIN codes are being used in most of the mobile apps for authentication. It’s an insecure practice as PIN codes are stored on the mobile device and attacker can steal this data easily.
-
5. Improper Session Handling
OAUTH tokens and cookies are used for session management in mobile apps. Effective session handling should make a mobile app authenticate users through the backend and then issue a session cookie to the mobile app.
Preventions Against Vulnerabilities
- Scan your mobile apps for security vulnerabilities.
- Avoid storing sensitive data on phone filing systems.
- Use a standard encryption library, e.g. CryptoKit in iOS to store information.
- Hire security testers to test authentication and authorization mechanisms, and attack the mobile app in offline mode.
- All authentication requests should be performed on the server side.
- To enable proper session handling, configure session timeouts in the login server connection to a value less than the session timeout on the server-side.
- Mobile apps should handle session tokens properly and efficiently.
Best Practices
Have Suggestions?
We would love to hear your feedback, questions, comments and suggestions. This will help us to make us better and more useful next time.
Share your thoughts and ideas at knowledgecenter@qasource.com
