Businesses rely on mobile apps more than ever. And with social distancing being the new normal, mobile apps are a boon. In order to stay ahead of the competition, organizations frequently add new functionality to their apps. Sometimes, app security is compromised in the pursuit of shipping the latest updates.
In this edition of the expert series, we will discuss common mobile application vulnerabilities along with their resolutions.
Mobile App Security Attacks
A huge number of app-related data breaches have taken place this year. Some of the largest breaches include:
- As per the Financial Times, there was a vulnerability in the WhatsApp VoIP function that was exploited by hackers by calling the victim's phone.
- Around four million weakly encrypted email IDs and passwords of the Android dating app 'MobiFriends' were stolen.
- Over 20 million users of the major online grocery 'Bigbasket' had their data leaked.
- The US pharmacy chain 'Walgreens' mobile app contained an error that allowed users to see other users' private messages.
Mobile Application Vulnerabilities
1. Weak Server-Side Controls
The main reasons for server-side control issues are:
- Frequent updates and teams rushing to market.
- Expecting the mobile operating system to take complete responsibility for the mobile app's security.
2. Insecure Data Storage
Storing personal or sensitive data such as credit card numbers or passwords requires a secure mechanism. Developers use files and databases to store data on the client side in mobile apps, assuming that this restricts users from accessing the data.
Attackers can easily root or jailbreak the mobile device, read that stored data, and compromise the security of the mobile app.
3. Unintended Data Leaks
Common data leakage points that you should monitor:
- Copy/paste buffer caching
- Browser cookie objects
- URL caching
- Keyboard press caching
- Data analytics shared with third-parties
4. Poor Authorization and Authentication
PIN codes are used for authentication in most mobile apps. This is an insecure practice, as PIN codes are stored on the mobile device and an attacker can steal this data easily.
5. Improper Session Handling
OAuth tokens and cookies are used for session management in mobile apps. Effective session handling means the mobile app authenticates users through the backend, which then issues a session cookie to the mobile app.
Preventions Against Vulnerabilities
- Scan your mobile apps for security vulnerabilities.
- Avoid storing sensitive data on the phone's file system.
- Use a standard encryption library, e.g. CryptoKit on iOS, to store information.
- Hire security testers to test the authentication and authorization mechanisms, and to attack the mobile app in offline mode.
- All authentication requests should be performed on the server side.
- To enable proper session handling, configure the session timeout in the app's connection to the login server to a value less than the session timeout on the server side.
- Mobile apps should handle session tokens properly and efficiently.
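The server-side session handling described in section 5 and in the prevention list above, as an added example that is not part of the original post: the backend verifies the credential, issues an opaque random token, expires it after a server-side inactivity timeout, and the app treats its copy as stale earlier than the server does. The user name, password, salt and timeout values are constructed for the demo; a per-user random salt and a real user store are assumed in practice.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

SERVER_SESSION_TIMEOUT = 900   # seconds of inactivity before the backend expires a session
CLIENT_SESSION_TIMEOUT = 600   # the app must consider its token stale before the server does

_SALT = b"constructed-demo-salt"  # constructed; use a random per-user salt in practice


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed demo user store: only password hashes live on the server, never the PIN/password.
USERS = {"alice": _hash("correct horse battery staple", _SALT)}


@dataclass
class Session:
    user: str
    last_seen: float


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested deterministically
        self._sessions = {}        # token -> Session

    def login(self, user: str, password: str):
        stored = USERS.get(user)
        if stored is None or not hmac.compare_digest(stored, _hash(password, _SALT)):
            return None            # authentication happens here, on the server, not in the app
        token = secrets.token_urlsafe(32)   # 256 bits of randomness, unrelated to user data
        self._sessions[token] = Session(user, self._now())
        return token

    def validate(self, token: str):
        session = self._sessions.get(token)
        if session is None:
            return None
        if self._now() - session.last_seen > SERVER_SESSION_TIMEOUT:
            del self._sessions[token]       # expired: drop it so it cannot be replayed later
            return None
        session.last_seen = self._now()     # activity refreshes the idle timer
        return session.user

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


def client_token_is_stale(last_used: float, now: float) -> bool:
    """App-side check: re-authenticate before the server would reject the token."""
    return now - last_used > CLIENT_SESSION_TIMEOUT
```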
Ensure Source Code Encryption
Reverse engineering and tampering attacks can be defended against by encrypting the source code.
Perform Penetration Tests and Thorough QA
Pen testing is highly recommended to expose mobile app security vulnerabilities.
Secure the Data-in-Transit
Use an SSL/TLS or VPN tunnel for secure data transmission.
Use Latest Cryptography Techniques
Use encryption techniques like AES with 512-bit encryption and 256-bit encryption.
Implement High Security Authentication Mechanism
Implement a strong password mechanism. Users should be asked to change their passwords periodically. For extremely sensitive apps such as banking apps, use strong authentication such as biometrics (fingerprint or retina scans).
We would love to hear your feedback, questions, comments and suggestions. This will help us to be better and more useful next time.
Share your thoughts and ideas at email@example.com