Top 10 Vulnerabilities in Mobile Applications by Atman Rathod


Top 10 Vulnerabilities That Every Mobile App Developer Should Be Concerned About 

Mobile apps on every operating system remain exposed to security risks and malware that degrade app performance and expose the app to data theft, data leakage and further attacks. Naturally, these vulnerabilities should stay at the top of a developer's list of priorities.

This is why developers need an in-depth understanding of these vulnerabilities and of effective measures to address them. Many of these security weaknesses stem from bad practices around data storage, neglect of data encryption, and practices such as sideloading. Only with a deeper understanding of these issues can a mobile app follow the security practices needed to combat them.

Let us now explain the top 10 vulnerabilities that most mobile apps suffer from. 

  1. Binary Protection: Inefficient Detection of Jailbreak or Rooting 

Rooting or jailbreaking strips the platform's protection measures, including data protection and encryption, so that arbitrary code can run on the device. Once device security is compromised in this way, running malware or any other malicious program becomes far easier, and the app's logic can be altered to behave differently. This is why a lack of binary protection, and the resulting failure to detect a jailbroken or rooted device, can have serious consequences for the app.

How To Address It? 

The most elementary practice is to avoid running the app on any jailbroken or rooted device at all. The second is to detect when jailbreaking or rooting has taken place. Detecting a compromised device is the central security task for staying clear of this vulnerability, and binary protection through jailbreak and root detection is the key control for addressing it. The principal objective is to mitigate risk by preventing app data from being exposed on a device that is no longer trustworthy.
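As an added illustration (not code from the article), a minimal root-detection helper for Android in Java; the su paths and the three checks are assumptions, and on a real device `android.os.Build.TAGS` would be passed in as `buildTags`:

```java
import java.io.File;
import java.util.Arrays;
import java.util.List;

/** Heuristic root/jailbreak detection for Android (added example, not from the article). */
public final class RootCheck {
    // Well-known locations of the su binary and of root-management apps; assumed list, extend as needed.
    private static final List<String> SU_PATHS = Arrays.asList(
            "/system/bin/su", "/system/xbin/su", "/sbin/su",
            "/system/app/Superuser.apk", "/data/local/bin/su");

    /** Custom or rooted firmware is usually signed with "test-keys"; pass android.os.Build.TAGS here. */
    public static boolean hasTestKeys(String buildTags) {
        return buildTags != null && buildTags.contains("test-keys");
    }

    /** Presence of an su binary means privilege escalation is available to any app. */
    public static boolean hasSuBinary() {
        for (String path : SU_PATHS) {
            if (new File(path).exists()) {
                return true;
            }
        }
        return false;
    }

    /** /system is read-only on a stock device; being writable indicates it was remounted. */
    public static boolean systemWritable() {
        return new File("/system").canWrite();
    }

    /** Any single signal is enough to treat the device as compromised. */
    public static boolean isDeviceRooted(String buildTags) {
        return hasTestKeys(buildTags) || hasSuBinary() || systemWritable();
    }
}
```

Treat the result as one signal among several: these checks are heuristics that a modified device can evade, so a positive result should reduce functionality or refuse to handle sensitive data rather than serve as the only control.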

  2. Binary Protection: Insufficient Code Obfuscation

This vulnerability is most common on Android, which is the mobile OS on the vast majority of devices. Since Android is essentially a Java-based operating system and Java applications run the risk of being reverse engineered, you have to protect the code by scrambling or obfuscating it. Google provides a tool called ProGuard which, as part of the Android SDK, shrinks and obfuscates the code by dropping unused code from the app and renaming fields, classes and methods with obscure names. Once the code is obfuscated and these identifiers are renamed, reverse engineering the file becomes much harder, and the smaller .apk also gives an attacker less to work with.

How To Address It? 

ProGuard is integrated into the Android build system and runs without you having to invoke it manually: it applies its protection whenever you build the app in release mode, while debug builds keep the unobfuscated code, which makes development easier. Using ProGuard is strongly recommended for Android apps, as it materially improves the security of the binary.

  3. Lack of Transport Layer Protection

During network communication it is extremely important to safeguard the sensitive data passing through. Yet many applications simply fail to encrypt their network traffic, and this creates a host of security issues. Encrypting network communication, generally with TLS (Transport Layer Security), is necessary to safeguard all traffic on the network, including web pages and authenticated connections. In the same way, backend connections must also be encrypted to avoid exposing sessions to malicious programs running on the host.

Data encryption matters most for sensitive information that is vulnerable to theft, breaches or other security risks: financial data, credit card information, health information, administrative data, high-value corporate data, and so on.

How To Address It? 

As a solution, app developers must impose a security constraint that ensures confidentiality and secure transport of information. This provides assurance that information sent during network communication cannot be tampered with in transit. If a firewall, load balancer or hosting solution has to terminate the encryption, the data should be re-encrypted when it leaves that component and travels on to its intended destination.

  4. Information Leakage

Information leakage happens at various stages, on both the client side and the server side, and is a typical weakness common to many apps. This crucial vulnerability can expose technical details of a web app, the network environment and user data, and an attacker can use such sensitive details to exploit the app for malicious ends.

Information leakage from servers results from conditions such as failing to scrub HTML comments that contain mission-critical data. The vulnerability can also stem from bad server configuration and from shortcomings in how page responses are composed.

How To Address It? 

The most pertinent way to solve this vulnerability is to drop all unnecessary information from the server's responses. This stops the app from giving an attacker more information about the network than is strictly required.

  5. Non-optimized Authorization/Authentication

Lack of authorization is another key security vulnerability, which arises when an app does not carry out the required checks of the user's authorization in the context of specific tasks. The app should check authorization consistently with its security policy; failing to do so exposes the app to security risks.

How To Address It? 

The authorization process must enforce permission rules for user actions, services and app responses in their different contexts of use. This means that simple user authentication for a website should not grant the user access to all content on that website; there should be separate authentication procedures for different sensitive content. To ensure this, use a time-tested authorization framework that is configured according to a specific policy for access to the different content and app features.

  6. Brute Force: User Enumeration

Most cyberattacks on mobile and web apps begin by determining whether a given user is active in the app, and there are several ways an attacker can establish this. A brute force attack is one such method: it runs through a whole array of possible values in an automated fashion. Such an attack exploits the fact that the effective entropy of user-chosen values is smaller than the perceived one.

To explain this, take the example of a password. An alphanumeric password of 8 characters is likely to have 2.8 trillion possible values. But despite this huge number of options, most users choose passwords from a limited subset of characters that spell easy-to-guess words and terms. This lets an attacker find a valid user credential by noting the difference in the error message returned for a wrong password.

How To Address It? 

Since login credentials are the most exposed to such attacks, the app should never reveal whether the username or the password was the invalid part of the input. Instead of stating that the username or the password is invalid, the prompt can say, “Please try again with correct password”.
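As an added example (not code from the article), a server-side login check that returns the same generic message, and performs the same amount of work, whether the username is unknown or the password is wrong, so neither the response text nor its timing enumerates users; the class name, the PBKDF2 parameters and the dummy password are assumptions:

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Login check that answers identically for unknown users and wrong passwords (added example). */
public final class LoginService {
    static final String GENERIC_ERROR = "Please try again with correct password";
    private static final int ITERATIONS = 100_000;
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, byte[]> salts = new HashMap<>();
    private final Map<String, byte[]> hashes = new HashMap<>();
    // Dummy salt and hash so an unknown username costs exactly one derivation, like a real one.
    private final byte[] dummySalt = newSalt();
    private final byte[] dummyHash = derive("unused-dummy-password", dummySalt);

    private static byte[] newSalt() {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        return salt;
    }

    // PBKDF2-HMAC-SHA256 from the standard JCE; deliberately slow so guessing is expensive.
    private static byte[] derive(String password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, ITERATIONS, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public void register(String user, String password) {
        byte[] salt = newSalt();
        salts.put(user, salt);
        hashes.put(user, derive(password, salt));
    }

    /** Returns null on success, otherwise the single generic message for every kind of failure. */
    public String login(String user, String password) {
        byte[] salt = salts.getOrDefault(user, dummySalt);
        byte[] expected = hashes.getOrDefault(user, dummyHash);
        byte[] actual = derive(password, salt);                  // always runs, whoever the user is
        boolean match = MessageDigest.isEqual(actual, expected); // constant-time comparison
        return (match && hashes.containsKey(user)) ? null : GENERIC_ERROR;
    }
}
```

Calling `login("alice", "wrong")` for a registered user and `login("nobody", "wrong")` for a nonexistent one returns the identical string after the same PBKDF2 work; pair this with request rate limiting so the generic message cannot simply be retried at speed.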

  7. Information Leakage: Application Cache

The sensitive data of an app is also vulnerable to leakage from app caches. Such leakage takes place in two ways: either from the core app codebase or through third-party tools and frameworks. Whenever a mobile device is stolen, or accessed temporarily by others while unlocked, the cached data can be read by an attacker straight from the physical handset.

How To Address It? 

To address this problem, it is extremely important that the app prevent sensitive information from leaking through the app cache. To prevent access to app caches from an unlocked device, developers can create a threat model for the respective operating system, platform and framework that tracks how data is handled through the various caching mechanisms: URLs, keyboard presses, logging, copy or paste actions, app backgrounding, browser cookies, HTML5 storage, and data analytics.

  8. Cryptography: Improper Certificate Validation

Cryptocurrencies are increasingly common for financial transactions across apps, and they draw particular attention from cybersecurity experts because of the increased vulnerability they present. Attackers trying to get access to cryptographic data succeed mainly when the app has not properly validated SSL/TLS certificates. The vulnerability also arises when an attacker can take advantage of a poorly implemented SSL/TLS certificate validation routine that never verifies the trustworthiness of the certificate.

How To Address This? 

The app must ensure that the certificate it uses comes from a trustworthy source, a reliable industry-validated certification authority. The app can also incorporate into its codebase the latest certificate standards approved by standards bodies such as the IETF.
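One way to apply both the transport layer protection item above and this one, enforcing TLS for every request and validating the server's certificate against a pinned key, as an added example built on the OkHttp client library rather than code from the article; the host name and the pin value are placeholders:

```java
import java.io.IOException;
import java.util.Collections;
import okhttp3.CertificatePinner;
import okhttp3.ConnectionSpec;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

/** HTTP client that refuses cleartext and weak TLS and pins the backend key (added example). */
public final class SecureClient {
    // Hypothetical backend host and a placeholder pin: base64 of the SHA-256 over the SubjectPublicKeyInfo.
    static final String API_HOST = "api.example.com";
    static final String PIN_SHA256 = "sha256/PLACEHOLDER_BASE64_SPKI_HASH=";

    public static OkHttpClient build() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, PIN_SHA256)
                .build();
        return new OkHttpClient.Builder()
                // MODERN_TLS only: TLS 1.2+ with strong cipher suites, and no CLEARTEXT spec at all.
                .connectionSpecs(Collections.singletonList(ConnectionSpec.MODERN_TLS))
                // The platform trust manager and hostname verifier stay in place; never swap in an
                // accept-all TrustManager or a HostnameVerifier that returns true.
                .certificatePinner(pinner)
                .build();
    }

    /** Fails with an SSLPeerUnverifiedException if the chain does not validate or match the pin. */
    public static String fetch(String url) throws IOException {
        Request request = new Request.Builder().url(url).build();
        try (Response response = build().newCall(request).execute()) {
            return response.body().string();
        }
    }
}
```

On Android the same policy can also be declared in a network_security_config.xml with cleartextTrafficPermitted="false" and a pin-set; whichever mechanism you use, pin a backup key too and plan rotation, since an expired pin locks every user out.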

  9. Lack of Session Expiration

Many times an app's security vulnerabilities increase mainly because of sessions that stay active after the user leaves a website or app. By identifying an inactive user with a live session, an attacker can impersonate that user to carry out unwanted actions.

How To Address It? 

To address this security vulnerability, the app must have a clearly visible sign-out button and should automatically invalidate a session once a threshold time limit is crossed. The second option is especially effective for apps dealing with critical information, such as banking and finance.
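As an added example (not code from the article), a server-side session table that implements both measures, explicit sign-out and automatic expiry, with an idle window and an absolute lifetime; the timeout values and class names are assumptions:

```java
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;

/** Session table with idle and absolute expiry plus explicit sign-out (added example). */
public final class SessionStore {
    // Assumed limits: a short idle window suited to a finance-style app and a hard cap on total lifetime.
    static final Duration IDLE_TIMEOUT = Duration.ofMinutes(5);
    static final Duration ABSOLUTE_TIMEOUT = Duration.ofHours(8);

    private static final class Session {
        final String user;
        final Instant created;
        Instant lastSeen;
        Session(String user, Instant now) { this.user = user; this.created = now; this.lastSeen = now; }
    }

    private final Map<String, Session> sessions = new HashMap<>();

    /** token must be a random, unguessable session id issued at login. */
    public void create(String token, String user, Instant now) {
        sessions.put(token, new Session(user, now));
    }

    /** The sign-out button must invalidate the session here, not merely discard the client's cookie. */
    public void signOut(String token) {
        sessions.remove(token);
    }

    /** Returns the owning user while the session is valid; expired sessions are dropped and yield null. */
    public String validate(String token, Instant now) {
        Session s = sessions.get(token);
        if (s == null) {
            return null;
        }
        boolean idleTooLong = Duration.between(s.lastSeen, now).compareTo(IDLE_TIMEOUT) > 0;
        boolean livedTooLong = Duration.between(s.created, now).compareTo(ABSOLUTE_TIMEOUT) > 0;
        if (idleTooLong || livedTooLong) {
            sessions.remove(token);
            return null;
        }
        s.lastSeen = now; // activity extends the idle window but never the absolute limit
        return s.user;
    }
}
```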

  10. Information Leakage: Sensitive Data

Though data leakage from the server has already been discussed as a vulnerability, there are other leakage threats within the app, from one app to another, and so on.

How To Address This? 

Information leakage can occur specifically for certain resources and globally for the whole app. Global leakage, which mostly comes from disclosing the framework version, can be prevented through configuration settings, while leakage tied to specific resources can be averted by not sharing sensitive files, personal information and the like.

Conclusion 

Mobile app vulnerabilities are multifaceted and varied. Without keeping a sharp eye on them and taking proactive measures against each, no developer can comprehensively safeguard an app from security risks and attacks. The solutions mentioned above can help keep your app up to date in dealing with these risks and vulnerabilities.


About the Author:

Atman Rathod is the Co-founder at CMARIX TechnoLabs Pvt. Ltd., a leading web and mobile app development company with 13+ years of experience. He loves to write about technology, startups, entrepreneurship and business. His creative abilities, academic track record and leadership skills made him one of the key industry influencers as well.

Social Links: Linkedin - https://www.linkedin.com/in/rathodatman/

Twitter - https://twitter.com/RathodAtman

Skype: atman.rathod

Medium: https://medium.com/@rathod.atman

Facebook: https://www.facebook.com/CMARIXTechnoLabs/


January 30, 2020

Author

Hakin9 TEAM
Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.