Risks Specific to Mobile Applications
Security | Thursday, 27 February 2014
The increased usage of mobile applications running on smart phones or tablets raises new threats that can exploit vulnerabilities of these new technologies.
The user habits, the characteristics of mobile devices, the skills available on the market and the desire of businesses to come up with services for mobile platforms as soon as possible make mobile applications more vulnerable than traditional web services. According to OWASP, the most significant mobile applications risks are:
- Weak Server Side Controls - Bad mobile application server code is caused by the rush to market, lack of security knowledge, frameworks that don’t prioritize security, lower security budgets for mobile applications, cross-platform development and compilation.
- Insecure Data Storage - Device file systems are often easily accessible once a device has been rooted or jailbroken. Where data is not protected properly, all that is needed to view application data is to connect the phone to a computer and use some specialized tools.
- Insufficient Transport Layer Protection - If the application is coded poorly, threat agents can use techniques to view this sensitive data while it's traveling across the network.
- Unintended Data Leakage - Unintended data leakage is a branch of insecure data storage. It includes all manner of vulnerabilities that can be introduced by the OS, frameworks, compiler environment, new hardware, etc., all without the developer's knowledge.
- Poor Authorization and Authentication - Fewer authentication factors, local authentication leading to client-side bypass vulnerabilities, and usage of persistent authentication ("remember me") functionality.
- Broken Cryptography - The creation and use of custom encryption algorithms, use of insecure and/or deprecated algorithms, poor key management.
- Client Side Injection - Supplied data is not subject to proper input validation, and controls that should prevent code injection are not effectively implemented.
- Security Decisions Via Untrusted Inputs - The mobile application does not restrict access based on a white-list of trusted applications when Inter Process Communications (IPC) are involved, and sensitive actions triggered through IPC entry points do not require user interaction before the action is performed.
- Improper Session Handling - Failure to invalidate sessions on the backend, lack of adequate timeout protection, failure to properly rotate cookies, insecure token creation.
- Lack of Binary Protections - Hosting code in an untrustworthy environment, an environment in which the organization does not have physical control. This includes mobile clients, firmware in appliances, cloud spaces, or data centers within particular countries.
Infologica offers security audit and penetration testing services to help our customers evaluate their exposure related to the usage of mobile applications.