Slowing down is not an option: security cannot afford to lag behind development. This is particularly true for businesses eager to enter the mobile application race. As apps make up a growing share of our online experience, it is vital to understand the security issues and vulnerabilities they can pose to users and to your organization.
The OWASP Mobile Top 10 is a great online resource if you want to learn more about mobile application security. The project combines platform-specific guides and general best practices to aid the development of secure mobile apps, raise industry awareness and promote dialogue on the topic. Its goal is an industry standard that categorizes the most common mobile risks, giving security and development teams a shared vocabulary for identifying and mitigating them. Application security solution provider Checkmarx has reviewed the Top 10 (the items below are the 2014 edition of the list; later editions reorder and rename several of them) to explain each risk and the techniques for avoiding it:
1. Weak Server-Side Controls
Every mobile app talks to a backend, and any weakness in that backend, such as a missing authentication or authorization check or an injection flaw in an API endpoint, exposes server-side data to unauthorized users. This may not seem very mobile-specific, but it tops the OWASP list because of the severity of the resulting breaches and because mobile apps often bolt new API endpoints onto existing architectures that were never designed to face untrusted clients. The remedy: never trust the client. Treat every request from the app as potentially forged, enforce access control on the server, and never rely on the client application to hide or gate functionality.
2. Insecure Data Storage
A flaw in one app, or simple physical access to a lost or stolen device, can expose the files the app stores locally, and with them any sensitive information the app has written to disk: credentials, tokens, personal data. Privacy violations, non-compliance and data breaches can all follow. Encrypt anything sensitive that must be stored, and store as little as possible: persist only data the app genuinely needs beyond the current session, and keep sensitive values out of caches and logs.
3. Insufficient Transport Layer Protection
TLS (still widely called SSL) protects data in transit from being read, tampered with or intercepted by a man-in-the-middle attacker, whose goal is usually to capture user or administrative credentials. Encrypt all sensitive traffic on every network the app may use, including carrier data and public Wi-Fi; keep the server certificate valid and current; make sure the app actually verifies the certificate chain and hostname rather than disabling validation to silence errors; keep TLS on for the entire session, not just the login step; and monitor network traffic for the anomalies such attacks produce.
4. Unintended Data Leaks
Seemingly innocuous platform behaviour, such as the clipboard holding values a user copied or the keyboard cache logging what they typed, can leak data out of your app and lead to fraud, reputational damage and privacy violations. Only collect data your app actually needs, store what you keep in an encrypted database or the device's native keychain, and audit exactly what the app (and the platform on its behalf) collects or caches.
5. Poor Authentication and Authorization
Mobile devices drop in and out of connectivity, so apps are often built to work offline, and many end up with weak authentication and authorization logic as a result, leaving privileged accounts open to unauthorized access. Contextual signals (device, location, time of day) can strengthen multi-factor authentication; credentials and tokens belong in an encrypted store or the device's native keychain rather than in plain files; and hosted identity services such as the Microsoft Access Control Service (since retired) give developers a ready-made way to authenticate users and authorize requests. Most simply of all: if your app does not need offline access, do not implement it.
6. Broken Cryptography
Cryptography protects sensitive information stored on the device or inside your app only if it is done properly: use current, well-vetted algorithms and libraries, avoid deprecated primitives, and never roll your own. Done right, it protects users from data theft and privacy violations and makes the secrets your app holds far harder to recover by reverse engineering. Sensitive data should live in the device's native keychain or keystore, and encryption keys must be stored separately from the data they protect, never alongside it in the same file or hard-coded into the binary.
7. Client-Side Injection
Client-side injection means untrusted input reaching an interpreter on the device itself, typically SQL into a local SQLite database or JavaScript into a WebView. Android apps are especially exposed because the whole application, including its data layer, is downloaded and executed on the client, where an attacker can study it and feed it input at will. A successful injection can expose sensitive local data or let the attacker act with the app's privileges, up to and including access to administrative accounts. White-box code review and testing, strict input validation, parameterized queries and output encoding all help prevent it.
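To make the SQL case concrete, here is an added Python example, not from the Checkmarx write-up or the OWASP project. It uses Python's built-in sqlite3 module, which drives the same SQLite engine that mobile apps store their data in, so the behaviour is identical to what a local database on the device would do. The notes table, the secrets table and the two attacker payloads are constructed for the example. The vulnerable query splices untrusted input into the statement text; the hardened one binds it as a parameter.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for an app's local SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (owner TEXT, body TEXT)")
    conn.execute("CREATE TABLE secrets (name TEXT, value TEXT)")
    conn.executemany(
        "INSERT INTO notes VALUES (?, ?)",
        [("alice", "alice: grocery list"),
         ("bob", "bob: bank PIN reminder"),
         ("carol", "carol: travel plans")],
    )
    # Constructed secret the app keeps locally (e.g. an API token); the attacker wants this.
    conn.execute("INSERT INTO secrets VALUES (?, ?)", ("api_token", "tok_example_only"))
    return conn


def notes_for_owner_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    """Untrusted input spliced into the statement text: client-side SQL injection."""
    sql = f"SELECT body FROM notes WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


def notes_for_owner_safe(conn: sqlite3.Connection, owner: str) -> list:
    """Bound parameter: SQLite receives the value separately from the statement,
    so quotes, OR clauses and comment markers in the input stay inert data."""
    return [row[0] for row in conn.execute(
        "SELECT body FROM notes WHERE owner = ?", (owner,))]


def demo() -> dict:
    conn = build_db()
    # Constructed attacker inputs, as typed into a search field or passed in an Intent extra.
    bypass = "' OR '1'='1"                          # turns the WHERE filter into "always true"
    exfil = "' UNION SELECT value FROM secrets --"  # reads another table; "--" comments out the trailing quote
    return {
        "vulnerable_bypass": notes_for_owner_vulnerable(conn, bypass),
        "vulnerable_exfil": notes_for_owner_vulnerable(conn, exfil),
        "safe_bypass": notes_for_owner_safe(conn, bypass),
        "safe_exfil": notes_for_owner_safe(conn, exfil),
        "safe_legit": notes_for_owner_safe(conn, "alice"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:18} -> {rows}")
```

Run it and the vulnerable function returns every user's notes for the first payload and the contents of the secrets table for the second, while the parameterized version returns nothing for either and only alice's rows for a legitimate owner. The fix is the same on Android (`SQLiteDatabase.query` with `selectionArgs`) and iOS (bound parameters in sqlite3 or Core Data predicates): never build the statement from strings.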
8. Security Decisions via Untrusted Inputs
IPC (Inter-Process Communication) is how your app exchanges data with other apps and with the platform: Android Intents, iOS URL schemes and similar mechanisms. Any input that arrives this way comes from a party you do not control, and if your app makes security decisions based on it (which screen to open, which URL to load, whether the caller is privileged) it is wide open to a huge range of attacks, including injection and having its security model bypassed to reach sensitive data. Validate and encode everything that comes in over IPC before acting on it, validate it again on the server side before trusting it there, and avoid IPC entirely for transferring sensitive data.
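As an added example, again not from the page's authors, here is how a link handler can refuse to act on untrusted IPC input, written in Python for readability. It models an app that registers a custom URL scheme and receives links such as `myapp://open?target=/orders` from other apps or web pages; the scheme name, the `target` parameter and the allowlist of screens are assumptions for the example. The point is that the handler decides what to open by membership in a fixed allowlist, not by inspecting or trusting whatever the sender supplied.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Assumed custom scheme and host the app registers for its deep links.
APP_SCHEME = "myapp"
APP_HOST = "open"

# Allowlist of in-app screens a deep link may open. Anything else is refused.
ALLOWED_TARGETS = frozenset({"/account/settings", "/orders", "/support"})


def resolve_deep_link(link: str) -> Optional[str]:
    """Return the in-app screen an incoming link asks for, or None to refuse it.

    The link arrives over IPC (an Intent, a URL-scheme launch) from a sender the
    app cannot trust, so nothing in it is used directly: the only outcomes are
    one of the allowlisted screens or a refusal.
    """
    try:
        parts = urlsplit(link)
    except ValueError:
        return None  # malformed enough that the parser gave up: refuse
    if parts.scheme != APP_SCHEME or parts.netloc != APP_HOST:
        return None  # a link for some other scheme or host is not ours to act on

    params = parse_qs(parts.query, keep_blank_values=True)
    targets = params.get("target", [])
    if len(targets) != 1:
        return None  # missing or repeated parameter: refuse instead of guessing

    target = targets[0]  # parse_qs has already percent-decoded it exactly once
    if target not in ALLOWED_TARGETS:
        # Covers javascript:/file: URLs, external hosts, path traversal and
        # unknown screens alike: the decision is membership, not pattern-matching.
        return None
    return target


def demo() -> dict:
    # Constructed links, as another app or a malicious web page might send them.
    samples = {
        "legit": "myapp://open?target=/orders",
        "encoded": "myapp://open?target=%2Faccount%2Fsettings",
        "javascript": "myapp://open?target=javascript:alert(1)",
        "external": "myapp://open?target=https://evil.example/login",
        "traversal": "myapp://open?target=/orders/../admin",
        "duplicate": "myapp://open?target=/orders&target=/admin",
        "wrong_scheme": "https://open/?target=/orders",
    }
    return {name: resolve_deep_link(link) for name, link in samples.items()}


if __name__ == "__main__":
    for name, screen in demo().items():
        print(f"{name:13} -> {screen if screen else 'refused'}")
```

Only the first two links resolve to a screen; everything else is refused without the handler ever needing to know what `javascript:` or `../` means. The same shape applies to an Android `Intent` extra or an iOS `openURL` callback: map untrusted input onto a closed set of choices the app defines, and treat everything outside that set as hostile.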
9. Improper Session Handling
If an app uses weak session tokens or fails to log a user out properly, a captured or guessed token gives an attacker that user's access for as long as the session lives. Preventative measures include cryptographically random session tokens, logging users out after a period of inactivity, never using the device ID (or any other predictable, non-secret value) as a session token, and being able to revoke tokens immediately should a device be lost or stolen.
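Items 1 and 9 are two sides of the same server-side design, so here is one added Python example, not from Checkmarx or OWASP, that shows both: a server-side session store that issues random tokens, expires idle sessions, revokes every session for a lost device, and decides authorization from the role it recorded at login rather than from anything the client sends. The 15-minute idle policy, the user and device names and the `handle_admin_report` endpoint are assumptions constructed for the example; the fake clock exists only so the timeout can be exercised without waiting.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed policy for the example: a session dies after 15 minutes without a request.
IDLE_TIMEOUT_SECONDS = 15 * 60


@dataclass
class Session:
    user: str
    role: str        # authoritative role, fixed by the server at login
    device_id: str   # kept only so a lost device's sessions can be revoked; never the token
    last_seen: float


class SessionStore:
    """Server-side session state. The client holds nothing but an opaque random token."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, Session] = {}  # keyed by a digest of the token

    @staticmethod
    def _key(token: str) -> str:
        # Store a digest rather than the token itself, so a copied store cannot be replayed.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user: str, role: str, device_id: str) -> str:
        # 256 bits from the OS CSPRNG. Nothing about the device or user goes into it.
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = Session(user, role, device_id, self._clock())
        return token

    def resolve(self, token: str) -> Optional[Session]:
        key = self._key(token)
        session = self._sessions.get(key)
        if session is None:
            return None
        if self._clock() - session.last_seen > IDLE_TIMEOUT_SECONDS:
            del self._sessions[key]          # idle too long: treated as logged out
            return None
        session.last_seen = self._clock()    # sliding window of activity
        return session

    def logout(self, token: str) -> None:
        self._sessions.pop(self._key(token), None)

    def revoke_device(self, device_id: str) -> int:
        """Kill every session for a lost or stolen device; returns how many were revoked."""
        doomed = [k for k, s in self._sessions.items() if s.device_id == device_id]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


def handle_admin_report(store: SessionStore, request: dict) -> str:
    """Server-side handler for a privileged endpoint (constructed for the example)."""
    session = store.resolve(request.get("token", ""))
    if session is None:
        return "401 login required"
    # The request may carry is_admin=true. It is never consulted: the role the
    # server recorded at login is the only thing that grants access.
    if session.role != "admin":
        return "403 forbidden"
    return f"200 report for {session.user}"


class FakeClock:
    """Controllable clock so the idle timeout can be exercised without waiting."""
    def __init__(self, now: float) -> None:
        self.now = now
    def advance(self, seconds: float) -> None:
        self.now += seconds
    def __call__(self) -> float:
        return self.now


def demo() -> dict:
    clock = FakeClock(1_700_000_000.0)
    store = SessionStore(clock)
    user_token = store.login("alice", "user", "device-A")
    admin_token = store.login("root", "admin", "device-B")
    results = {
        "client_claims_admin": handle_admin_report(store, {"token": user_token, "is_admin": True}),
        "real_admin": handle_admin_report(store, {"token": admin_token}),
        "device_id_as_token": handle_admin_report(store, {"token": "device-B"}),
    }
    clock.advance(IDLE_TIMEOUT_SECONDS + 1)
    results["after_idle_timeout"] = handle_admin_report(store, {"token": admin_token})
    fresh_admin_token = store.login("root", "admin", "device-B")
    results["revoked_sessions"] = store.revoke_device("device-B")
    results["after_device_revoked"] = handle_admin_report(store, {"token": fresh_admin_token})
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22} -> {outcome}")
```

A regular user who sends `is_admin: true` still gets 403, the device ID never works as a token, the admin session is gone after the idle window, and revoking the device kills its fresh session. Everything that matters lives on the server; the mobile client's only job is to keep its token in the keychain and present it.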
10. Lack of Binary Protections
Binary protections make reverse engineering harder. Without them an attacker can decompile or patch your app to disable its security controls, add functionality of their own, or harvest secrets embedded in the binary, such as API keys and hard-coded credentials. Debugger detection, jailbreak and root detection, and certificate pinning all raise the bar against this kind of tampering.
Whatever stage your app is at, it's important to realize that security must play a part in your mobile application’s development. Organizations that fail to take a security pit stop to recognize and mitigate these risks could very well crash and