OWASP Top 10 Mobile Vulnerabilities Developers Need to Understand

With the growing number of mobile apps, it’s imperative that mobile developers stay vigilant about security vulnerabilities and have the know-how to mitigate them. With the OWASP mobile top 10 vulnerabilities, developers can learn how to maintain the security of their mobile apps to protect them from cyberattacks.

Open Web Application Security Project (OWASP) is a community-based foundation that focuses on spreading awareness about software and application security. OWASP organizes several leading training and education programs in the field of cybersecurity as well.

Let’s take a closer look at the OWASP top 10 mobile app vulnerabilities.

Which Are the OWASP Top 10 Mobile App Vulnerabilities?

Understanding these security vulnerabilities will help you assess your mobile app better and maintain strong security to protect your data and users.

Here are the OWASP top 10 mobile vulnerabilities that you should be aware of:

1. Weak Server-Side Controls

Weak server-side controls include virtually everything that a mobile app can do poorly which doesn’t occur on the mobile device.

Then why is it in the list of OWASP top mobile vulnerabilities?

Because of the fact that most mobile apps also rely on a connection with the server, that makes them comparable to traditional client/server applications. However, that’s not the issue.

The problem is that mobile developers often do not consider traditional server-side security concerns.

In addition to this, while the majority of the security threats are fairly similar to those of web applications, an attacker’s ability to handle and gain control of a mobile device is quite different from what it is on the web.

There are various reasons that lead to server-side control issues:

  • Lack of security knowledge and implementation
  • Frequent updates and rush to market
  • Using easy to work with frameworks which do not prioritize security
  • Assuming the mobile operating system takes complete responsibility for the security for mobile apps
  • Inefficient cross-platform integration and development

How to Prevent Weak Server-Side Controls

The first and most important step to prevent weak server-side controls is to scan your mobile apps. This will help you get an overview of your mobile app’s security and identify security vulnerabilities that you may have overlooked while developing the app.

It’s recommended that you should use automated scanning tools to scan your mobile app, however, often these tools report false positives and negatives. That’s when you need human intervention. This is where it is best to hire a security expert.

Manually assessing the mobile app for security vulnerabilities will help you detect issues that may have gone undetected by automation.

In addition to this, you need to follow a secure coding development life cycle (SDLC) which includes secure coding standards and practices for developers. While it may take longer to implement secure coding practices, it helps reduce security vulnerabilities significantly.

2. Insecure Data Storage

Let’s check out the next OWASP mobile app vulnerability.

We all know storing personal or sensitive data such as credit card numbers or passwords requires a secure mechanism. Typically, developers use files and databases to store data on the client-side in mobile apps assuming that will restrict users from accessing the data.

However, recent trends show that most mobile application security breaches have been caused due to unnecessary or insecure client-data storage.

How can attackers leverage insecure data storage?

Attackers can easily root or jailbreak the mobile device and circumvent the security of mobile apps. Another way they can hack into a mobile application is if they physically attain the mobile device and connect it with a computer with freely available software.

These apps enable the attacker to see all third-party application directories which often contain stored data such as the sensitive information of users or the organization. Then an attacker can modify the legitimate mobile app to steal or delete critical data.

This could lead to several business problems such as:

  • Identity or credential theft
  • Fraud
  • Market reputation damage
  • Poor customer relationships

How to Prevent Insecure Data Storage

It is recommended to not store data in mobile apps unless absolutely necessary. For instance, never store user credentials on the phone’s file system. Prompt the user to authenticate using an API or standard web login scheme whenever they try to access the app.

When caching or storing information is necessary, consider using a standard encryption library such as CryptoKit in iOS. However, for especially sensitive apps, use white-box cryptography solutions that help prevent binary signature leakage which is commonly found in common encryption libraries.

For local storage in an android app, use the enterprise android device administration API to implement encryption of all local file-stores using “setStorageEncryption”. You should securely store encryption/decryption keys; never store in code or in configuration files.

3. Insufficient Transport Layer Protection

Insufficient transport layer protection is one of the OWASP top 10 mobile security vulnerabilities caused by mobile applications that do not protect their network traffic.

Basically, data can be exchanged between the client and the server side. If the mobile application is developed poorly, then attackers may leverage this security vulnerability and be able to view the sensitive data-in-transit.

While many developers integrate SSL/TLS certificates, they often fail to fully verify those certificates or fail to pin those certificates. This can lead to the network traffic being compromised.

How to Prevent Insufficient Transport Layer Protection

Fortunately, insufficient transport layer protection attacks are easy to prevent. Always consider that the network layer could be insecure and vulnerable to eavesdropping.

Employ TLS to transport layers that the mobile app uses to transmit session tokens or any other critical information to the web service or backend API.

Utilize certificates signed by trusted CA providers and pin those certificates that are known and trusted. Implement powerful, industry-standard cipher suites that have appropriate key lengths. Make sure you build a secure connection only after authenticating the endpoint server’s identity using trusted certificates in a keychain.

4. Unintended Data Leakage

When a developer inadvertently puts sensitive data in an insecure location on the mobile device, it could result in unintended data leakage.

Here’s why this OWASP mobile app vulnerability could be dangerous:

The insecure location could be accessible to other mobile apps running on the same device, thus leaving the mobile device vulnerable to attacks.

The code of the mobile app becomes susceptible to serious attacks since threat vectors can easily exploit these data leakage vulnerabilities. An attacker can simply add a small piece of code to access the location where the sensitive data is stored.

What are some common data leakage points?

Below are the most common leakage points that you should monitor:

  • Copy/paste buffer caching
  • Browser cookie objects
  • URL caching
  • Application backgrounding
  • Keyboard press caching
  • Data analytics shared with third-parties

How to Prevent Unintended Data Leakage

To prevent data leakage from caching mechanisms, set appropriate input types such as “password” types. This way, you can automatically block caching and prevent copying the content to the clipboard.

5. Poor Authorization and Authentication

Poor authorization and authentication is another major OWASP mobile app vulnerability.

Here’s how:

Poor or missing authentication schemes allow attackers to bypass authentication protocols and gain access to sensitive data in a mobile app. They do so by anonymously executing functionalities within the backend server or the mobile app.

Many mobile apps use a 4- or 6-digit PIN code for authentication. Performing a check on the client side is insecure as it would require the PIN code to be stored on the mobile device, which increases the risk of it being leaked.

Moreover, there are various mobile apps that do not expect users to be online at all times during their session. Since mobile internet connections aren’t as reliable as traditional web apps, mobile apps that require offline authentication to maintain uptime are more vulnerable to attacks.

Developers should be aware that these authentication methods can create security vulnerabilities in the mobile app. In their offline mode, mobile apps can allow users with fewer privileges to execute actions and gain unauthorized access to sensitive data.

While poor authentication and authorization are commonly prevalent in mobile apps and often go undetected, their technical and business impacts are severe.

How to Prevent Poor Authorization and Authentication

Security testers should perform attacks against the mobile app while it’s in offline mode to detect poor authentication and authorization schemes. They can force the app to bypass offline authentication protocols and try to execute functionalities that require authentication. Having a secure code review performed is also very helpful. Ideally, this should be done frequently throughout the SDLC.

Security testers can also try to execute privileged functionalities that require the authorization of a required level while the mobile app is still in the offline mode. Weak authorization will allow an adversary to successfully execute functionalities they are not authorized to execute.

Additionally, ensure that all authentication requests are performed on the server side. This will ensure that the app data is only loaded after successful authentication.

If client-side data storage is required, make sure the data is encrypted using an encryption key which is securely derived from the user’s login credentials along with a strong randomness source.

6. Broken Cryptography

Data security and cryptography go hand in hand. Insecure usage of cryptography or broken cryptography is one of the most common OWASP mobile vulnerabilities.

Mobile developers often implement encryption and decryption on the device with a hardcoded key in the source code which leaves data security and cryptography vulnerable to attackers that can reverse-engineer the mobile application.

How can attackers do reverse-engineering in mobile apps?

iOS applications are secured from reverse engineering by default using code encryption. The iOS security model requires the mobile application to be encrypted and signed by trustworthy sources to execute in a non-jailbroken environment.

When the app is started, the iOS app loader decrypts the mobile application in memory and executes the code after verifying the signature by iOS. In theory, this prevents an attacker from launching binary attacks against the mobile application.

However, the attacker can use tools such as GBD or ClutchMod to download an encrypted app on a jailbroken device and take a snapshot of the decrypted mobile app once the iOS loader decrypts it onto the memory. This could allow an attacker to exploit the mobile app.

Using custom encryption algorithms instead of modern ones that are accepted as strong by the security community is also a way to mishandle cryptography.

Many cryptographic protocols and algorithms have shown significant weakness or are insufficient in protecting mobile apps today. These include:

  • SHA1
  • RC2
  • MD5
  • MD4

How to Prevent Broken Cryptography

Avoid storing sensitive data on a mobile device unless necessary. Make sure you apply cryptographic standards that will withstand modern attacks. Also, follow the NIST guidelines on recommended cryptography algorithms.

7. Client-Side Injection

Attackers inject malicious code on the client side which is typically provided in the form of input data to the mobile application through various means. This OWASP mobile app vulnerability can be a big threat to your business.

Since the data is malformed, if the mobile application processes it (like any other data) and the underlying framework interprets the malformed data as executable, the code will be executed by the mobile app.

What happens when the code is executed by the mobile application?

The code might execute with privileged permissions with a greater scope of access leading to significant compromise.

Moreover, other forms of client-side injection involve the direct injection of binary code via binary attacks into the mobile application. Such an attack to execute malicious code may lead to even greater potential damage than input data injections.

How to Prevent Client-Side Injection

There are several ways to prevent client-side injection in mobile apps. Here are some best practices for both iOS and Android mobile apps:

iOS

  • Validate all untrusted data.
  • Use trusted encoders to sanitize untrusted input for things like XML injection, XSS, and command injection.
  • Use input validation and sanitization.
  • Make sure the input data supplied by the user is passed through a parameterized query when designing SQLite queries.
  • Ensure that all UIWebViews calls do not execute unless appropriate input validation.

Android

  • Validate all untrusted data.
  • Make sure you use parameterized queries whenever you are accessing the database with input parameters.
  • Verify that the Plugin support and JavaScript are disabled for WebViews.
  • Verify data and actions are validated through an Intent Filter.

8. Security Decisions Via Untrusted Inputs

Mobile developers often use hidden values, files, or other hidden functionalities to distinguish between high-level users from low-level users.

If an attacker can intercept the IPC (Inter-Process Communication) or web service calls and tamper with such sensitive information, they can gain unauthorized access to the mobile app.

Poor implementation of such hidden functionalities could lead to improper behavior of the mobile application and it might also grant unauthorized access and grant higher privilege permissions to an attacker.

This could lead to bypassing the security mechanisms of the mobile application leading to loss of integrity and confidentiality. At the same time, this OWASP mobile app vulnerability could impact your business’ reputation and hamper its ability to build trust among customers.

How to Prevent Untrusted Inputs

Security protocols such as input validation, authorization controls, authentication mechanisms, canonicalization, and output escaping should be carefully examined to ensure best security practices are implemented.

Also, developers should exercise extra caution while accepting and validating URL schemes.

For iOS specifically, avoid using the deprecated handleOpenURL method to manage URL Scheme calls. Rather use a whitelist containing trustworthy applications.

9. Improper Session Handling

Often mobile developers allow non-expiring or long user sessions to make the mobile app user friendly and easier to use. This helps reduce the time to purchase and checkout so that the company can generate more revenue. Moreover, reducing the logging in time reduces the friction for the users.

Mobile applications use OAUTH tokens, SSO services, and cookies for session management. To ensure proper session handling, the mobile application must authenticate the user via the backend and then issue a session cookie to the mobile app.

Improper session handling occurs when an attacker can gain access to a session token during a transaction between the mobile application and the backend servers.

What is the impact of this OWASP mobile app vulnerability?

An attacker who has access to the session tokens can impersonate a legitimate user and carry out sensitive transactions. In severe cases, an attacker might impersonate an administrative user and gain access to higher privileges, which is dangerous.

How to Prevent Improper Session Handling

To enable proper session handling, configure session timeouts in the Login Server connection to a value less than session timeout on the server-side. Do not use poorly generated or easily guessed session tokens. A session token should have high entropy and should be unpredictable.

Also ensure that the mobile app code creates, maintains, and deletes the session tokens properly over the course of a user’s mobile app session.

10. Lack of Binary Protection

Lack of binary protection is another serious OWASP mobile app vulnerability.

It can expose the mobile app’s sensitive data such as intellectual property, credentials, etc. to the attackers. Using reverse engineering, attackers can discover such sensitive information as business logic, passwords, API keys, etc.

An attacker may use automated tools to reverse engineer an app and modify it to perform malicious actions.

If you are hosting the code of the mobile app in an untrustworthy environment, such as an attacker’s phone, there’s a possibility that your app could be exploited by attackers.

How to Prevent Lack of Binary Protection

Sure, lack of binary protection is one of the worst vulnerabilities in the list of OWASP top mobile vulnerabilities. But there is a way to prevent it.

One of the most effective ways to prevent a lack of binary protection is to store sensitive business logic and API keys on the server. Furthermore, don’t store passwords in the mobile app’s binary.

Use commercial obfuscators to make it difficult for an attacker to reverse engineer your code!

Make sure that the mobile apps don’t write sensitive information on the log files since these files can be monitored as well. If you intend to store sensitive data, ensure it is stored in an encrypted file system or database.

The mobile app should also follow secure coding techniques for the following security components:

  • Debugger detection controls
  • Certificate pinning controls
  • Checksum controls
  • Jailbreak detection controls

The mobile application must be able to detect modifications in the code during runtime and should be able to react appropriately to ensure code integrity compliance.

Takeaways

Preventing cyberattacks and maintaining data security in mobile applications is crucial for mobile app developers.

Don’t hesitate to implement the best practices mentioned above to improve your mobile security. Take extra precautions and make sure your mobile app’s data integrity and confidentiality are protected.

Now that you have proper information about the mobile OWASP top 10 mobile app security vulnerabilities and ways to prevent them, you can build a secure mobile application for your users.

To learn more about how you can secure your mobile data, reach out to us at info@cypressdatadefense.com and our security experts will help you build a secure mobile app.

About

Cypress Data Defense was founded in 2013 and is headquartered in Denver, Colorado with offices across the United States. Our goal is to help organizations secure their IT development and operations using a pragmatic, risk-based approach. The diverse background of our founders allows us to apply security controls to governance, networks, and applications across the enterprise.

Latest Posts

How to Integrate Security Into a DevOps Cycle

However, DevOps processes aren't restricted to…

Secure SDLC and Best Practices for Outsourcing

A secure software development life cycle (SDLC…

10 Best Practices for Application Security in the Cloud

According to Gartner, the global cloud market will…

Contact

Cypress Data Defense

PO Box 745224

Arvada, CO 80006


PH: 720.588.8133

FX: 720.388.1016


Email: info@cypressdatadefense.com


Social

© Cypress Data Defense, LLC | 2018 - All Rights Reserved