10 Mobile Security Vulnerabilities and How to Address Them

 
 
By Chris Preimesberger  |  Posted 2016-05-18
 
 
 
 
 
 
 
 
 
  • Previous
    2 - 10 Mobile Security Vulnerabilities and How to Address Them
    Next

    10 Mobile Security Vulnerabilities and How to Address Them

    Developers need to be aware of the most prevalent mobile security vulnerabilities and the best ways to handle them.
  • Previous
    2 - Weak Server-Side Controls
    Next

    Weak Server-Side Controls

    API services on the Web are accessible even without the mobile app for which they were created. Hackers can sniff out the wireless network or perform a man-in-the-middle attack to discover the API calls being made in order to modify them and attack the API directly. How to address it: Secure coding and configuration practices must be used on the server side of the mobile application; specifically, the API should securely verify the identity and permission of the caller.
  • Previous
    3 - Insecure Data Storage
    Next

    Insecure Data Storage

    Development teams assume that users or malware will not have access to the file system of the mobile device where sensitive information is stored. How to address it: If possible, do not store any sensitive data on the device or inside the mobile source code, and if the business requirements call for storing sensitive information on the mobile device, then use encryption above and beyond what is offered by the mobile OS.
  • Previous
    4 - Insufficient Transport Layer Protection
    Next

    Insufficient Transport Layer Protection

    It's a common misconception that if you use SSL/TLS in your mobile app, then it is secure. How to address: Use certificate pinning or HTTP public key pinning (HPKP) to prevent man-in-the-middle attacks or two-way authentication to gain non-repudiation and authentication capability of both the server and client. Make sure that all connections to your servers are encrypted (if applicable) using best practice configurations (i.e. currently TLS 1.2). Do not accept user-accepted certificates as authorities, and make sure your SSL certificates are up-to-date and signed by a trusted certificate authority.
  • Previous
    5 - Unintended Data Leakage
    Next

    Unintended Data Leakage

    The focus on protecting data often considers the typical mobile app use cases and attempts to protect data from that point-of-view. The truth is that there are a lot of other ways your data gets viewed, copied, cached, screen captured, backed-up and logged. How to address: Consider that a native mobile operating system often provides ways for users to copy/paste data, take screen captures, create mobile data backups, use custom keyboards and collect analytics with third-party apps. Consider the data and risk presented by these scenarios and determine if it is acceptable in your mobile app. If not, then you must explicitly prevent these capabilities from within the mobile application or through control of the device with a mobile-device management or mobile-application management (MDM or MAM) solution.
  • Previous
    6 - Poor Authentication and Authorization
    Next

    Poor Authentication and Authorization

    Even if a mobile app user authenticated once, his/her credentials could easily be stolen from an insecure wireless network. Never assume that just because a user has been authenticated that he/she is automatically authorized to do anything at any time. How to address: Authenticate and re-authenticate users periodically, and before any sensitive action is performed. Authorize every request every time.
  • Previous
    7 - Broken Cryptography
    Next

    Broken Cryptography

    The mobile app may implement or use an encryption/ decryption algorithm that is weak in nature and can be directly decrypted by the adversary because the implementation architected by the developers is fundamentally flawed or there are poor key management processes. How to address: Ensure that your crypto implementations are reviewed by knowledgeable security professionals.
  • Previous
    8 - Client-Side Injection
    Next

    Client-Side Injection

    A common misconception is that a mobile app cannot be modified by malware (for example, libraries replaced or code injected into the app by malware). How to address: Harden the app to protect against tampering both statically and at runtime. Perform input validation in the app and the APIs, perform integrity checks on sensitive information, and be careful how you use WebViews because they can result in vulnerabilities such as Cross-Site Scripting (XSS).
  • Previous
    9 - Security Decisions via Untrusted Inputs
    Next

    Security Decisions via Untrusted Inputs

    Hidden fields, IPC (inter-process communications) calls and Web service calls cannot be trusted, since all of these can be easily manipulated with the right tool. How to address: Never assume these sources of data can be trusted and properly protect them against tampering and abuse, including implementing authentication, authorization, integrity checks, encryption or other mechanisms.
  • Previous
    10 - Improper Session Handling
    Next

    Improper Session Handling

    Attackers can use session credentials to authenticate to the back-end service and perform actions as a particular user. How to address: Implement a timeout mechanism for the session cookie on both the server and the client. Generally, the recommendation is for one hour or less. Ensure that your server establishes a new session for each user every time authentication is required. Make sure that old sessions are destroyed/invalidated on the server to prevent reuse.
  • Previous
    11 - Lack of Binary Protections
    Next

    Lack of Binary Protections

    Your mobile app can be at risk of being reverse-engineered, analyzed or tampered with. How to address: Protection varies by threat and mobile platform, but you will want to make sure that your application is protected at runtime against analysis, monitoring and code injection, and that the source code is encrypted and obfuscated. Integrity checks can help prevent modification of resources and source code.
 

As businesses increasingly add mobility IT options in order to improve employee productivity and streamline internal processes to ultimately increase profitability, hackers are finding new ways to infiltrate and access sensitive information through these mobile apps. Gartner Research has predicted that by 2017, a full 75 percent of mobile security breaches will be the result of mobile application misconfigurations. That represents a large number of holes, a much higher number than most IT security experts ever anticipated. This is what can result when so many new mobile apps come into the market without being completely vetted for secure coding and configuration. As such, it's important that developers become aware of the most prevalent mobile security vulnerabilities and the best ways to address them on a daily basis. This eWEEK slide show includes industry perspective from Aaron Bryson, chief security architect and product security manager at enterprise mobility services provider Kony.

 
 
 
 
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
Rocket Fuel