Why Are Mobile Apps So Insecure?

Mobile security is at the top of many companies’ concerns these days – and it is not hard to see why:

Everyone uses mobile apps. So do your employees. Unfortunately, way too many apps have vulnerabilities and flaws that can potentially put data on the phone at risk (as well as the server-side applications and data).

A report by Ponemon found the average cost of a data breach is $3.86 million. This can be an expensive hit to organizations of all sizes (larger organizations frequently have exposures greater than this).

So what are mobile apps most commonly vulnerable to?

Top 9 Vulnerabilities Of Mobile Apps

Here are the top 9 most common vulnerabilities of mobile apps that you should be aware of:

1. Insecure Server-Side Controls

All mobile apps interact with online/remote services. One of the most common mistakes developers make is to trust their own application data. They think that calls to the back end services from the phone are safe and trusted. This is not true.

Attackers have complete access to their own mobile devices and application data. Protecting the mobile app therefore matters a great deal, and API integration widens this exposure further; an API security testing tool such as Appknox’s can help reduce the chance of an app being compromised.

What does that mean?

That attackers can input malicious data into the mobile application and potentially gain access to backend API services or sensitive controls of the mobile app.

What leads to insecure server-side controls?

There are several root causes including:

  • Insufficient security budget
  • Rush to market
  • Lack of security knowledge
  • Prioritizing easy access to frameworks instead of security
  • Assuming that the mobile OS is completely responsible for maintaining security

To protect your mobile app from attacks due to insecure server-side controls, never trust inputs to a backend API service, even if they come from your application.

Why?

Attackers can easily communicate with the backend and craft malicious data. All data and requests coming from the mobile device should be treated as untrusted, must be validated, and must be sanitized.

2. Insecure Data Storage

Often, developers assume that malware or users will not have access to the sensitive data stored on the client side or on a mobile device’s file system.

However, file systems on mobile devices cannot always be trusted. Methods such as jailbreaking or rooting the mobile device can circumvent encryption protections. Also, depending on how data is stored and how that storage is configured, it may be exposed.

Many attacks may originate as a result of insecure data storage, including identity theft, unavailability of data, policy violation (e.g., PCI), loss of data, and in some cases, ransomware attacks.

Valuable data stored on a mobile application can include usernames, passwords, authentication tokens, session IDs, cookies, personal information of the user, debug information, cached data, etc.

To protect your app, avoid storing sensitive data on the phone.

Further, if client-side data storage is required, ensure the data is encrypted using an encryption key that is securely derived from the user’s login credentials. This helps ensure that data stored can only be accessed upon successfully entering the correct credentials.

3. Insufficient Transport Layer Protection

Typically, when a mobile app is created, the app communicates with a server-side application. For example, a bank mobile application will communicate with an application at the bank that processes transactions, receives check images, etc. When this data is exchanged, it will go over a network.

Is it secure?

If the mobile app is designed poorly, attackers could use techniques to view sensitive data while it traverses the network. This sensitive data could be passwords, social security numbers, credit card details, and more.

Communication from the app to the server-side app MUST be over TLS (Transport Layer Security). Additionally, the app should pin the certificate to ensure that no one is attempting to intercept and “man-in-the-middle” your communications to the server.

Basically, pinning ensures the mobile app is talking to the correct server application. Additionally, your server applications must be configured to only use the strongest encryption algorithms, protocols, key lengths, and modes of encryption.

4. Poor Authentication And Authorization

Authentication and authorization are two primary security controls that help organizations protect their data and systems.

Weak authentication and authorization can allow an attacker to execute functions within the mobile app that cause data leakage, security breaches, or other severe cyberattacks.

Most mobile apps utilize a single mobile identifier, so that once a mobile device has been registered and authenticated with the back end, the application assumes it doesn’t have to re-authenticate as it is already a trusted device.

However, these identifiers can sometimes be discovered and used by an attacker to act in the name of the victim whose identifier has been exposed.

How can you prevent attacks due to poor authentication and authorization?

You need to find these issues before the attacker does. Utilize security experts to make sure you have strong authentication and authorization controls. This should be done for standard user privileges and is even more important for privileged users (admins).

You should also implement two-factor or multifactor authentication (2FA/MFA), wherein mobile users have to authenticate themselves with two or more of the following factors: something you know (passwords), something you have (security tokens), and something you are (biometrics).

5. Unintended Data Leakage

Mobile apps often lead to unintended data leakage. Attackers leverage mobile apps with weak security controls or security vulnerabilities to gain access to users’ sensitive data such as their personal details, credit card information, social security numbers, passwords, etc.

A common example of unintended data leakage in mobile apps is when users grant access and broad permissions to “riskware” apps to access their data.

Riskware apps are legitimate apps that were not designed for malicious activities, but if exploited by attackers – to modify, edit, delete, copy, or distribute data – can disrupt the performance of the application.

Other than riskware apps, attackers could also mimic legitimate apps and once a user downloads the app, they can prompt the user for permission to access their data.

How can you avoid unintended data leakage?

Threat model your OS, frameworks, and platforms to see how they handle the following types of features:

  • Keyboard Press Caching
  • URL Caching
  • Application Backgrounding
  • Analytics sent to third-parties
  • Copy/Paste Buffer Caching

Monitor your default configuration and apply necessary mitigation controls to avoid unintended data leakage.

6. Client-Side Injection

Client-side injection is when data is inserted into the mobile app that leads to multiple types of injection attacks such as SQL injection, XML injection, JavaScript injection, command injection, etc.

Like regular data, malicious data is also processed by the mobile app’s underlying framework. Then, if the framework interprets the data as executable, the malicious code is executed. These inputs are frequently at the API layer communicating with the server-side application.

Typically, this malicious code steals sensitive data such as session cookies, passwords, personally identifiable information, etc. Hence, a client-side injection attack could lead to identity theft, fraud, and privacy violations.

How can you prevent client-side injections?

When designing queries for SQL, make sure that data supplied by the user is passed to a parameterized query. Vulnerable code can often be spotted by a string-format specifier such as “%@” being used to build the query instead of a proper parameterized-query placeholder such as “?”.

To prevent XSS injection attacks, ensure that all UIWebView calls only execute validated input data, filter malicious characters, and use a whitelisting process rather than blacklisting before rendering.

In short, validate and encode all untrusted data prior to use.

7. Broken Cryptography

Broken cryptography takes place when developers use weak encryption algorithms or fail to implement strong encryption correctly.

In the first case, developers use insecure algorithms, which have shown significant security weaknesses or are not effective for modern security requirements. These include:

  • MD4
  • MD5
  • RC2

Alternatively, developers may use the same encryption key for all purposes, fail to store encryption keys securely, use insecure key lengths, re-use initialization vectors, etc.

There are many ways that cryptography can be broken. Have a security expert review your code to make sure that you are using encryption safely.

8. Security Decisions via Untrusted Inputs

Often, developers use hidden values and fields or hidden functionalities to differentiate between high-level users and low-level users. Hackers may intercept web service calls and tamper with these sensitive functionalities.

Poor or weak implementation of such hidden fields or functionalities can lead to improper app behavior, granting higher-level privileges to lower-level users or attackers. Attackers can bypass security mechanisms and gain access to users’ personal information and other confidential data on the application.
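To make the point of sections 1 and 8 concrete, here is an added Node.js example (not from the original article) that contrasts a handler trusting a client-supplied hidden isAdmin field with one that derives the caller’s role from a server-side store and validates the target it is asked to act on. The users, sessions and request shape are constructed stand-ins for a real back end.

```javascript
// Added example: privilege decisions come from the server's own records, never
// from hidden fields or flags the client sends. All data here is constructed.
const users = new Map([          // constructed server-side user store
  ['alice', { role: 'admin' }],
  ['bob', { role: 'user' }],
]);
const sessions = new Map([       // constructed: bearer token -> authenticated username
  ['tok-alice', 'alice'],
  ['tok-bob', 'bob'],
]);

// Vulnerable pattern: the client tells the server whether it is an admin.
// Any user who edits the request body gets through.
function deleteAccountInsecure(req) {
  if (req.body.isAdmin === 'true') return { status: 200, deleted: req.body.target };
  return { status: 403 };
}

// Hardened pattern: authenticate the caller, look up the role server-side, and
// treat every field of the request as untrusted input that must be validated.
function deleteAccountSecure(req) {
  const caller = sessions.get(req.headers.authorization);
  if (!caller) return { status: 401 };
  if (users.get(caller).role !== 'admin') return { status: 403 };
  const target = typeof req.body.target === 'string' ? req.body.target : '';
  if (!/^[a-z0-9_]{1,32}$/.test(target) || !users.has(target)) return { status: 400 };
  if (target === caller) return { status: 400 }; // refuse self-deletion
  return { status: 200, deleted: target };
}

// Constructed request: bob, a normal user, has set the hidden isAdmin field himself.
const tamperedByBob = {
  headers: { authorization: 'tok-bob' },
  body: { isAdmin: 'true', target: 'alice' },
};
console.log(deleteAccountInsecure(tamperedByBob).status); // 200: the hidden field was trusted
console.log(deleteAccountSecure(tamperedByBob).status);   // 403: the role came from the server
```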

9. Improper Session Handling

To ensure a smoother workflow and ease-of-access for mobile device users, almost all apps use tokens, which enable users to perform multiple actions without re-authenticating their identity.

Secure apps generate new tokens with each session or access attempt and keep them confidential.

What is the impact of improper session handling?

Improper session handling can result in an adversary gaining access to the session tokens and impersonating the user by submitting the token to the backend server for transactions.

Often this occurs when the user has navigated away from the website or the app. Improper session handling could result in information theft, identity theft, fraud, or business interruption.

To protect your users and app from improper session handling attacks, ensure that you create, maintain, and destroy session tokens properly during the lifecycle of a user’s session.

Final Thoughts

Just like web application security, mobile app security is also crucial for businesses. The times when one could overlook the importance of mobile app security are far gone. In today’s highly interconnected world, attackers are constantly looking for ways to attack users and companies by exploiting vulnerabilities. Now that you know the top 9 threats to mobile apps, ensure that you develop a secure mobile application.

Aaron Cure
Aaron Cure is the Principal Security Consultant at Cypress Data Defense and an instructor and contributing author for the Dev544 Secure Coding in .NET course. After 10 years in the U.S. Army, I decided to switch my focus to developing security tools and performing secure code reviews, penetration testing, static source code analysis, and security research.