Top Ten Mobile Application vulnerabilities are

  • Insecure Data Storage
  • Weak Server Side Control
  • Insufficient Transport Layer protection
  • Client Side Injection
  • Poor Authorization and Authentication
  • Improper Session Handling
  • Security Decisions via untrusted Inputs
  • Side Channel Leakage
  • Broken Cryptography
  • Sensitive Information Disclosure


Insecure Data Storage:

It occurs

  • when the developer assume that users wont access the file system and he will store the files in the external storage like sdcard, app memory. But, malicious users do rooting to the mobile and access the file from file system.
  • Saving the file permissions with the world_readable, world_writable.
  • Saving files in cache storage.


Impact:

  • confidentiality of data loss.
  • User credentials such as username, password disclosed.
  • Personal information.
  • Credit card info
  • cookies
  • application data
  • store application logs
  • transaction history.


We often see this information in

  • Sqlite databases
  • user log files
  • xml storage
  • cookie storage
  • sdcard, appmemory


Mitigation:

  • Never use file permissions with world_readable, world_writable.
  • Never store sensitive information on external storage.
  • If u wants store the information use strong key management.
  • Never store cache for long period of time.


Weak Server Side Control:

It applies to the backend services.

It occurs

1. Due to insecure backend API’s and platforms.


Impact:

 

  • Confidentiality of data lost.
  • Integrity of data not trusted.


Mitigation:

  • Always validate input
  • Don’t trust the client
  • Harden mobile app servers & services
  • Beware information disclosure
  • Understand host & network controls
  • Perform integrity checking regularly


Insufficient Transport Layer Protection:

It occurs, when the developer uses

  • Complete lack of encryption for transmitted data
  • Weakly encrypted data in transit
  • Strong encryption, but ignoring security warnings
  • Ignoring certificate validation errors
  • Falling back to plain text after failures


How impact it is:

  • Man-in-the middle attacks
  • Tampering data in transit
  • Confidentiality of data lost


Mitigation:

  • Ensure that all sensitive data leaving the device is encrypted
  • This includes data over carrier networks, WiFi, and even NFC
  • When security exceptions are thrown, DO NOT ignores them.


Client Side Injection:

it is most common attack.
It occurs

  • When the developer use raw queries, javascript enable and web views in the code.
  • An attacker sends the sql queries to the application and he will login to the application.
  • Cross-site Scripting(xss) cannot do in mobile native applications. It is possible in hybrid application.

Native apps: which are not interacting with internet.

Hybrid apps: which are interacting with internet.


How impact it is:

  • without credentials also user can login in to the application.
  • Imagine, if it is bank application how bad is it.


We often see this injection:


username field


Mitigation:

use prepared statements instead of raw queries.


Poor Authorization and Authentication:

it occurs
when the developer use the deviceid as the authentication to the application.
Many mobile applications are using this as authentication. An intruder can spoof the device id to access application.

Some other applications don’t validate the user credentials
if u keeps on pressing the login button it validate the user and login to that application.


How impact it is:

unauthorization access can do anything he want.

We often see this in the

code if they are using deviceid as authentication.
Buttons


Mitigation:

  • Don’t validate the user credentials in the client side. Always it has to be done in the server side.
  • Never use device id as the authentication.


Improper Session Handling:

It occurs, when using

  • Apps maintain sessions via HTTP cookies, OAuth tokens and SSO authentication services
  • using a device identifier as a session token


How Impact it is:

  • Privilege escalation
  • Unauthorized access


Mitigation:

  • Make users re-authenticate every so often
  • Ensure that tokens can be revoked quickly in the event of a lost/stolen device
  • Utilize high entropy, tested token generation resources


Security Decisions via untrusted inputs:

it occurs

  • When the developer bypasses the permissions. It means the application won’t ask permissions to access the user personal info.
  • Intent spoofing also comes into this one.

    Intents are two types’

    1.Implicit intents

    2.Explicit Intents

    Explicit intents always safe.

    Implicit intents can be spoof.


How impact it is:

  • user personal info access by the application.
  • No privacy.


Mitigation:

  • always ask for the user permission while installing.

Side Channel Leakage:

it occurs

  • wrote code such a way that application interacting with another application.
  • When the data leakage to the logging of sensitive information.
  • Sensitive info in cache.


How impact it is:

no privacy for user data.


Mitigation:

  • before releasing the application, ensure that never log credentials.
  • Don’t interact with another application.

Broken Cryptography:

it occurs

  • Uses the weak cryptography for storing the user credentials.


How impact it is:

an attacker can easily decrypt the message.


Mitigation:

Dont use the weak cryptography.

Sensitive Information Disclosure:

it occurs

  • When the developer uses the sensitive logic.
  • Secret keys

 

how impact it is:

application can easily reverse engineering and attacker can view the source code.


Mitigation:

  • secret keys should not be implement on client side. should be implement on server side.
  • Never use the hard code in the application.