Cross-Site Request Forgery – All You Need to Know
Mobile app security is a moving target. The need for better functionalities and features along with rapid deployment of software updates often comes at the expense of mobile security.
One of the major concerns for mobile app development is the rising mobile app security risks, particularly to prevent data breaches.
According to a study, over 10,573 malicious mobile apps were blocked per day in 2018.
As technology advances, it has not only become easier to build and deploy apps, but also easy to crack a mobile application’s security as developers are still writing insecure code.
Some attackers might try to crack a mobile app to find out more about the special features and other information about your mobile application. Others might do it to breach backend services.
But how do you avoid such mobile security threats?
Let’s find out.
Top 7 Mobile App Security Risks and Ways to Mitigate Them
Here are the top mobile app security risks and ways to mitigate them:
1. Insecure Communication
In a common mobile app, data is typically exchanged in a client-server fashion. When the application transmits data, it traverses through the internet and the mobile device’s carrier network.
Attackers might exploit mobile security vulnerabilities to intercept sensitive information or user data while it is traversing across the network.
What are the threat agents that exist in insecure communication?
- Malware on your mobile device
- A malicious actor who shares your local network (monitored or compromised wifi)
- Carrier or network devices (proxies, cell towers, routers, etc.)
Mobile developers often use SSl/TLS only during authentication but not elsewhere. This leads to an inconsistent security layer which increases the risk of exposing sensitive data such as credentials, personal information, session IDs, and more to interception by attackers.
Having a SSL/TLS does not imply that the mobile application is entirely secure. You need to implement strong security protocols throughout the mobile application and its network.
How Can You Prevent Insecure Communication?
Only establish a secure connection after authenticating the identity of the endpoint server. While applying SSL/TLS to your mobile application, make sure you implement it on the transport channels that the mobile app will use to transverse sensitive data such as session tokens, credentials, etc.
Use strong, industry standard cipher suites with appropriate key lengths. Apart from this, also consider using certificates signed by a trusted CA provider and refrain from allowing self-signed certificates. You should also consider certificate pinning for sensitive applications.
Remember to account for third-parties like social networks as well by using their TLS versions when a mobile application runs a routine using webkit/browser.
Consider applying an additional layer of encryption to any sensitive data before it is even given to the SSL channel. If security vulnerabilities are found in the SSL implementation, the encryption layer will act as a secondary defense against attacks.
2. Lack of Input Validation
Input validation is the process of assessing input data to ensure that it is properly formed, preventing malformed data that might consist of harmful code or may trigger malfunction in the mobile app.
What is the impact of poor input validation in mobile apps?
Why is it a mobile security threat? Here’s why:
When the mobile application does not validate input properly, it puts the application at risk of exposure to attackers who might be able to inject malicious data input and gain access to sensitive data in the app or breach backend data stores.
Ideally, input validation should occur instantly after the data is received from an external system. This includes data from third-party vendors, partners, regulators, or suppliers, each of which could be compromised to deliver malformed data.
While input validation is not sufficient to be used as a primary defense against preventing mobile app security risks, it is a significant way to filter out malicious data if implemented properly.
How Can You Prevent Weak Input Validation?
You can implement input validation by using programming techniques that facilitate the effective enforcement of data correctness such as:
- Minimum and maximum value range check for dates and numerical parameters along with length check of strings
- Input validation against XML Schema and JSON Scheme
- Minimum and maximum value range check for strings, minimum and maximum length check for dates and numerical parameters.
- Regular expressions for any other structured data covering the entire input string (^…$) and avoiding using “any character” wildcard (e.g. as . or \S)
- Array of permitted values for small sets of string parameters (e.g. hours of days)
Alternatively, a more efficient way to prevent attacks caused by poor input validation is to only allow known good rather than only rejecting known bad. This can set up much more stringent controls if done properly.
If the input data is structured like social security numbers, dates, email addresses, zip codes, etc, then the mobile app developer should be able to build and implement a strong input data validation pattern on the basis of regular expressions.
However, if the input data comes in a fixed set of options, such as radio buttons or drop down list, then the input data should match exactly as one of the options available to the user from the mobile application.
3. Insecure Data Storage
Insecure data storage can occur in many different places within your mobile app such as binary data stores, SQL databases, cookies stores, and more. The vulnerability in using an insecure data storage is if you use one, it could be compromised due to issues with jailbroken devices, frameworks, or other attacks.
Attackers can easily circumvent the security protocols of a mobile app if not implemented correctly, such as poor encryption libraries that can be bypassed by jailbreaking or rooting the mobile device.
If an attacker gains access to a database or device, they can modify the legitimate app to extract information to their systems.
What is the impact of insecure data storage?
Are Automated Scans Enough to Detect All Security Problems in an Application?
- Insecure data storage may result in the following:
- Intellectual property (IP) loss
- Identity theft
- Privacy violations
- Reputation damage
Many times, insecure data storage also occurs due to a lack of processes to handle the cache of key presses, images, and data.
How Can You Prevent Insecure Data Storage?
Avoid the “MODE WORLD READABLE” or “MODE WORLD WRITABLE” modes for IPC files as they do not offer the ability to control data format or limit data access to specific applications.
However, if you want to share data with other app processes, consider using a content provider which provides specific read and write permissions to other apps with dynamic permission access on a case-by-case basis.
Also, consider encrypting local files that contain sensitive data using the security library. Further, reduce the number of permissions that your app requests. By limiting access to sensitive data permissions, you can significantly reduce the risk of exploitation of those permissions, making your mobile app much less vulnerable to attackers.
When it comes to iOS, it provides secure storage APIs which enables mobile app developers to use cryptographic hardware available on every iOS device. Developers can also utilize the iOS data security APIs to work with fine grained access control for user data stored in flash memory.
4. Client Code Security
Code security issues are quite common in mobile apps.
Many of these issues can take extensive time to detect using manual code reviews, you can leverage automated, third-party tools to perform fuzzing or static analysis. These tools can identify injection issues, insecure data storage, weak encryption, and other security issues.
However, automated tools are not sufficient on their own, you still need manual review to find security threats where automation fails.
How Can You Prevent Poor Code Quality Issues?
Maintain consistent secure coding practices that do not lead to vulnerable code. When using buffers, make sure you validate that the length of the incoming buffer data does not exceed the length of the target buffer.
Use automation to detect memory leaks and buffer overflows via third-party static analysis tools. Also ensure that you prioritize solving issues like memory leaks and buffer overflows over other code quality issues as they tend to give rise to more mobile security risks and can be easily exploited.
Use a security company that specializes in static analysis to review your code and identify these security threats and vulnerabilities.
5. Insufficient Authentication and Authorization Controls
Missing or poor authentication schemes allow attackers to anonymously execute functionalities within the mobile application or the backend server used by the app.
Authentication requirements in mobile apps can be different from traditional web applications, in the terms that in mobile apps, users are not needed to be online at all times during their session.
It’s possible that mobile apps may have uptime requirements that need offline authentication. This method of offline authenticating a user’s identity can pose security risks that developers should consider while implementing authentication schemes.
Similarly, poor authorization can also impact the security of a mobile app depending on the nature of high-privileges breached to attack a mobile user. For instance, if an attacker is able to execute high-privilege actions, such as those of administrators, it may result in data theft, modification, or complete compromise of backend services.
How Can You Prevent Poor Authentication and Authorization?
There are several ways you can implement proper authentication and authorization for increased mobile security:
- Ensure that authentication requests are performed on the server side. Upon successful authentication, the data should be loaded into the mobile device. This will ensure that data is only loaded after successful authentication.
- If client-side data storage is required, use encryption to protect your data and securely derive from the user’s credentials.
- To implement strong authorization schemes, verify the roles and permissions of authenticated users using only data contained in backend systems.
- Use multi-factor authentication to validate a user’s identity. You can use one-time passwords, security questions, etc.
6. Poor Encryption
Encryption is the process of converting data into an encrypted form that is only readable after it has been translated back using a secret decryption key. If devices and data are not encrypted properly, then attackers can much more readily access the data.
What is the impact of poor encryption?
Simply, poor encryption can lead to data loss and all of the repercussions that follow from that loss of information.
Where do developers screw up encryption?
Many times, developers implement strong encryption, however if the keys are not properly handled, even the best encryption algorithms can fail. For instance, including the keys in insecure databases or files that are easily readable by other users.
This is one of the most common failures we see. Attackers don’t try to break the encryption algorithm, that’s too hard; they go after the keys. Unfortunately, insecure key management is a huge issue.
Another way mobile developers mishandle encryption is by creating and using custom encryption algorithms or protocols. Often these encryption algorithms are not as secure as other modern algorithms available in the security community. Additionally, using weak or insecure encryption algorithms such as RC2, MD5, MD4, and SHA1 can also lead to attacks.
How Can You Prevent Poor Encryption Algorithms?
Make sure you implement modern encryption algorithms that are accepted as strong by the security community. Use the encryption APIs available within your mobile platform.
Consider implementing encryption in layers so that even if the attacker gets the decryption key to decrypt one layer, there’s another two layers of encryption they need to break into. Also, make sure you store encryption keys securely. This is critical.
7. Reverse Engineering
If an attacker can read your code, they can find better ways to attack your application.
Reverse engineering can be used to determine how the app functions on the back end, modify the source code, expose encryption algorithms in place, and more. So the code you developed for your mobile app can be used against you and pose severe security risks.
How Can You Prevent Reverse Engineering?
An effective way of preventing mobile apps from reverse engineering is to limit the capabilities client side and expose more functionality through web services server side. Once functionality is limited to the bare minimum needed, then you obfuscate that code base using commercial obfuscators.
Also, avoid storing API keys in shared resource folders, assets, or anywhere else that’s easily accessible by an outsider. Use either public/private key exchange or NDK to protect your mobile app’s API key.
It is not possible to learn about all of the mobile app security risks that exist. But with the help of the above information about the most common mobile app security risks, you can secure your mobile apps from the biggest security threats.
For more information about mobile app security, you can reach out to us and our security experts can help you build a secure mobile app.
C#/.NET/Core Training in Denver, CO – May 2019