…or the most common mobile application security issues.

The proliferation of mobile devices, apps (applications), and operating systems has created new opportunities for innovation in the mobile ecosystem, with user convenience top-of-mind. Those opportunities, however, bring new issues that, if not mitigated, increase the mobile attack surface and can lead to the compromise of personal, sensitive, proprietary and classified information on mobile devices.

Mobile apps store and transmit, not just general user information, but also confidential and sensitive information—such as financial and transactional data on a customer-facing mobile banking or payment app—that can be used in identity theft and fraud scenarios.

Mobile security risks are on the rise in 2019: as the number of mobile threats grows, so does the need for more mobile security. According to a Verizon enterprise report, 33% of companies admitted to having suffered a compromise involving a mobile device, and 67% of organizations said they are less confident in their mobile security than in that of their other IT assets.

Potential mobile application security issues are:

1. World-Writable Files

Creating world-writable files is a security issue because it gives every other app on the device write access to those files, leading to potential security gaps.

2. Broken SSL Check / Sensitive Data in Transit

Lack of proper certificate validation can result in sensitive data being intercepted via a man-in-the-middle attack. By contrast, all tested iOS apps performed proper certificate validation or hostname verification.

3. Writable Executables

A writable executable file is not a vulnerability by itself, but in combination with another issue it can lead to additional app vulnerabilities and make the app susceptible to remote code execution.
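An added example (not code from the original article) that audits an extracted app data directory for both file-permission issues above, items 1 and 3: files any other app can write, and executables writable by anyone other than their owner. It assumes a POSIX file system, as on Android/Linux, and the directory it builds is constructed for the demo.

```python
# Added example: scan a directory tree for world-writable files and for
# writable executables. Assumes POSIX mode bits; demo paths are constructed.
import os
import stat
import tempfile
from pathlib import Path

def classify_mode(mode: int) -> list[str]:
    """Return the issue labels that apply to one POSIX mode bit-field."""
    issues = []
    if mode & stat.S_IWOTH:
        issues.append("world-writable")
    is_exec = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    if is_exec and mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append("writable-executable")
    return issues

def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk `root` and map each offending path (relative to root) to its issues."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: a symlink's own mode is meaningless here
            if stat.S_ISLNK(st.st_mode):
                continue
            issues = classify_mode(st.st_mode)
            if issues:
                findings[os.path.relpath(path, root)] = issues
    return findings

def demo() -> dict[str, list[str]]:
    """Build a constructed app directory with one bad file of each kind, plus one good file, and scan it."""
    root = tempfile.mkdtemp(prefix="appdata-")
    Path(root, "prefs.xml").write_text("<map/>")
    os.chmod(os.path.join(root, "prefs.xml"), 0o666)         # world-writable
    Path(root, "lib").mkdir()
    Path(root, "lib", "helper.so").write_bytes(b"\x7fELF")
    os.chmod(os.path.join(root, "lib", "helper.so"), 0o775)  # group-writable executable
    Path(root, "cache.db").write_bytes(b"")
    os.chmod(os.path.join(root, "cache.db"), 0o600)          # owner-only: not reported
    return scan_tree(root)

if __name__ == "__main__":
    for path, issues in sorted(demo().items()):
        print(f"{path}: {', '.join(issues)}")
```

On a real device the same walk is run over the app's private data directory (and any directory it extracts native code into), which is where MODE_WORLD_WRITEABLE-style mistakes show up.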

4. Reverse-engineering

All mobile app code is susceptible to reverse engineering. Code written in languages/frameworks that allow dynamic introspection at runtime (Java, .NET, Objective-C, Swift) is particularly at risk. An attacker may use reverse engineering to achieve any of the following:

  • Reveal information about back end servers;
  • Reveal cryptographic constants and ciphers;
  • Steal intellectual property;
  • Perform attacks against back end systems; or
  • Gain intelligence needed to perform subsequent code modification.

5. Insecure Authorization and Authentication

Inadequate or missing authentication schemes allow an adversary to anonymously execute functionality within the mobile app or backend server used by the mobile app. Threat agents that exploit authorization vulnerabilities typically do so through automated attacks that use available or custom-built tools.

6. Dynamic Code Loading

This mechanism allows the app developer to specify which components of the app should not be loaded by default when the app is started. Typically, core components and their dependencies are loaded natively at startup, whereas dynamically loaded components are loaded only when requested. The risk is that a component loaded at runtime from a location the app does not control (a writable path or a remote download) can be swapped for code the developer never shipped, which is why it belongs on this list.

7. Cookie “HttpOnly”

When a cookie is set with the HttpOnly flag, it instructs the browser that the cookie is to be sent to the server but cannot be read by client-side scripts. This is essential protection for session cookies and helps limit the impact of attacks like XSS (cross-site scripting), because the cookie cannot be accessed from the client side (for example, by an injected JavaScript snippet).
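An added example (not from the original article) showing the check a defender runs against an app backend's Set-Cookie headers, flagging cookies that lack HttpOnly (and Secure, without which the value is still exposed in transit), next to a helper that emits a correctly flagged session cookie. The header lines are constructed for the demo.

```python
# Added example: audit Set-Cookie headers for missing HttpOnly/Secure flags.
# Uses only the standard library; the sample headers are constructed.
from http.cookies import SimpleCookie

# Constructed sample: what a proxy might see from an app's backend.
CONSTRUCTED_HEADERS = [
    "sessionid=abc123; Path=/",                         # readable by script, sent over http
    "theme=dark; Path=/; Secure",                       # harmless, but still script-readable
    "auth_token=t0k3n; Path=/; Secure; HttpOnly",       # correctly flagged
]

def audit_cookie_headers(headers: list[str]) -> dict[str, list[str]]:
    """Map each cookie name to the protective flags it is missing (cookies with none missing are omitted)."""
    findings = {}
    for line in headers:
        jar = SimpleCookie()
        jar.load(line)  # parses one Set-Cookie value into Morsels
        for name, morsel in jar.items():
            # SimpleCookie stores a flag attribute as True when present, "" when absent.
            missing = [flag for flag, key in (("HttpOnly", "httponly"), ("Secure", "secure"))
                       if not morsel[key]]
            if missing:
                findings[name] = missing
    return findings

def session_cookie_header(name: str, value: str) -> str:
    """Emit a Set-Cookie value for a session cookie with both flags set."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["httponly"] = True
    jar[name]["secure"] = True
    jar[name]["path"] = "/"
    return jar[name].OutputString()

if __name__ == "__main__":
    for cookie, missing in audit_cookie_headers(CONSTRUCTED_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
    print("fixed:", session_cookie_header("sessionid", "abc123"))
```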

8. Broken cryptography

Broken cryptography issues arise when an app developer uses encryption in the application but does so weakly. To exploit this weakness, an adversary must return encrypted code or sensitive data to its original unencrypted form, which becomes feasible because of weak encryption algorithms or flaws in the encryption process.

9. Transport Layer Security Traffic with Sensitive Data

80% of tested iOS apps had sensitive values intercepted while their SSL and Transport Layer Security (TLS) communications were proxied, including username, password, GPS coordinates, Wi-Fi MAC (Media Access Control) address, IMEI (International Mobile Equipment Identity), serial number, and phone number. Sending sensitive data without certificate pinning creates higher risk, as an attacker with network privileges, or who has compromised TLS, is better positioned to intercept the data.
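An added example (not from the original article) that puts the "broken SSL check" of item 2 beside the client configuration it should have, adds an audit function that reports those two disabled settings, and shows the certificate-pinning check item 9 calls for. It uses only the Python standard library; the pin set and certificate bytes it is tested with are constructed placeholders, and pinned_connect is the only function that touches the network.

```python
# Added example: broken vs hardened TLS client settings, an audit of those
# settings, and a leaf-certificate pin check. Pins/cert bytes are constructed.
import hashlib
import socket
import ssl

def broken_context() -> ssl.SSLContext:
    """The anti-pattern from item 2: any certificate is accepted for any hostname."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # hostname no longer checked against the cert
    ctx.verify_mode = ssl.CERT_NONE  # chain no longer validated at all
    return ctx

def hardened_context() -> ssl.SSLContext:
    """Chain validation against the platform trust store plus hostname verification."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Settings an app must not ship with; an empty list means the basic check is intact."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate validation disabled")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    return findings

def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER leaf certificate, the form getpeercert(binary_form=True) returns."""
    return hashlib.sha256(der_cert).hexdigest()

def pin_matches(der_cert: bytes, pinned: set[str]) -> bool:
    """Accept the peer only if its leaf certificate is in the pin set."""
    return cert_fingerprint(der_cert) in pinned

def pinned_connect(host: str, port: int, pinned: set[str]) -> ssl.SSLSocket:
    """Normal validation first, then the pin check on top; the caller closes the socket."""
    ctx = hardened_context()
    sock = ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
    if not pin_matches(sock.getpeercert(binary_form=True), pinned):
        sock.close()
        raise ssl.SSLError(f"certificate pin mismatch for {host}")
    return sock

if __name__ == "__main__":
    print("broken:", audit_context(broken_context()))
    print("hardened:", audit_context(hardened_context()))
```

Pinning the whole leaf certificate, as here, means the pin set must be updated every time the server certificate is renewed; pinning the SubjectPublicKeyInfo hash instead survives renewals that keep the key, at the cost of an ASN.1 parser this example leaves out.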

10. Information leakage

In the current Android architecture, apps are restricted from accessing resources or other apps unless the user authorizes it. Users have to grant all resource access requests before installing and using an app. Information leakage occurs when users grant access to resources without any restriction from the OS. The OS permission control mechanism has, however, proven ineffective in protecting user privacy and resources from malicious apps. With more than 1.4 million apps available in Google Play and a significant number of apps from diverse third-party markets, a considerable number of malicious apps have been exposed to users for installation.


11. Privilege escalation

Privilege escalation (permission escalation) attacks exploit publicly available kernel vulnerabilities to gain elevated access to resources that are normally protected from an application or user. This type of attack can result in applications performing unauthorized actions with more privileges than intended, which leaks a great deal of sensitive information.

12. Repackaging Apps

Repackaging is one of the most critical and common security issues on mobile platforms. Repackaging is the process of disassembling/decompiling .apk files using reverse-engineering techniques and adding (injecting) malicious code into the original source code. Repackaging techniques usable on the platform allow malicious code to be disguised as a regular app. It is difficult to distinguish a repackaged malicious app from a legitimate one, because the repackaged app usually appears to function in the same way as the original.

13. Denial of Service (DoS) attack

The increasing number of smartphone users and the prevalence of Internet-connected mobile devices (phones, tablets) make them a platform for the growth of DoS attacks. Since the majority of smartphones are not equipped with the same protections as PCs (e.g., anti-virus programs), malicious apps find them a convenient platform for DoS attacks. Exhausting limited CPU, memory, network bandwidth, and battery power are the main goals of these attacks.

14. Colluding

The colluding threat is a client-side attack. In this attack, users install a set of apps from the same developer, signed with the same certificate, and grant them different permissions, both sensitive and non-sensitive. Once installed, these apps can take advantage of a shared UID and gain access to the union of all their permissions and resources.

15. Improper Session Handling

Improper session handling typically results in the same outcomes as weak authentication. Once a user is authenticated and given a session, that session is what grants access to the mobile application. Mobile app code must protect user sessions just as carefully as its authentication mechanism. Improper session handling lets an adversary impersonate another user and perform business functions on their behalf. This may result in fraud, information theft, or business interruption.

Above, we have reviewed the areas that may pose the greatest threat to a new or updated mobile application. To avoid hacker attacks, data abuse, and other damage from possible omissions, we will show you a developer checklist next time. If you lack the resources to research vulnerabilities and security issues yourself and would rather focus on developing your application, try our testing tool.

Fast-paced development and rapid delivery often leave potential flaws and vulnerabilities in your apps. App-Ray helps you identify and remediate threats and vulnerabilities in the applications your company builds or downloads from third parties.