App security: great power comes with great responsibility
App security: when it becomes so important?
Services access using newest ways of communication, internet network in particular, changes the everyday lives of both consumers and entrepreneurs. To remain competitive, it is no longer enough to offer a good service or product, but you must also provide easy access to it for potential users. Even a loyal customer can move to the competition when it offers a more attractive service model. These modern communication channels, apart from the obvious chance, also carry threats unknown in previous decades. In this article we will discuss just one of the categories of the above threats in the context of mobile applications.
Server shutdown. Full penetration of the system by personal data thieves. Using the gap to withdraw funds. Finding yourself on the list of entities whose programs are not secure, which is why they are not recommended for use by consumers. These are just some of the many threats directly threatening the investor and indirectly – users.
OWASP to rule them all
The OWASP organization deals, among others, with the topic of mobile application security. The accounts of the OWASP Mobile Security project distinguished 10 main channels of violation of the integrity of programs of this type, which can lead to data exposure that should remain confidential or other forms of security risk.
10. No binary security
In a situation where the program has no binary security (and therefore defensive mechanisms to make it difficult for the attacker to read the source code), the system is exposed to a reverse engineering process, which, potentially, will provide it with all information about the system, including hints on how to communicate with the server and enforce specific actions on it (e.g. withdrawing money into a specific account).
9. Incorrect session handling
Incorrect session handling leads to a situation where the attacker is able to use user credentials and impersonate him. In this way he can make further abuses or use the account unauthorized.
8. Making decisions important for the system based on untrusted input data
An example of a situation where important decisions are made on the basis of untrusted data is a situation where we allow the risk of the user authorization data being taken over by another program installed on the device. Such a program can use the above. authorization data for illegal operations on the user’s account.
7. The ability to launch an injection attack on the application side
Injection attacks are potentially very dangerous. They consist (among others) in transferring the application of a specific sub-program for launch and execution. Such a program can basically anything, it is limited only by the patience and experience of the attacker. Data leakage, server attack, unauthorized withdrawals, account deletion, forwarding of correspondence to a specific address? Or maybe everything?
6. Improper operation and use of cryptography
The use of cryptography as one of the forms of securing information systems is highly desirable behavior. Unfortunately, as in many other situations, in this case, improperly used safeguards are useless. Despite the seemingly correct implementation, the attacker is able to access readable text entries. The result may be a situation when instead of slightly difficult access (through the use of standard forms of obfuscation of the code), the attacker has its task facilitated (due to non-working cryptography, and thus, increased data exposure)
5. Insufficient authorization and authentication mechanism
The user authorization mechanism, i.e. a set of measures aimed at ensuring that only an authorized user uses his account in the manner provided by programmers is an important element of program security. Incorrect implementation may lead to unauthorized use of the account by unauthorized persons, or use by an authorized person in a manner not foreseen by the owner of the application. Such actions may even lead to server damage or exposing the owner of the application to unforeseen costs (e.g. additional fee for using Google services or Amazon Web Service)
4. Unintentional data leakage
An unintentional data leak is a situation when due to incorrect design of the program originally unauthorized persons receive legal access to specific data. In extreme situations, this way you can share our user’s login details with other applications. This situation, unfortunately, happens much more often than would be expected. According to researchers, this is due to the unreflective use of tools contrary to their original purpose – e.g. temporary data storage (which is not secured in any way) to store the user’s password.
3. Insufficient communication protection
The transport layer, or communication layer, is a part of the operating system and program responsible for network traffic (and thus the exchange of data with other devices, including the server). Its exposure occurs when the data transmitted to a specific (correct) recipient is readable by bystanders, such as listening programs.
In this way, the attacker can obtain key information about system access and use it for Man in the Middle attacks. A way to avoid this very serious threat is to cover the transmitted data with appropriate encryption and skilful use of TLS authorization certificates, with particular emphasis on the technique known as Certificate Pinning, which makes only a specific recipient can read the data contained in the transmitted packet.
2. Unsecured data warehouse
This is a very serious problem encountered when confidential data used by the mobile application is stored in plain text (or other easily readable) in an unsecured place. Potential consequences include identity theft, fraud or scandal leading to loss of reputation. Access to the aforementioned warehouse is possible through physical access to the device (e.g. a stolen telephone), but also by using malware.
1. Poor server-side control
The last and most serious category of mobile application security breaches: poor server-side control. It contains extremely severe, serious server-side implementation errors that can have significant business implications. This applies to any security vulnerabilities that occur in web services, web server configurations, and traditional Internet applications. Classification as the biggest threat to mobile applications on the server side shows how important holistic approach is to ensure that each component is properly secured, according to the principle that the system is as strong as its weakest link.
Why so?
The last decade has brought about an extraordinary spread of modern smartphones, which in fact introduced the telecommunications revolution into the next phase. At that time, programs launched on mobile devices went from simple data displays to service centers for complex systems.
Many aspects of economic, technical and human nature had consequences in the form of a relatively low level of security for a standard mobile application, with exposure of users and the entire system to which this application gives access.
Knowledge of potential problems is the first step towards their elimination, and thus leading to a state in which the company, its data and reputation are safe. I don’t think anyone wants to have their own Cambridge Analitica?
Do you need a secure application? Contact us.
