As mobile applications continue to grow as an attack vector, organizations will need to prioritize mobile app security to fortify their overall security posture. Both static attacks based on the source code itself and dynamic attacks that exploit app functionality are constantly evolving. That’s why understanding and remediating the most common mobile app vulnerabilities is crucial for mobile development teams.
An important resource for identifying security vulnerabilities and implementing mobile security best-practices is the Open Web Application Security Project (OWASP). While OWASP is best known for publishing insights into security vulnerabilities within web applications, the foundation also has a mobile security project focused on the mobile app industry.
OWASP has published research into the top mobile security threats and best-practices for defending against them. Here’s a brief overview of their most recent top 10 mobile risks list, as well as an in-depth resource for how app developers can navigate them.
Improper platform usage occurs when developers fail to use certain system features correctly or at all, whether it’s on an Android, iOS, or Windows operating system. This can include a failure to use well-documented security guidelines or misuse of certain platform APIs.
Insecure data storage is a common issue that leads to data leakage. If developers fail to encrypt or securely store data, malicious actors could access sensitive personally identifiable information. This usually occurs when developers incorrectly assume users or malware cannot access certain device or system files.
Insecure communication occurs when transmissions over the public Internet or mobile carrier network expose sensitive data to attack. Most mobile apps leverage backend systems for data storage and resource-intensive functionality, but this creates an attack vector that may allow hackers to eavesdrop or intercept unsecured communications.
Insecure authentication allows hackers to fake or bypass identity management systems to access private data and sensitive app functionality. If app developers cannot properly verify the identity of users, they also cannot trace back any exploits to certain user accounts. Along with strong authentication during login, developers need to ensure that they’re continuously authenticating users throughout the entire session.
Insufficient cryptography means that developers have failed to implement security best-practices when using encryption. For example, hackers can exploit a weak encryption algorithm or poor encryption process to decrypt sensitive data. This includes not only private keys and passwords, but also the application code itself.
Insecure authorization occurs when hackers are able to bypass permission controls to access sensitive functionality reserved for administrators or other higher-level users. Oftentimes, malicious actors are able to authenticate as a legitimate user and then exploit the authorization scheme to execute privileged app functionality.
Client code quality issues arise when third-parties can pass untrusted code as inputs that the app will execute. While this isn’t always a security vulnerability, hackers can exploit code quality issues to execute malicious code as well. Static analysis tools can often detect these poor coding practices such as buffer overflows, memory leaks, and more.
Code tampering means that malicious actors have modified the source code, changed resources within the application package, or redirected API calls to change the app’s behavior. Attackers may use code tampering to inject malware into repackaged apps and release them in mobile app stores. That’s why it’s crucial that applications attempt to detect tampering during runtime.
Reverse engineering is a method attackers use to understand how an app works to formulate exploits. They’ll often use automated tools to decrypt the application binary and recreate the source code. The best way to prevent reverse engineering is through code obfuscation, which makes it difficult for humans and software to understand the inner workings of an app.
Extraneous functionality is any feature or code that isn’t directly exposed to users. For example, many developers leave additional code related to staging environments or unofficial API endpoints for testing that could inadvertently expose backend systems. Attackers can examine logs, configuration files, and application binaries to discover this hidden functionality that may be exploitable.
While this mobile security risk list may seem overwhelming, the majority of these issues can be defended against using runtime application self-protection (RASP), code hardening, and secure coding best-practices. In our latest report, we analyzed how these common mobile security issues mapped directly to security techniques. Key takeaways include: