There are enough cybersecurity threats around at the moment to have IT professionals cowering and gibbering in fear. Often, while practitioners take pains to secure mobile devices, the apps that run on them could still be left vulnerable. CBR has collected a list of five weaknesses you should look out for.
1. Side channel data leakage
While there’s an abundance of very nasty software out there, benign applications could unwittingly be sending your data to all sorts of third parties. These applications are constantly processing sensitive information taken as an input from the user or from other sources.
Side-channel leakage refers to leakage of data that the application developer doesn’t realise is being cached, logged or stored. This information is sometimes stored in a location on the device that is easily accessible by other apps, possibly malicious.
2. Unsafe data transmission
Far more terrifying than a BCG jab, injection flaws can occur when an application sends untrusted data to an interpreter. The attacker sends a text-based attack and, by exploiting the syntax of the interpreter, can inject malicious code into the application.
HTML5-based applications are particularly vulnerable to this kind of attack. These flaws are relatively easy to spot in the source code but show up less frequently in testing.
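As an added example (not from the CBR piece), the output-encoding defence for the HTML5 injection case above: the untrusted string is escaped for the context it lands in, and link targets are restricted to safe schemes, so the HTML interpreter never sees attacker-controlled markup. The function names and the sample profile record are assumptions made for this illustration.

```javascript
// Added example: context-aware output encoding for an HTML5/WebView app.
// Untrusted input (a user's display name and a profile link, constructed
// sample values) is rendered into HTML without ever reaching the parser as markup.

// Escape the five characters that change meaning in HTML text and attribute
// context. Double-quoting attributes below means this one table is enough.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Only allow http(s) links; anything else (javascript:, data:, vbscript:) is
// replaced with a harmless fragment so it cannot execute when clicked.
function safeHref(url) {
  const trimmed = String(url).trim();
  return /^https?:\/\//i.test(trimmed) ? escapeHtml(trimmed) : '#';
}

// Vulnerable pattern the article warns about: untrusted strings concatenated
// straight into markup the WebView will interpret.
function renderCardUnsafe(user) {
  return `<a href="${user.link}">${user.name}</a>`;
}

// Hardened version: every untrusted value is encoded for the context it lands in.
function renderCardSafe(user) {
  return `<a href="${safeHref(user.link)}">${escapeHtml(user.name)}</a>`;
}

// Constructed sample input mimicking a hostile profile record.
const hostileUser = {
  name: '<img src=x onerror="alert(1)">',
  link: 'javascript:alert(1)',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderCardUnsafe(hostileUser));
  console.log('safe:  ', renderCardSafe(hostileUser));
}
```

The unsafe renderer is exactly the pattern a source-code review catches quickly (string concatenation into markup), which is why the article notes these flaws are easier to spot in code than in testing.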
3. Insufficient transport layer protection
Mobile applications often do not protect their network traffic. Data is usually exchanged in a client-server fashion, so when data is transmitted it must traverse the carrier network or the internet.
This traffic is exposed to malware on the device, as well as to third parties operating on these networks, who can often view the data. This flaw can be detected by observing the network traffic of the phone.
4. Improper session handling
Due to the high premium placed on convenience in applications, developers try to keep log-in processes to a minimum. When you log into a secure server through an app, the server issues a session cookie which is used by the app in future transactions between the two parties.
Vulnerabilities can arise if the cookie is shared with threat agents, and can lead to attackers effectively impersonating the user.
5. Weak authentication or authorisation
Mobile apps often use weaker authentication processes than web applications, again due to the desire for convenience and the prioritisation of user experience. If the process for authenticating users on an application is too weak, adversaries can work out how it operates.
These malicious agents can then bypass the application completely and submit service requests to the app’s backend server, allowing them to anonymously execute functionality that affects normal app users.