Week 4 - Mobile Application Security Flashcards
A Changing Landscape
Mobile applications often overlap with web applications, using similar server-side APIs and smartphone-compatible interfaces.
Increased corporate adoption of mobile apps, particularly for accessing sensitive corporate data.
Examples of corporate data accessed through mobile apps: document storage, travel and expenses, HR information, internal services, and instant messaging.
Reasons for Popularity
Usability and technical factors contribute to mobile apps’ popularity.
Use of HTTP, improvements in screen resolution, touch screen displays, battery life, and processing power.
Improvements in cellular network technologies.
Simplicity of core technologies and languages used in mobile development, like Java.
Security, or Lack Thereof?
Security vulnerabilities in mobile apps and unique mobile-specific attacks.
Attack surfaces and risks related to network communication, data security, and device loss.
Risks from data recovery attempts and potential exposure of sensitive data.
Common Areas of Vulnerability
Hard-coded passwords/keys (23%): Sensitive information embedded in the app.
Client-side injection (40%): Handling untrusted data in an unsafe manner.
Insecure transmission of data (57%): Lack of proper encryption in data transmission.
Insecure data storage (63%): Storing data on the device in plaintext or easily reversible formats.
Leakage of sensitive data (69%): Unintentional data leakage through various channels.
Lack of binary protections (92%): Failing to protect the application’s binary code from analysis and reverse-engineering.
Factors Aggravating Vulnerabilities
Underdeveloped Security Awareness: Developers often don’t fully understand mobile security.
Ever-Changing Attack Surfaces: The field of mobile security continually evolves.
Economic and Time Constraints: Limited resources and time make security challenging.
Custom Development: Reused components may introduce vulnerabilities into projects.
OWASP Mobile Top Ten Risks
Weak Server-Side Controls: The most critical issue, but it occurs on the server side rather than in the mobile app itself.
Insecure Data Storage: Storing data in plaintext or reversible formats.
Insufficient Transport Layer Protection: Network traffic not properly protected.
Unintended Data Leakage: Sensitive data exposed in unintended ways.
Poor Authorization and Authentication: Authentication flaws in the app or on the server side.
Broken Cryptography: Weaknesses in encryption implementation.
Client-Side Injection: Accepting input from untrusted sources.
Security Decisions Via Untrusted Inputs: Security decisions made based on untrusted input.
Improper Session Handling: Vulnerabilities exposing session tokens.
Lack of Binary Protections: Failing to protect the application’s binary code.
Mobile App Security Future
Expect classic vulnerabilities like insecure data storage and insufficient transport security to continue.
Anticipate new attack categories with advances in mobile technologies, such as mobile payment processing and fingerprint sensors.
Trends show an increase in banking malware and premium-rate SMS fraud.
Developers are increasingly using binary protections to defend against these threats.
Adoption of these protections and technologies like two-factor authentication is likely to increase.
Classic attacks are not diminishing, but raising awareness through documentation and classification can help mitigate vulnerabilities.