The emergence of cloud-based software and the proliferation of mobile devices have brought flexibility to the workplace. They have helped millions stay connected when working from home or remotely, and they have put desktop-like functionality in the hands of 3.5 billion people worldwide.
With that much mobile interaction it is not surprising that threat actors make mobile users a target. From mobile banking fraud to personal data theft and apps shipped with security holes, bad actors keep finding vulnerabilities to exploit: 40% of organizations report having had a mobile security compromise.
Today we want to discuss an incredibly influential organization in this space, OWASP (the Open Web Application Security Project). OWASP publishes the OWASP Mobile Top 10, which for many teams is the familiar baseline for building secure mobile applications. For those unfamiliar, here is a snapshot of that list of the most prevalent security risks in mobile applications, in OWASP's own order (the 2016 edition of the list, M1 through M10).
Top Mobile Security Risk Factors
1. Improper Platform Usage. This category covers misusing a platform feature or not using the security controls the platform provides: an Android component exported without a permission check, a Keychain item stored under a too-permissive accessibility class, Touch ID used as a UI gate while the secret it guards sits in plain storage. Exposed API calls can be replayed to harvest information, and attackers take over app data by exploiting these missing controls far more often than by breaking the OS itself.
2. Insecure Data Storage. A lost or stolen device, or malware already running on it, gives a threat actor direct access to whatever the app wrote to disk. Rooting or jailbreaking strips the sandboxing that keeps other processes out of an app's files, so anything stored in plaintext (SQLite databases, preference files, logs, caches, screenshots) can be pulled off the device with readily available forensic tools; OS disk encryption does not help, because it is transparent once the device is unlocked. The consequences range from identity theft, privacy violations and fraud to reputational damage, compliance violations and material loss.
3. Insecure Communication. Weak TLS configuration (trust managers that accept any certificate, hostname verification disabled, deprecated SSL/TLS versions allowed) and failure to pin certificates open the door to man-in-the-middle attacks. An attacker who sits in the middle of the connection can intercept or "sniff" everything that crosses it: browsing history, login credentials, session tokens, pictures and more. The positions to do that from are a shared Wi-Fi network, a compromised router, a rogue base station or the carrier network, or a proxy configuration and CA certificate planted by malware on the device. The same position lets the attacker redirect traffic (for example by spoofing DNS answers) to lure victims to a lookalike site, which is where the more convincing phishing attacks come from.
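Certificate pinning is the usual mitigation, and the part developers most often get wrong is what exactly gets pinned. The following is an added example (not code from the original post or from Guardsquare) that computes and checks an SPKI pin in the "sha256/&lt;base64&gt;" form used by OkHttp's CertificatePinner and TrustKit on iOS, using only the Python standard library. Pinning the SubjectPublicKeyInfo rather than the whole certificate survives routine renewals that keep the same key. The DER encoder, `sample_spki` and `fake_cert` are constructed fixtures so the block runs offline; they are not real certificates.

```python
"""Added example: compute and enforce an SPKI pin from a DER-encoded X.509 certificate."""
import base64
import hashlib


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, end_offset)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(seq_body):
    """Split a SEQUENCE body into its child elements (each returned with tag and length)."""
    pos, out = 0, []
    while pos < len(seq_body):
        _, _, end = _read_tlv(seq_body, pos)
        out.append(seq_body[pos:end])
        pos = end
    return out


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of a certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature, issuer,
                                  validity, subject, subjectPublicKeyInfo, ... }"""
    tag, cert_body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs_body, _ = _read_tlv(_children(cert_body)[0], 0)
    fields = _children(tbs_body)
    if fields[0][0] == 0xA0:              # explicit [0] version tag present (v2/v3 certificates)
        fields = fields[1:]
    return fields[5]                      # serial, sigAlg, issuer, validity, subject, SPKI


def spki_pin(cert_der):
    """The pin string a client compares against: base64(SHA-256(SPKI DER))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def pin_matches(cert_der, pins):
    """Accept the presented certificate only if its SPKI pin is in the configured set.
    Insist on a backup pin: a single pin plus a key rotation locks every user out."""
    if len(pins) < 2:
        raise ValueError("configure at least one backup pin")
    return spki_pin(cert_der) in pins


# --- constructed fixtures for running this offline (not real certificates) -------------------
def _der(tag, body):
    """Minimal DER encoder for the fixtures: short- and long-form lengths."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def sample_spki(key_byte=0x01):
    """An RSA-shaped SubjectPublicKeyInfo: rsaEncryption OID + NULL params + dummy BIT STRING."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    key = _der(0x03, b"\x00" + bytes([key_byte]) * 200)   # >127 bytes exercises long-form lengths
    return _der(0x30, alg + key)


def fake_cert(spki, with_version=True):
    """Structurally valid, unsigned certificate skeleton wrapped around the given SPKI."""
    fields = [_der(0xA0, _der(0x02, b"\x02"))] if with_version else []
    fields += [_der(0x02, b"\x01"), _der(0x30, b""), _der(0x30, b""),
               _der(0x30, b""), _der(0x30, b""), spki]
    tbs = _der(0x30, b"".join(fields))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


if __name__ == "__main__":
    print(spki_pin(fake_cert(sample_spki())))
```

For a real certificate the same value comes from `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64`. Decide deliberately whether to pin the leaf, the intermediate or the root (the lower you pin, the stronger the guarantee and the more often you must rotate), and keep the second pin in the set for a key you control but have not yet deployed.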
4. Insecure Authentication. Poorly constructed or missing authentication schemes let attackers log in as other users and masquerade as them. Because the backend exposes the same APIs the app calls, an attacker who skips the mobile UI and talks to the server directly bypasses any check the app performs on the client; authentication (and session expiry) has to be enforced server-side on every request, and offline authentication inside the app should be treated as a convenience, not a security control.
5. Insufficient Cryptography. Weak encryption or flawed implementations (deprecated algorithms such as MD5, SHA-1, DES and RC4, ECB mode, home-grown ciphers, short or predictable keys and, most commonly, keys hardcoded in the binary) give users a false sense of security and hand threat actors an entry point. The code encryption built into the mobile OS is not a substitute: App Store binaries are FairPlay-encrypted, but that layer is stripped in seconds on a jailbroken device, so a hardcoded key is recoverable whatever the platform does. Keys belong in the platform keystore or Secure Enclave, and data the app must keep secret needs additional runtime protection.
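A concrete instance of the "false sense of security" point, as an added example that is not part of the original post or Guardsquare's code: an app stores an unsalted SHA-256 of the user's unlock PIN in its own data directory. The PIN value and the iteration count are assumptions chosen for the example; the attack and the stronger construction (salted PBKDF2-HMAC-SHA256, Python standard library) are the general technique.

```python
"""Added example: why an unsalted fast hash of a short PIN is insufficient cryptography,
and what salted PBKDF2-HMAC-SHA256 does and does not buy."""
import hashlib
import hmac
import secrets

PIN = "4821"            # constructed sample: the 4-digit unlock PIN many apps gate the UI with
ITERATIONS = 200_000    # PBKDF2 work factor; tune to ~100 ms on the slowest supported device


def weak_store(pin):
    """The flawed scheme: unsalted SHA-256 of the PIN, written to app storage."""
    return hashlib.sha256(pin.encode()).hexdigest()


def crack_weak(stored_hex, digits=4):
    """Offline attack once the hash is lifted from a rooted device or a backup:
    the whole keyspace is 10**digits single hashes, so this finishes in milliseconds."""
    for guess in range(10 ** digits):
        candidate = f"{guess:0{digits}d}"
        if hashlib.sha256(candidate.encode()).hexdigest() == stored_hex:
            return candidate
    return None


def strong_store(pin, salt=None):
    """Salted, iterated derivation: each guess now costs ITERATIONS hashes, and
    precomputed tables are useless because the salt is unique per device."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)


def strong_verify(pin, salt, stored):
    """Constant-time comparison so a timing side channel cannot leak matching prefixes."""
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    print("weak hash cracked to:", crack_weak(weak_store(PIN)))
    salt, stored = strong_store(PIN)
    print("strong verify:", strong_verify(PIN, salt, stored), strong_verify("0000", salt, stored))
```

The KDF only buys time: 10^4 PINs times 200,000 iterations is about 2 x 10^9 SHA-256 operations, which a single GPU works through in minutes once the salt and hash are copied off the device. A short secret verified locally therefore has to be bound to hardware (Android Keystore with user authentication, iOS Secure Enclave) or checked by a rate-limiting server; a hash in app storage, however it is derived, is not a security boundary on a rooted device.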
6. Insecure Authorization. Authorization flaws are distinct from authentication flaws: the user really is who they claim, but the backend never checks what that user is allowed to touch. The typical shapes are insecure direct object references (change an account or document ID in a request and read someone else's data) and role checks performed only in the app. Once authenticated, an attacker walks through other users' records, invokes functions meant for administrators and escalates privileges on the backend.
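The two preceding items, insecure authentication and insecure authorization, usually show up together in one endpoint, so here is one added example covering both (not code from the original post or from Guardsquare). A balance endpoint is shown in its client-trusting form, where the app sends a `user_id` field the server believes, and in a hardened form, where identity comes from an HMAC-signed session token verified on the server and object-level ownership is checked before anything is returned. The account data, user names and token format are assumptions constructed for the example.

```python
"""Added example: server-side authentication (HMAC-signed session token) and object-level
authorization for a mobile-banking-style endpoint, beside the client-trusting version."""
import hashlib
import hmac
import json
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)    # lives only on the server; never in the app binary

# Constructed data: accounts and their owners.
ACCOUNTS = {
    "acct-100": {"owner": "alice", "balance": 1200},
    "acct-200": {"owner": "bob", "balance": 80},
}


def issue_token(user, ttl_s=3600):
    """Issued after the server has checked credentials: hex(payload).hex(HMAC-SHA256)."""
    payload = json.dumps({"sub": user, "exp": int(time.time()) + ttl_s}).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + sig


def authenticate(token):
    """Return the user a valid, unexpired token was issued to, else None."""
    try:
        payload_hex, sig = token.split(".")
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):   # forged or tampered payload
        return None
    claims = json.loads(payload)
    return claims["sub"] if claims["exp"] > time.time() else None


def get_balance_insecure(request):
    """Trusts a user_id the app sends along. It looks like a check, but the attacker
    controls user_id, so swapping account_id reads anyone's balance (an IDOR)."""
    acct = ACCOUNTS.get(request["account_id"])
    if acct is None:
        return 404, None
    if request.get("user_id") != acct["owner"]:
        return 403, None
    return 200, acct["balance"]


def get_balance(request):
    """Identity comes only from the verified token; ownership is checked on the server.
    'Not found' and 'not yours' return the same code so accounts cannot be enumerated."""
    user = authenticate(request.get("token", ""))
    if user is None:
        return 401, None
    acct = ACCOUNTS.get(request["account_id"])
    if acct is None or acct["owner"] != user:
        return 404, None
    return 200, acct["balance"]


if __name__ == "__main__":
    print("insecure, mallory claims to be alice:",
          get_balance_insecure({"account_id": "acct-100", "user_id": "alice"}))
    print("hardened, bob's token on alice's account:",
          get_balance({"account_id": "acct-100", "token": issue_token("bob")}))
```

In a real deployment the token would be a standard format (a JWT signed with a server-held key, or an opaque session ID looked up server-side) rather than this hand-rolled encoding, but the two rules it illustrates do not change: never derive identity from anything the client asserts, and check ownership of every object on every request, not once at login.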
7. Client Code Quality. Code quality issues and insecure practices are common in mobile applications and create a large attack surface: buffer overflows, format-string bugs and use-after-free in native code, unsafe JavaScript bridges in WebViews, and input that is never validated. Such bugs are exploited with crafted input to crash the app or to run attacker-controlled code inside the app's process, with the app's permissions and tokens; the same class of bug in the server-side code the app talks to gives direct access to and control over the backend.
8. Code Tampering. Because the binary is in the attacker's hands, it can be modified: malicious clones of the app, hooking with instrumentation frameworks, redirecting ad revenue, bypassing in-app purchases, repackaging and re-signing under a different certificate, dylib or library injection, and repackaged clones pushed to victims through phishing, among other techniques.
9. Reverse Engineering. Almost all mobile app code can be reverse engineered, some more easily than others. Java and Kotlin (Dalvik bytecode), .NET and Objective-C carry rich runtime metadata (class, method and field names) and decompile close to source; Swift binaries are harder but still expose symbol and type metadata. After reverse engineering, analysing the binary is easy, and the sensitive information harvested from it (API keys, endpoints, crypto logic, business rules) is used to stage more sophisticated attacks.
10. Extraneous Functionality. Programmers often leave extraneous functionality or test code in an app: an authenticated backdoor, a debug flag, a staging endpoint, created for a legitimate purpose and meant only for that developer's use. The intention is that the code stays temporary, or at least unknown to outsiders. Left behind and discovered, however, such hidden switches and test paths, invisible from the user interface but plain in the binary, give an informed attacker easy access.
Research and advisory firm Gartner reported a few years ago that 75% of mobile applications fail basic security tests. While things have improved since then, the sheer volume of mobile devices and apps has multiplied the exposure.
With a similar mission of raising awareness and sharing important information about mobile application security we are profoundly appreciative of the work OWASP does. Guardsquare products specialize in resolving numbers 3 (Insecure Communication), 8 (Code Tampering), and 9 (Reverse Engineering). Here’s another blog if you would like to learn more.
Have you applied any of the top 10 to your products? Do you plan to? Let us know below or tag a new post with “OWASP Mobile 10”.