In Q2 2022, Kaspersky products blocked over 5 million mobile-specific malware, adware and riskware attacks. They also detected over 400K malicious installation packages. Another research study found that of the 4000+ pen tests conducted on 2,700 software and mobile applications, a staggering 95% uncovered vulnerabilities in the target applications.
These facts show that mobile vulnerabilities are a growing problem for organizations and users. Let’s see why.
The Most Common Vulnerabilities in Mobile Apps
Many mobile apps contain vulnerable open-source components that open the door to cyberattacks. Excessive device permissions and a failure to follow secure coding practices also create blind spots that allow malicious adversaries to inject apps with harmful malware and exfiltrate sensitive data. Weak server-side controls, security misconfigurations, and inadequate logging also create vulnerabilities in mobile apps.
The Open Web Application Security Project (OWASP) publishes a list of Top 10 Mobile Risks that details the most common threats and vulnerabilities in mobile applications. According to the most recent list (2016), the top 10 mobile security risks are:
Improper platform usage
The incorrect use mobile platforms and available security controls are leading threats to mobile app security. The impact of the vulnerability’s exploitation can be very severe. For example, it may allow a threat actor to exploit a XSS vulnerability via the mobile device.
The best way to prevent improper platform usage is to use secure server-side coding. Secure coding will prevent adversaries from feeding malicious inputs or unexpected sequences of events to a vulnerable endpoint through the mobile interface.
Insecure data storage
Insecure data storage, which often happens because developers don’t encrypt or securely store data, can result in data leaks or breaches, as well as:
- User privacy violation
- Reputational damage
- Material loss
- Identity theft
Some adversaries also construct malware or modify legitimate apps to steal information assets.
Threat modeling the app, OS, platforms, and frameworks enables developers to secure app data storage by understanding which information assets it processes. It’s also crucial to encrypt data, restrict the app’s access to stored data, and implement secure coding practices to prevent data storage vulnerabilities.
Insecure communications happen when transmissions over the public Internet or carrier networks expose sensitive app data to attacks. The exploitation of this flaw may expose user data to malicious users resulting in account theft, identity theft, fraud, or reputational damage.
This risk can be mitigated by applying SSL/TLS to the app’s transport channels. Mandating SSL chain verification, using strong cipher suites with appropriate key lengths, and using certificates signed by a trusted CA provider can also prevent insecure communications in mobile apps.
Insecure authentication allows adversaries to access private data and sensitive app functionality. Poor authentication may lead to information theft. Also, the app will be unable to log or audit user activity, which may prevent organizations from detecting the source of attacks and preventing them in future.
Developers can ensure secure authentication by reinforcing authorization and authentication controls on the server-side and instrumenting local integrity checks within code to detect unauthorized changes. Also, the client-side data should be encrypted using encryption keys securely derived from users’ login credentials.
Weak encryption algorithms or flaws within the encryption process may allow adversaries to access or retrieve sensitive data from the device, such as private keys, passwords, or application code. Broken cryptography is a serious mobile vulnerability that may have many adverse consequences, including:
- Theft of information, code, or intellectual property
- Privacy violations
- Reputational damage
Applying strong cryptographic algorithms when handling sensitive data can mitigate this vulnerability. OWASP also recommends following the NIST’s guidelines on recommended algorithms for mobile apps and sensitive data.
Insecure authorization allows adversaries to bypass an app’s permission controls and access sensitive features reserved for high-level users. It may also allow them to expand their attacks and even destroy the system.
One way to mitigate the risks associated with insecure authorization is to verify the roles and permissions of authenticated users using the information in backend systems, instead of relying on this information from the device. Additionally, the backend code should independently verify that the incoming identifiers associated with a request belong to the incoming identity.
Client code quality
Poor code may allow attackers to execute malicious code that may lead to high-risk attacks. They may exploit code quality issues via phishing scams or malware, or by using static analyses or fuzzing tools. Information theft, performance degradations, and denial of service (DoS) attacks are all possible consequences of poor-quality code.
Secure and standardized coding practices can prevent the security risks created by poor-quality code. Automated static analysis tools can help developers to detect and fix poor coding practices such as buffer overflows and memory leaks.
Attackers may add malicious content to existing code. Once a user downloads the fake app, adversaries can subvert the app’s intended use to perpetrate fraud or steal the user’s identity. Code tampering can damage an organization’s reputation and cause revenue losses due to piracy.
Code tampering can be prevented by inspecting it for test keys, OTA certificates, rooted APKs, and SU binaries. Also, the app should be able to detect and react appropriately to code changes at runtime. Code integration alerts and measures like code hardening and digital signatures can also prevent tampering.
Attackers reverse engineer mobile apps to understand their operation, modify code with malicious functionalities, reveal cryptographic constants and ciphers, attack back-end systems, and steal sensitive data.
The best way to prevent reverse engineering is through code obfuscation, which makes it harder for attackers to understand the app’s inner workings. Penetration testing is an effective way to understand the app’s susceptibility to reverse engineering. Using various tools and their own experience and skills, pen testers try to understand the different ways an attacker may reverse engineer an app:
- Analyzing the contents of a binary’s string table
- Performing cross-functional analysis
- Recreating the source code from the binary
Extraneous functionality is hidden to genuine users but creates attack pathways for attackers. Increasingly, many of them examine and exploit functionalities like log files, configuration files, and binaries to attack apps.
Secure coding practices can mitigate the security risks created by extraneous functionalities. One practice is to avoid including information related to back-end test, demo, staging, or UAT environments in production builds. Automated static and dynamic analysis tools can detect some types of extraneous functionality.
Manual code reviews and penetration tests can reveal backdoors that automated tools may miss, such as:
- Hidden switches in configuration settings
- Test code in the final production build
- Whether logs statements include overly descriptive information about the backend that may expose privileged accounts
Related article: Choosing the Right Mobile App Pen Testing Technique.
Importance of Shoring Up Mobile App Security
The increasing ubiquity of mobile apps opens many pathways for cyberattackers, which explains why many are actively deploying app-specific malware, and why smishing, MITM attacks, and firmware attacks are on the rise. Organizations must close as many of these pathways as possible. The best way to do this is to find vulnerabilities before the bad guys can exploit them. Here’s where penetration testing comes in.
Pen testing mobile apps can uncover security weaknesses that internal testing and automated scanning tools often miss. The results enable organizations to fix the detected vulnerabilities early in the development lifecycle. Pen tests can also highlight weaknesses in security ecosystems, so organizations should definitely leverage this powerful weapon in the war against the bad guys.