Android application vulnerabilities have become a problem because of Google Play’s open format, and also because users can sideload apps, removing any oversight regarding the safety of apps.
Expert testing of Android mobile applications shows that in most cases, insecure data storage is the most common security flaw in android apps. According to a report, Vulnerabilities and Threats are slightly more common in Android applications, compared to iOS counterparts(43% vs 38%). But the experts categorize this difference as minimal: the security level of apps is roughly equivalent between the two platforms.
There Are Two Aspects:-
Android provides Intent message objects as a way for application components to communicate with each other. If these messages are broadcasted, any sensitive data in them can be compromised by malware that has registered a BroadcastReceiver instance.
Server-side components vulnerabilities both in application code and in the app protection mechanisms. The latter include flaws in the implementation of two-factor authentication. Let us consider one vulnerability our experts encountered in an application. If two identical requests are sent to the server one right after the other, with a minimal interval between them, One Time Passwords (OTP) are sent to the user’s device both as push notifications and via SMS to the linked Phone Number. The attacker can intercept SMS messages and impersonate the legitimate user, for instance, by cleaning out the user’s bank account.
Here are some top vulnerabilities-
Insufficient Jailbreak / Root Detection. Rooting or jailbreaking a device circumvents data protection and encryption schemes on the system. When a device has been compromised, any form of malicious code can run on the device, which can significantly alter the intended behaviors of the application logic. Recovery and data forensic tools generally run on rooted devices as well.
With regards to security, it is best to not have the app run on rooted or jailbroken devices, or to at least do some form of root/jailbreak detection. Detecting whether a device has been compromised adds an extra layer of policy enforcement and risk mitigation to protect the data within the application from being exposed.
2- Insufficient Transport Layer Protection:-
Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications. Encryption must be used for all authenticated connections, especially Internet-accessible web pages. Backend connections should be encrypted as well, or risk exposing an authentication or session token to malicious actors on the same network as the application host. These backend connections may represent a lower likelihood of exploitation than a connection over the external Internet; however, their impact in the case of exploitation can still result in a compromise of user accounts or worse.
Encryption should be used whenever sensitive data, such as credit card or health information, is transmitted. Applications that fall back to plaintext or otherwise be forced out of an encrypting mode can be abused by attackers.
Ensure the application has a security constraint that defines confidentiality and integrity-based secure transport guarantee. This will ensure that all data is sent in a manner that guarantees it cannot be observed or changed during transmission. If TLS must be terminated at a load balancer, web application firewall, or other in-line hosts, it should re-encrypt the data in transit to the target host(s).
Insufficient Authorization results when an application does not perform adequate authorization checks to ensure that the user is performing a function or accessing data in a manner consistent with the security policy.
Authorization procedures should enforce what a user, service, or application is permitted to do. When a user is authenticated to a web site, it does not necessarily mean that the user should have full access to all content and functionality.
Enforce a proven authorization framework scheme that emphasizes policy-based configuration files over hard-coded authentication/authorization checks wherever possible.
to know about more vulnerabilities - https://codersera.com/blog/top-7-vulnerabilities-in-android-applications-2019/