Technological revolution has been the most dynamic thing in the world to change it's dynamics. Less than a decade ago, smartphones were a little device which would be accessible to wealthy persons only. Today, smartphone has been an integral part of everyone's life. With the rise in use of smartphone there has been rise in use of mobile application as well. These apps running on our mobile saves/shares our personal information, pictures, recordings, notes, account data, business information, location and much more.
With every enhancement in technology gives birth to new security risks and mobile technology is no different. Even though mobile operating systems like iOS and Android are arguably more secure by design compared to traditional Desktop operating systems, there's still a lot of things that can go wrong when security is not considered during the mobile app development process. Data storage, inter-app communication, proper usage of cryptographic APIs and secure network communication are only some of the aspects that require careful consideration.
When it comes to addressing application security, we need to keep eye on security from the very first stage (very beginning) of application development. There may be various areas to take care of during the process, and have been narrowed down to top ten items by OWASP.
Following listed are the TOP 10 OWASP Mobile Risks:
M1 - Improper Platform Usage
Misuse of a mobile platform feature or failure to use platform security controls adequately
It might include Android intents, platform permissions, misuse of TouchID, the Keychain, or some other security control that is part of the mobile operating system
Some examples includes the violation of published guidelines, violation of convention or common practice, and any unintentional misuse
M2 - Insecure Data Storage
Insufficient protection mechanisms towards user or app data stored locally
Scope of coverage includes an adversary that has attained a lost or stolen mobile device, malware or a repackaged app acting on the adversary's behalf that executes on the mobile device
Data insecurely stored includes files such as SQLite databases, log files, XML files and cookies
M3 - Insecure Communication
Insufficient protection mechanisms towards user or app data transmitted over the mobile device's carrier network or the internet
It might cover an adversary that shares the same Local Area Network (LAN), network devices or malware; and whether defensive mechanisms such as Certificate Pinning has been implemented in the mobile app
M4 - Insecure Authentication
Lack of proper authentication methods and controls
Scope of coverage includes the exploitation of authentication vulnerabilities.
M5 - Insufficient Cryptography
Usage of inadequately strong cryptographic standards, or poor cryptography implementation and usages
Scope of coverage includes the cracking of improperly encrypted data through physical access or mobile malware acting on an adversary's behalf
M6 - Insecure Authorization
Lack of proper roles and permissions validation and access rights controls
Scope of coverage includes the exploitation of the authorization vulnerabilities like insecure direct object references
M7 - Poor Code Quality
Insufficient consistency in coding patterns and lack of proper user data input validations and method calls
Scope of coverage includes any plausible endpoints that can pass untrusted inputs to method calls made within the mobile app's code, resulting in potential exploitation via malware or phishing scams
M8 - Code Tampering
Lack of runtime checks function that perform app code integrity checks
Scope of coverage includes exploitation through code modification via malicious forms of the apps hosted in third-party app stores. Malicious attacker may also trick the user into installing the app via phishing attacks
M9 - Reverse Engineering
Missing obfuscation methods
Scope of coverage includes downloading the mobile app from an app store and analyze it within their own local environment using a suite of different tools to identify potential attack vectors
M10 - Extraneous Functionality
Lack of logs and endpoints verification prior to publishing the production builds
Scope of coverage includes the identification of hidden or extraneous functionality in the backend system or the mobile app itself, and then exploit it directly from their own systems without any involvement by end-users.
In order to allow the user to browse through the app securely and conveniently developer need to take care of all these items in the list and make sure they have properly followed all the steps to make app more secure.
Top comments (0)