Most mobile teams rely on scanners.
But scanners check technical correctness (known vulnerability classes, misconfigurations, insecure APIs), not business logic: a scanner cannot tell that a price was computed in the wrong place.
The Core Problem
Mobile apps often enforce rules like:
- Pricing
- Coupons
- Access control
But when these rules exist only in the client, anyone who controls the device (a rooted phone, a repackaged APK, an intercepting proxy) can change the values the app sends, so the rules can be bypassed.
What Actually Goes Wrong
A typical flow:
- Client calculates the final value (price after discounts, coupon result, role or entitlement)
- Sends it to the backend
- Backend accepts the value as-is and processes it
This creates a trust dependency on the client: the server's correctness now depends on data an attacker can edit in transit or in a modified app.
The Fix
Move decision-making to the server.
Example:
// Recompute the total from server-side data (catalogue, coupon table, user entitlements).
// The client's figure is only compared against it, never used for charging.
val recalculatedAmount = pricingService.calculate(cart, user, request.coupon)
// If amounts are BigDecimal, compare with compareTo so that 10.0 and 10.00 are equal.
if (recalculatedAmount != request.finalAmount) {
    throw SecurityException("Client-submitted amount does not match server-side price")
}
But validation alone is not enough.
You also need:
- Idempotency: a retried request (same idempotency key) must yield the same result once, not a second charge
- Replay protection: a captured request must not be accepted again later (single-use nonce plus a freshness window)
- Concurrency-safe state transitions: two concurrent requests must not both move an order from CART to PAID
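The following is an added example, not code from the original post, showing a backend checkout handler that combines the four controls discussed above: server-side recomputation of the price, an idempotency key, a single-use nonce with a freshness window, and a guarded CART to PAID transition. The page's snippet is Kotlin; this sketch is in Python so the behaviour can be exercised directly. The catalogue, coupon table, request shape and the in-memory stores are constructed assumptions standing in for a database.

```python
"""Server-side checkout: recompute price, enforce idempotency, reject replays,
and guard the order state transition. Added example; catalogue, coupons and
request shape are constructed assumptions, not from the original post."""
from __future__ import annotations

import threading
import time
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
from typing import Optional

# Constructed price list and coupon table: the server is the only source of truth.
CATALOG = {"sku-1": Decimal("10.00"), "sku-2": Decimal("25.50")}
COUPONS = {"SAVE10": Decimal("0.10")}  # fraction off the subtotal
CENT = Decimal("0.01")


class CheckoutError(Exception):
    pass


@dataclass
class CheckoutRequest:
    idempotency_key: str      # client-chosen, reused verbatim on retry
    nonce: str                # single-use; assumed bound to the authenticated session
    timestamp: float          # client clock, checked against a freshness window
    order_id: str
    cart: dict                # sku -> quantity
    coupon: Optional[str]
    client_total: Decimal     # what the app displayed; compared, never charged


class CheckoutService:
    REPLAY_WINDOW_S = 300

    def __init__(self) -> None:
        self._lock = threading.Lock()            # stands in for a DB transaction
        self._seen_nonces: dict[str, float] = {}
        self._idempotent: dict[str, tuple] = {}  # idempotency_key -> committed result
        self._orders: dict[str, dict] = {}       # order_id -> {"state", "version", ...}

    def price(self, cart: dict, coupon: Optional[str]) -> Decimal:
        """Recompute the total from server-side data only."""
        subtotal = Decimal("0")
        for sku, qty in cart.items():
            if sku not in CATALOG or not isinstance(qty, int) or qty <= 0:
                raise CheckoutError(f"invalid line item {sku!r}")
            subtotal += CATALOG[sku] * qty
        if coupon is not None:
            if coupon not in COUPONS:
                raise CheckoutError("unknown coupon")
            subtotal -= subtotal * COUPONS[coupon]
        return subtotal.quantize(CENT, rounding=ROUND_HALF_UP)

    def checkout(self, req: CheckoutRequest, now: Optional[float] = None) -> tuple:
        now = time.time() if now is None else now
        with self._lock:
            # 1. Idempotency: a retried request returns the committed result; charged once.
            if req.idempotency_key in self._idempotent:
                return self._idempotent[req.idempotency_key]
            # 2. Replay protection: freshness window, then burn the nonce on first sight
            #    (a failed attempt therefore needs a fresh nonce on retry).
            if abs(now - req.timestamp) > self.REPLAY_WINDOW_S:
                raise CheckoutError("request outside freshness window")
            if req.nonce in self._seen_nonces:
                raise CheckoutError("replayed nonce")
            self._seen_nonces[req.nonce] = now
            # 3. Server-side pricing; the client's figure is only compared, never trusted.
            total = self.price(req.cart, req.coupon)
            if total != req.client_total:
                raise CheckoutError(f"client total {req.client_total} != server total {total}")
            # 4. Guarded transition: only CART -> PAID, decided on current server state.
            #    In a real system this is one DB transaction with
            #    UPDATE ... WHERE state = 'CART' AND version = :v as the guard.
            order = self._orders.setdefault(req.order_id, {"state": "CART", "version": 0})
            if order["state"] != "CART":
                raise CheckoutError(f"order {req.order_id} already {order['state']}")
            order.update(state="PAID", version=order["version"] + 1, total=total)
            result = (req.order_id, total, order["version"])
            self._idempotent[req.idempotency_key] = result
            return result
```

The lock makes the four checks and the state change one atomic unit; without that, two requests for the same order can both observe CART and both commit. The nonce and timestamp only help if the request is authenticated (signed or tied to a session), otherwise an attacker simply mints fresh nonces; the comparison against `client_total` is for detection and logging, the amount actually charged is always the server's.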
Key Takeaways
- Do not trust client-computed values
- Enforce business rules server-side
- Treat clients as untrusted
- Design APIs around state validation
Full breakdown with real-world scenarios:
👉 https://medium.com/@vaibhav.shakya786/broken-business-logic-the-mobile-vulnerability-scanners-never-catch-98bc930b754a