Mobile apps offer a level of convenience that the world has never known before. From home, the office, on the road and even from your hotel room in another country on vacation – you can login to your voicemail at work, check your credit card balance, view your bank balance, buy new clothes, book travel and more.

This extreme level of convenience has brought with it an extreme number of security risks, as users’ credit card details, bank logins, passwords and more are flying between devices and backend databases and systems across the net.

Below, you’ll find the top 10 mobile security risks. Understanding these risks can help you prepare your app and protect yourself, your data and your users.

Mobile Security Risk #1: Insecure Data Storage

Insecure data storage can expose a single user’s data (for example, when that user loses their phone) or every user’s data (for example, when the app itself stores data improperly, leaving all users at risk).

Here are the common pieces of data that are stored and potentially at risk:

  • Usernames
  • Authentication tokens
  • Passwords
  • Cookies
  • Location data
  • UDID/IMEI, Device Name, Network Connection Name
  • Personal Information: DoB, Address, Social Security number, Credit Card Data
  • Application Data:
    • Stored application logs
    • Debug information
    • Cached application messages
    • Transaction histories
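The list above is also a checklist for what to look for on the device. As an added example (not code from the original article), here is a small audit that parses an Android SharedPreferences-style XML file and flags entries that hold the kinds of data listed, either because the key name suggests a secret or because the value looks like a card number. The file content, the keyword list and the `audit_prefs` function are all constructed for this illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of what an Android SharedPreferences file looks like on disk.
# Hypothetical content, not taken from any real app.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="password">hunter2</string>
    <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.e30.abc</string>
    <string name="theme">dark</string>
    <string name="last_lat">51.5074</string>
    <string name="billing_ref">4111111111111111</string>
</map>
"""

# Key-name fragments that usually mean the value is sensitive (assumed list, extend as needed).
SENSITIVE_KEYWORDS = ("pass", "pwd", "secret", "token", "session", "cookie", "card",
                      "ssn", "imei", "udid", "lat", "lon", "address", "dob")
CARD_PATTERN = re.compile(r"^\d{13,19}$")


def luhn_ok(digits):
    """Luhn checksum, so a long run of digits is only flagged when it is a plausible card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def audit_prefs(xml_text):
    """Return (key, reason) pairs for entries that appear to store sensitive data in plaintext."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root:
        name = el.get("name", "")
        value = (el.text or "").strip()
        if any(k in name.lower() for k in SENSITIVE_KEYWORDS):
            findings.append((name, "sensitive key name"))
        elif CARD_PATTERN.match(value) and luhn_ok(value):
            findings.append((name, "value looks like a card number"))
    return findings


if __name__ == "__main__":
    for key, reason in audit_prefs(SAMPLE_PREFS):
        print(f"{key}: {reason}")
```

Run it against preferences files pulled from a test device (or from a debug build) and treat every hit as a candidate for moving into platform-protected storage or for not persisting at all.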

Mobile Security Risk #2: Weak Server Side Controls

This risk is quite simple: the servers that your app is accessing should have security measures in place to prevent unauthorized users from accessing data. This includes your own servers, and the servers of any third-party systems your app may be accessing.

Mobile Security Risk #3: Insufficient Transport Layer Protection

When designing a mobile application, data is commonly exchanged in a client-server fashion. When this data is exchanged it travels across the carrier network and the internet. If the application is coded poorly and not secured, “threat agents” can use techniques to view sensitive data while it’s traveling across the wire.

Threat agents can include:

  • Users local to your network (compromised or monitored wifi)
  • Carrier or network devices (routers, cell towers, proxies, etc.)
  • Malware pre-existing on the user’s phone
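Every threat agent listed above sits between the client and the server, so the defence is a TLS client that refuses to talk to anyone but the genuine server. As an added example (not the article's own code), the block below builds the weak client configuration beside the hardened one using Python's standard `ssl` module; the helper names `insecure_context`, `hardened_context`, `describe` and `is_hardened` are assumed for this illustration, and `ca_bundle` is an optional path to a file holding only the CA that issued your server's certificate.

```python
import ssl


def insecure_context():
    """The weak setting: certificate checks switched off.
    Any device on the path (wifi, router, proxy) can impersonate the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(ca_bundle=None):
    """The corrected setting: verify the chain, match the hostname, refuse old TLS versions.
    Passing ca_bundle (a file containing only your own server's CA) narrows trust to that CA,
    so a certificate from any other public CA is rejected even if it names your host."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def describe(ctx):
    """Plain-value summary of the settings a reviewer should check."""
    return {
        "verify": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "min_version": ctx.minimum_version.name,
    }


def is_hardened(ctx):
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


if __name__ == "__main__":
    print("insecure:", describe(insecure_context()))
    print("hardened:", describe(hardened_context()))
```

The `is_hardened` check is the kind of assertion worth putting in a unit test, so that a developer who disables verification to get past a self-signed staging certificate cannot ship that change by accident.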

Mobile Security Risk #4: Client Side Injection

Android applications are downloaded and run “client side”. This means that the code for the app actually resides on the user’s device.

Attackers could load simple text-based attacks that exploit the syntax of the targeted interpreter. Almost any source of data can be a point of injection, including resource files or the application itself.

Injection attacks, such as SQL Injection on client devices, can be severe if your application deals with more than one user account on a single application, a shared device, or paid-for-only content. Other injection points are meant to overflow application components but are less likely to achieve a high impact result because of the managed code protections of the application languages.

Mobile Security Risk #5: Poor Authorization and Authentication

Apps and the systems they connect with should be properly protected with authorization and authentication best practices. This ensures that devices, users and systems are authorized to transfer data in the app’s workflow and that unauthorized devices, users and scripts are identified and blocked.

Mobile Security Risk #6: Improper Session Handling

Have you ever been in the middle of checking your bank account online when your attention is called away? You return to your computer to see a message like, “Session Timed Out – Please Login Again”.

This is an example of a session handling best practice. You were inactive for a set amount of time, and the system logged you out. This prevents threats such as someone sitting down at your computer and seeing your bank account.

This and other session-handling best practices should be put in place for apps that access sensitive data.
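The inactivity logout described above is simple to get right on the server side if the session store enforces it rather than the client. As an added example (not code from the original article), here is a minimal session store that issues unguessable tokens, expires a session after a period of inactivity, and also enforces an absolute lifetime so a token cannot live forever by being touched every few minutes. The class name, timeouts and the injectable `clock` parameter are assumptions made for this illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 5 * 60          # seconds without activity before the session is dropped (assumed value)
ABSOLUTE_TIMEOUT = 8 * 3600    # hard ceiling on session age, regardless of activity (assumed value)


class SessionStore:
    def __init__(self, idle_timeout=IDLE_TIMEOUT, absolute_timeout=ABSOLUTE_TIMEOUT, clock=time.time):
        self._sessions = {}
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.clock = clock          # injectable so tests can move time forward deterministically

    def create(self, user):
        """Start a session after successful authentication; the token is the only thing the client holds."""
        token = secrets.token_urlsafe(32)     # 256 bits from the OS CSPRNG, not a counter or a timestamp
        now = self.clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def resolve(self, token):
        """Return the user for a live session and refresh its idle timer.
        Returns None (and forgets the token) when the session is unknown or has expired."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        idle_expired = now - s["last_seen"] > self.idle_timeout
        lifetime_expired = now - s["created"] > self.absolute_timeout
        if idle_expired or lifetime_expired:
            del self._sessions[token]
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, token):
        """Explicit logout must invalidate server-side state, not just clear the client's copy."""
        self._sessions.pop(token, None)


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice")
    print(store.resolve(tok))   # alice
    store.logout(tok)
    print(store.resolve(tok))   # None
```

Two points worth carrying over to a real implementation: the token is never derived from anything predictable, and expiry is decided on the server with its own clock, so a client that simply stops sending "logged out" cannot keep a session alive.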

Mobile Security Risk #7: Security Decisions Via Untrusted Inputs

You might assume that inputs such as cookies, environment variables, and hidden form fields cannot be modified. However, an attacker could change these inputs using customized clients or other attacks. This change might not be detected. When security decisions such as authentication and authorization are made based on the values of these inputs, attackers can bypass the security of the software.

Without sufficient encryption, integrity checking, or other mechanisms, any input that could originate from an outsider cannot be trusted.

Mobile Security Risk #8: Side Channel Data Leakage

In cryptography (the techniques used to encrypt data), a side channel attack is any attack based on information gained from the physical implementation of an encryption system, rather than on brute force or theoretical weaknesses in the algorithms.

By watching how, when and where data moves, attackers can find and exploit security holes.

Mobile Security Risk #9: Broken Cryptography

Encryption systems are constantly evolving – because they are constantly being “solved” or broken.

Ensure that the cryptography you are employing is stable and has not yet been broken. This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.

Mobile Security Risk #10: Sensitive Information Disclosure

Though listed last, this is one of the most severe points of vulnerability in mobile app security – because it’s out of your control.

When apps, systems and cryptography created or used by other companies are hacked or broken, YOUR data could be at risk. Once these pieces of sensitive data have been disclosed, they can be used to mine other databases and systems for access to accounts, credit cards, usernames and passwords and more.

Scanning your data for vulnerability caused by breaches to other apps and other companies will help you stay ahead of this risk.
This list was compiled using the OWASP Mobile Top 10 project.