OWASP Mobile Top 10 Risks [2023]

OWASP Mobile Top 10 Risks [2023]

The OWASP Mobile Top 10 provides a comprehensive summary of the ten most crucial security threats faced by your mobile applications, applicable to both Android and iOS platforms. These top 10 risks encompass various attack scenarios, offering insights into what to anticipate and how to safeguard against them.

 

 

M1: Improper Credential Usage

Threat actors exploiting hardcoded credentials and improper handling of credentials within mobile applications may employ automated techniques using readily available tools or custom-built ones. These actors could potentially discover and exploit hardcoded credentials or take advantage of weaknesses stemming from the improper use of credentials.

Adversaries have the capability to exploit vulnerabilities in both hardcoded credentials and the mishandling of credentials. Once these vulnerabilities are identified, an attacker can utilize hardcoded credentials to gain unauthorized access to sensitive features of the mobile app. They can also abuse credentials, for example, by gaining entry through improperly validated or stored credentials, thus circumventing the need for legitimate access.

How Can I Prevent ‘Improper Credential Usage’?

Preventing insecure credential management involves refraining from using hardcoded credentials and ensuring proper handling of user credentials.

Avoid the Use of Hardcoded Credentials

Hardcoded credentials can be easily uncovered by attackers, serving as a straightforward entry point for unauthorized users. It is imperative to abstain from incorporating hardcoded credentials within your mobile app’s code or configuration files.

Handle User Credentials Securely

User credentials should always be handled with the utmost security in mind:

  • Encrypt credentials during transmission.
  • Do not retain user credentials on the device. Consider employing secure, revocable access tokens instead.
  • Implement robust user authentication protocols.
  • Regularly refresh and rotate any employed API keys or tokens.
 

M2: Inadequate Supply Chain Security

An attacker has the potential to manipulate the functionality of an application by taking advantage of weaknesses in the mobile app supply chain. For instance, they could insert malicious code into the app’s codebase or make alterations to the code during the building process, thereby introducing backdoors, spyware, or other harmful code.
This manipulation allows the attacker to engage in activities such as data theft, user surveillance, or gaining control of the mobile device. Furthermore, an attacker could exploit vulnerabilities in third-party software libraries, SDKs, vendors, or hardcoded credentials to gain access to either the mobile app or the backend servers.
The repercussions of such actions may include unauthorized data access or manipulation, denial of service, or a complete takeover of the mobile app or device.
 
There are several methods to exploit the vulnerability associated with an insufficient supply chain. For instance, an insider threat actor or attacker could inject malicious code during the app’s development phase and subsequently compromise the app’s signing keys or certificates to sign the malicious code as trusted.
Another approach entails exploiting vulnerabilities in third-party libraries or components used in the app.
 
How To Prevent ‘Inadequate Supply Chain Vulnerability’
  • Incorporate secure coding practices, conduct code reviews, and perform testing at various stages of the mobile app development process to identify and address vulnerabilities.
  • Ensure a secure app signing and distribution process to thwart attackers from signing and distributing malicious code.
  • Utilize only trusted and validated third-party libraries or components to minimize vulnerability risks.
  • Establish security controls for app updates, patches, and releases to prevent attackers from exploiting vulnerabilities within the app.
  • Implement monitoring and detection measures for supply chain security incidents, employing security testing, scanning, or other techniques to promptly detect and respond to incidents.
 

M3: Insecure Authentication/Authorization

Threat actors who target authentication and authorization vulnerabilities usually employ automated attacks, utilizing either readily available tools or ones they have created themselves.
 
Once the adversary identifies vulnerabilities in either the authentication or authorization system, they can exploit these weaknesses in one of two ways. They may either simulate or bypass the authentication process by directly sending service requests to the backend server of the mobile app, avoiding any direct interaction with the mobile app itself. Alternatively, they can log into the application as a legitimate user after successfully passing the authentication checkpoint, and then proceed to access a vulnerable endpoint to carry out administrative functions. Both methods of exploitation typically involve the use of mobile malware within the device or botnets controlled by the attacker.
 
How To Prevent ‘Insecure Authentication/Authorization’
Avoid Weak Patterns in Authentication:
  • Ensure that mobile application authentication requirements match those of the web application component when porting a web application to a mobile platform.
  • Be cautious of local user authentication, as it can lead to client-side bypass vulnerabilities, especially on jailbroken devices.
  • Conduct authentication requests server-side whenever possible to ensure data availability only after successful authentication.
  • If client-side data storage is necessary, encrypt the data using a key derived from the user’s login credentials.
  • Do not store a user’s password on the device for the “Remember Me” functionality.
  • Use a device-specific authentication token that can be revoked by the user within the mobile application.
  • Avoid using easily spoofed values for user authentication, such as device identifiers or geo-location.
  • Implement persistent authentication in mobile applications as an opt-in feature, not enabled by default, and discourage users from using 4-digit PIN numbers for authentication.
Reinforce Authentication:
  • Developers should assume that all client-side authorization and authentication controls can be bypassed, necessitating strong server-side reinforcement.
  • For offline usage, implement local integrity checks in mobile apps to detect unauthorized code changes.
Use FaceID and TouchID:
  • Utilize FaceID and TouchID for biometric authentication to securely protect sensitive authentication materials like session tokens.
Insecure Authorization Prevention:
  • Backend systems should independently verify roles and permissions of authenticated users without relying solely on information from the mobile device.
  • Assume that all client-side authorization can be bypassed, emphasizing strong server-side authorization controls.
  • If offline authorization checks are necessary within the mobile app’s code, perform local integrity checks to detect unauthorized code changes.
 

M4: Insufficient Input/Output Validation

Insufficient validation and sanitization of data from external sources, like user inputs or network data, within a mobile application can expose serious security vulnerabilities. Mobile apps that do not adequately validate and sanitize such data are susceptible to exploitation through mobile-specific attacks, including SQL injection, Command Injection, and cross-site scripting (XSS) attacks.
These vulnerabilities can lead to severe consequences, such as unauthorized access to sensitive data, manipulation of app functionality, and potentially compromising the entire mobile system.
 
When there is inadequate output validation, it can lead to data corruption or vulnerabilities in data presentation, enabling malicious actors to inject harmful code or manipulate sensitive information displayed to users.
Insufficient input/output validation opens our application to critical attack vectors, including SQL injection, XSS, command injection, and path traversal. These vulnerabilities can result in unauthorized access, data manipulation, code execution, and compromise of the entire backend system.
 
How to Prevent ‘Insufficient Input/Output Validation’:
Input Validation:
  • Apply rigorous validation techniques to validate and sanitize user input.
  • Enforce input length restrictions and reject unexpected or malicious data.
Output Sanitization:
  • Properly sanitize output data to thwart cross-site scripting (XSS) attacks.
  • Use output encoding techniques when displaying or transmitting data.
Context-Specific Validation:
  • Conduct specific validation based on data context (e.g., file uploads, database queries) to prevent attacks like path traversal or injection.
Data Integrity Checks:
  • Implement data integrity checks to identify and prevent data corruption or unauthorized modifications.
Secure Coding Practices:
  • Adhere to secure coding practices, such as using parameterized queries and prepared statements, to thwart SQL injection.
Regular Security Testing:
  • Carry out routine security assessments, including penetration testing and code reviews, to uncover and rectify vulnerabilities.
 

M5: Insecure Communication

Many contemporary mobile apps communicate with remote servers. During this data exchange, it typically travels through the mobile device’s carrier network and the internet. If transmitted without encryption or using outdated security methods, a malicious party monitoring the communication could intercept and alter the data. These threat agents may have various motives, including stealing sensitive information, engaging in espionage, or committing identity theft. The following threat agents should be considered:
  • An adversary who shares your local network (which may be compromised or under surveillance).
  • Rogue carrier or network devices (such as routers, cell towers, proxies, etc.).
  • Malware present on your mobile device.
Although modern applications rely on cryptographic protocols like SSL/TLS, there can still be vulnerabilities in their implementation. These weaknesses may include:
  • The use of outdated protocols and/or improper configuration settings.
  • Acceptance of insecure SSL certificates (such as self-signed, revoked, expired, or those with incorrect hosts).
  • Inconsistencies, such as applying SSL/TLS only to specific workflows, such as authentication.
How To Prevent ‘Insecure Communication’?
  1. Assume network layer is insecure and vulnerable to eavesdropping.
  2. Implement SSL/TLS on transport channels for data transmission to backend APIs or web services.
  3. Use SSL versions of third-party entities like analytics companies and social networks when the application interacts with them via browser/webkit to avoid mixed SSL sessions.
  4. Employ strong, industry-standard cipher suites with appropriate key lengths.
  5. Utilize certificates from trusted Certificate Authority (CA) providers and never allow bad certificates (self-signed, expired, untrusted root, revoked, wrong host).
  6. Consider implementing certificate pinning and ensure SSL chain verification. Additionally, verify the identity of the endpoint server using trusted certificates in the key chain before establishing a secure connection. 

M6: Inadequate Privacy Controls

Privacy controls aim to safeguard Personally Identifiable Information (PII), such as names, addresses, credit card details, email and IP addresses, as well as sensitive information about health, religion, sexuality, and political beliefs.
This data holds significant value for potential attackers, as it can be used to:
  • Assume the identity of the victim for fraudulent activities,
  • Exploit the victim’s payment information,
  • Blackmail the victim using sensitive data, or
  • Inflict harm by tampering with or destroying critical victim data.
In essence, PII can be either exposed (a breach of confidentiality), tampered with (a breach of integrity), or obliterated/restricted (a breach of availability).
Typically, sources of PII are well guarded, such as the app’s sandbox, network communication with the server, app logs, and backups. Some sources have lower levels of protection but are still challenging to access, like URL query parameters and clipboard content.
 
How To Prevent ‘Inadequate Privacy Controls’?

To prevent privacy breaches, it’s crucial to minimize the volume and diversity of Personally Identifiable Information (PII) being processed. This necessitates a comprehensive understanding of all PII assets within a given application. Armed with this knowledge, consider the following inquiries:

  • Is all processed PII truly indispensable, like names, addresses, gender, and age?
  • Can some of the PII be substituted with less sensitive information, such as replacing precise location with a broader one?
  • Is it possible to scale down certain PII elements, like reducing location updates from every minute to every hour?
  • Can some of the PII be anonymized or obscured, for instance, through techniques like hashing, grouping, or adding random data?
  • Is it feasible to erase certain PII after a designated period, like retaining only health data from the past week?
  • Can users provide consent for optional PII usage, allowing them to receive enhanced services while being informed of the associated additional risk?
 

M7: Insufficient Binary Protection

Attackers who focus on app binaries have various motivations. The binary may contain valuable information, such as commercial API keys or hardcoded cryptographic secrets, which an attacker could exploit. Additionally, the code within the binary may hold inherent value, for instance, due to critical business logic or pre-trained AI models. Some attackers might not directly target the app itself, but rather use it to probe potential vulnerabilities in the corresponding backend, preparing for a subsequent attack.
 
Beyond gathering information, attackers may also tamper with app binaries to gain access to premium features without payment or to bypass other security checks. In the worst-case scenario, popular apps could be altered to include malicious code and then distributed through third-party app stores or under a different name to deceive unsuspecting users. One common attack involves reconfiguring payment identifiers in an app, re-packaging it, and circulating it through app stores. Consequently, when users download this unauthorized copy from the app store, the attacker receives the payments instead of the original provider.
 
How To Prevent ‘Insufficient Binary Protection’?
To mitigate the risk of ‘Insufficient Binary Protection’, it is imperative to assess each app individually to determine if critical content is present in the binary, or if its popularity necessitates binary protection. If so, conducting a threat modeling analysis can help identify the highest risks and estimate their potential financial impact if they materialize. For the most pertinent risks, appropriate countermeasures should be implemented.
Given that apps typically operate in untrusted environments, they should only receive the bare minimum of necessary information to function, as this data is always susceptible to leakage or manipulation. However, assuming that certain sensitive elements, such as secrets, algorithms, and security checks, must reside within the app’s binary, different attacks can be thwarted using various strategies.
 
 

M8: Security Misconfiguration

Security misconfiguration in mobile applications occurs when security settings, permissions, and controls are not properly configured. This can result in vulnerabilities and unauthorized access. Threat actors who take advantage of these misconfigurations are typically attackers seeking to gain unauthorized entry to sensitive information or carry out malicious activities. These threat actors may include individuals with physical access to the device or malicious applications on the device that exploit security misconfigurations to perform unauthorized actions within the vulnerable application’s context.
 
How To Prevent Security Misconfigurations?
To prevent security misconfigurations in mobile apps, it is essential to adhere to secure coding and configuration practices. Here are some crucial steps to take:
  • Ensure Secure Default Configurations: Verify that initial settings and configurations are adequately protected and do not expose sensitive information or grant unnecessary permissions.
  • Avoid Default Credentials: Steer clear of using hardcoded default login credentials.
  • Address Insecure Permissions: Do not store application files with excessively permissive permissions, such as making them world-readable or world-writable.
  • Apply the Principle of Least Privilege: Request only the permissions essential for the proper operation of the application.
  • Implement Secure Network Configuration: Prohibit unencrypted communication and utilize certificate pinning whenever feasible.
  • Deactivate Debugging: In the production version of the app, deactivate debugging features.
  • Turn off Backup Mode (Android): Disabling backup mode on Android devices prevents the inclusion of app data in the device’s backup, ensuring that sensitive information is not stored in the backup.
  • Restrict Application Attack Surface: Only export activities, content providers, and services that are necessary for operation in order to minimize potential points of vulnerability.
 

M9: Insecure Data Storage

Inadequate data protection within a mobile application can attract a range of threat actors seeking to capitalize on weaknesses and gain unauthorized access to sensitive information. These adversaries may include proficient attackers focused on extracting valuable data from mobile apps, insiders within the organization or app development team abusing their privileges, state-backed actors engaged in cyber espionage, cybercriminals aiming for financial gain through data theft or ransom, less skilled individuals using pre-made tools for basic attacks, data brokers looking to exploit insecure storage for the sale of personal information, competitors and industrial spies striving for a competitive edge, as well as activists or hacktivists motivated by ideology.
 
These threat actors leverage vulnerabilities like weak encryption, inadequate data protection, insecure data storage methods, and improper handling of user credentials. It is imperative for mobile app developers and organizations to incorporate robust security measures, including strong encryption, secure data storage protocols, and adherence to established mobile application security best practices, in order to reduce the risks associated with insecure data storage.
 
How To Prevent ‘Insecure Data Storage’?
  • To safeguard against insecure data storage in a mobile application and ensure the security of sensitive information, it is recommended to enact the following security measures:
  • Employ Robust Encryption: Utilize strong encryption algorithms and best practices to safeguard sensitive data both when stored and during transit. Employ widely recognized encryption algorithms and ensure secure storage and management of encryption keys.
  • Ensure Secure Data Transmission: Use secure communication protocols (e.g., HTTPS, SSL/TLS) to protect data while it is being transmitted between the mobile application and backend servers. Avoid sending sensitive data through unsecured channels.
  • Implement Secure Storage Methods: Store sensitive data in secure locations that are inaccessible to unauthorized users. Leverage platform-specific secure storage mechanisms provided by the mobile operating system, such as Keychain (iOS) or Keystore (Android).
  • Enforce Proper Access Controls: Establish stringent access controls to limit unauthorized access to sensitive data. Authenticate users securely, apply role-based access controls, and validate user permissions prior to granting access to sensitive information.
  • Validate Input and Sanitize Data: Employ input validation and data sanitization techniques to prevent injection attacks and ensure that only valid and expected data is stored. Validate user inputs to mitigate the risk of malicious code injection or inadvertent data exposure.
  • Implement Secure Session Management: Adopt secure session management practices, including the use of randomly generated session tokens, setting appropriate session timeouts, and securely storing session data on both the client and server sides.
  • Regularly Update and Patch Dependencies: Keep all libraries, frameworks, and third-party dependencies current, as they may harbor security vulnerabilities that could lead to insecure data storage. Routinely apply security patches and updates provided by the respective vendors.
  • Stay Informed: Stay abreast of the latest security threats and vulnerabilities within the mobile application landscape. Monitor security forums, review security advisories, and stay updated on mobile platform developments to promptly address emerging risks.
 

M10: Insufficient Cryptography

Adversaries who take advantage of weak cryptography in mobile applications have the potential to compromise the confidentiality, integrity, and authenticity of sensitive data. These threat actors encompass individuals who focus on decrypting sensitive information by targeting cryptographic algorithms or their implementations, insiders with malicious intent who tamper with cryptographic processes or divulge encryption keys, state-backed actors involved in cryptanalysis for intelligence-gathering objectives, cybercriminals who capitalize on feeble encryption to pilfer valuable data or engage in financial fraud, and assailants who exploit vulnerabilities in cryptographic protocols or libraries.
 
How To Prevent ‘Insufficient Cryptography’?
To prevent vulnerabilities related to “insufficient cryptography” in a mobile application, it is advisable to adhere to the following best practices:
  • Opt for Strong Encryption Algorithms: Choose established and secure encryption methods like AES, RSA, or ECC. Avoid outdated or weak algorithms.
  • Ensure Robust Key Length: Select encryption keys with sufficient length to ensure strong security, following industry recommendations for the specific algorithm.
  • Secure Key Management: Safeguard encryption keys using methods like key vaults or hardware security modules. Restrict access to authorized personnel and encrypt keys at rest.
  • Implement Encryption Correctly: Follow established cryptographic libraries and frameworks for encryption processes. Avoid custom implementations which can be more error-prone.
  • Protect Storage of Encryption Keys: Store encryption keys securely on the mobile device, avoiding plain text or easily accessible locations. Consider using secure storage provided by the operating system or hardware-based options.
  • Utilize Secure Transport Layer: Employ HTTPS for transmitting encrypted data. Ensure thorough certificate validation and secure communication channels between the mobile app and backend systems.
  • Regularly Update and Test Security Measures: Stay informed about security updates and conduct thorough testing, including assessments for cryptographic vulnerabilities, penetration testing, and code reviews. Address any identified weaknesses promptly.
 
Image by vecstock on Freepik

Leave a Comment

Your email address will not be published. Required fields are marked *