Penetration Testing: Top 10 OWASP Risks in Mobile Application Security Testing

penetration test
25 Sep 2018

OWASP, the Open Web Application Security Project, is a nonprofit community that does not belong to any particular technology company. Because it operates as a community of like-minded professionals, it is uniquely placed to provide impartial information to individuals and companies. Every document, framework, tool and technique it produces is made available to Internet users free of charge. OWASP supports innovation and encourages experimentation to improve secure software development. Its material is used by security professionals worldwide, and its Mobile Top 10 project catalogues the risks that most often affect mobile applications.

Mobile application security problems are as serious as web application security problems. Attackers have begun to focus on mobile applications and are actively developing tools and techniques to find and exploit their weaknesses. In this article, we walk through the ten mobile application risks identified in the OWASP Mobile Top 10, given below.

1. Non-Secure Data Storage

Mobile apps are used for many different tasks, including fitness monitoring, games, stock trading and online banking, and much of the data those apps handle is either kept on the device (in SQLite databases, log files, XML stores and the like) or pushed to cloud storage. The data held by these apps ranges from location information to highly sensitive bank account details. The application programming interfaces (APIs) that handle this storage should hash or encrypt the data properly, so that an attacker who gains direct access to the data store through malware or device theft cannot read the sensitive information held in it.

2. Broken Cryptography

Broken cryptography means that weak controls are being used to protect data. Weak or obsolete algorithms such as MD5 and RC2 can be broken by attackers, so the encryption fails to protect anything. Poor key management also defeats otherwise sound cryptography: storing the key where other applications can read it, or deriving it with a predictable key-generation technique, breaks the implemented scheme.
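The following example, added here and not part of the original article, puts items 1 and 2 side by side: the unsalted MD5 pattern the article warns against, a salted and iterated PBKDF2 hash for the same value at rest, and a predictable key derived from a device identifier next to a key drawn from the OS random source. Python stands in for the Kotlin or Swift an app would use; the PIN, device identifier and iteration count are constructed values, and the comment about the platform keystore is a recommendation, not something the article states.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# Constructed sample value: a PIN a banking app might protect at rest.
SAMPLE_PIN = "482916"
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to the device's budget


def weak_hash(pin: str) -> str:
    """The pattern the article warns against: unsalted MD5.

    MD5 is fast and the digest carries no salt, so two users with the same PIN
    get the same stored value and precomputed tables apply directly.
    """
    return hashlib.md5(pin.encode()).hexdigest()


def hardened_hash(pin: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
    """Salted, iterated PBKDF2-HMAC-SHA256. Returns (salt, digest).

    A fresh random salt per record makes equal PINs hash differently, and the
    iteration count makes every guess expensive for whoever copies the store.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)
    return salt, digest


def verify_hardened(pin: str, salt: bytes, expected: bytes,
                    iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute the digest for a login attempt and compare in constant time."""
    _, digest = hardened_hash(pin, salt, iterations)
    return hmac.compare_digest(digest, expected)


def predictable_key(device_id: str) -> bytes:
    """The key-management mistake from item 2: a key derived from a value that
    other apps on the device can read is effectively public."""
    return hashlib.sha256(device_id.encode()).digest()


def random_key() -> bytes:
    """A 256-bit key from the OS CSPRNG. On a real device it belongs in the
    platform keystore (Android Keystore / iOS Keychain), not in app files."""
    return secrets.token_bytes(32)
```

A tester reviewing a data store looks for exactly the properties the two hash functions differ in: identical digests for identical inputs (no salt), a fast algorithm, and a key that can be recomputed from readable device data.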


3. Weak Server-end Controls

It is no surprise that internet use through mobile phones has overtaken fixed-line access over time, helped by the rise of HTML5 and hybrid mobile applications. The servers that back these mobile apps must be secured in their own right. The most widespread vulnerabilities in this area are the ones described by the OWASP Top Ten web application project: insecure object references, injection and insecure communication can all lead to compromise of the app server. Attackers who control a compromised server can push malicious data to user devices and attack them from there.

4. Inadequate Transport Layer Protection

The previous items concern data at rest; data in transit needs protection as well. Because HTML5 and hybrid apps follow a client-server architecture, mobile data crosses several networks on its way to the server and is highly exposed to tampering and eavesdropping by adversaries. Controls such as SSL/TLS, which enforce the integrity and confidentiality of data, should be verified to be correctly implemented on the communication path between the app and the server.
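As an added example, not code from the article, the block below shows the two TLS client configurations a tester contrasts when checking item 4: one with certificate validation switched off, and one that validates the chain against the platform trust store, checks the hostname and refuses anything below TLS 1.2. It also sketches certificate pinning, the extra check many mobile apps add. Python's ssl module stands in for the platform networking stack; the certificate bytes are a constructed placeholder, since a real app would read the DER certificate from the established socket.

```python
import hashlib
import ssl
from typing import Iterable


def insecure_context() -> ssl.SSLContext:
    """The misconfiguration to look for in a review: validation switched off,
    so any on-path party can present its own certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # must be cleared before verify_mode changes
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Verifies the server chain against the system trust store, checks the
    hostname, and refuses protocol versions below TLS 1.2."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_acceptable(ctx: ssl.SSLContext) -> bool:
    """The checklist a tester applies to an app's TLS configuration."""
    return bool(ctx.check_hostname
                and ctx.verify_mode == ssl.CERT_REQUIRED
                and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def cert_pin(der_cert: bytes) -> str:
    """SHA-256 pin over the DER-encoded certificate, as hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, expected_pins: Iterable[str]) -> bool:
    """Certificate pinning: accept the server only if its certificate hash is
    one the app shipped with (ship a backup pin so rotation does not lock users out)."""
    return cert_pin(der_cert) in set(expected_pins)


# Constructed stand-in for a DER certificate; a real client obtains it with
# SSLSocket.getpeercert(binary_form=True) after the handshake.
SAMPLE_DER_CERT = b"constructed-der-certificate-bytes"
SHIPPED_PINS = [cert_pin(SAMPLE_DER_CERT)]
```

Pinning the leaf certificate is the simplest form; pinning the public key instead survives certificate renewal with the same key, but the check is the same shape.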

5. Unintentional Data Leakage

Some functions of mobile apps can place users' sensitive data where malware or other apps can read it. These functions exist to improve the user experience or usability, but they can have adverse consequences later. Behaviour such as keystroke caching, OS data caching, and analytics cookies used for ad delivery can be abused by adversaries to gather information about users.

6. Client-Side Injection

Injection is one of the most prevalent threats in the OWASP Top Ten for the web. It arises from malformed input that causes unintended actions, such as altering command execution or database queries. In mobile apps, malformed input is a risk both at the local app level and on the server side. Injection at the local app level, which mainly targets local data stores, can lead to conditions such as file inclusion or trial users gaining access to locked paid content, which may in turn result in misuse of functions such as SMS sending.

7. Lack of Binary Security

The code of a mobile app is generally available to anyone who downloads it. A skilled attacker can reverse-engineer the app, insert malicious code or data, and recompile it. Users who install such a tampered app become exposed to theft. Most mobile apps lack mechanisms such as checksum controls that help detect whether the app has been tampered with.
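The checksum control mentioned above, written out as an added example (not the article's code): a manifest of per-file hashes, authenticated with a MAC, that a verifier compares against the package contents. The package files and the MAC key are constructed values. One caveat the example makes visible: the verifier and its key must sit outside the package (a server-side check, or the platform's own code-signing verification), because an attacker who recompiles the app can also strip a check that lives inside it. Python stands in for whatever the verification service is written in.

```python
import hashlib
import hmac
import json
from typing import Dict

# Constructed stand-in for the files inside an app package.
APP_FILES: Dict[str, bytes] = {
    "classes.dex": b"constructed bytecode",
    "assets/config.json": b'{"api": "https://api.example.invalid"}',
}

# Assumption: the build pipeline holds MANIFEST_KEY and shares it with the
# verifier out of band. Real platforms sign the manifest with a code-signing key.
MANIFEST_KEY = b"constructed-build-key"


def build_manifest(files: Dict[str, bytes], key: bytes) -> dict:
    """Hash every file, then MAC the sorted hash list so the list itself cannot
    be edited to match a modified package."""
    hashes = {name: hashlib.sha256(data).hexdigest()
              for name, data in sorted(files.items())}
    body = json.dumps(hashes, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"hashes": hashes, "mac": mac}


def verify_package(files: Dict[str, bytes], manifest: dict, key: bytes) -> bool:
    """True only if the manifest is authentic and every file matches it."""
    body = json.dumps(manifest["hashes"], sort_keys=True).encode()
    expected_mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        return False  # the manifest itself was edited or re-issued without the key
    if set(files) != set(manifest["hashes"]):
        return False  # files were added or removed
    return all(
        hmac.compare_digest(hashlib.sha256(files[name]).hexdigest(), digest)
        for name, digest in manifest["hashes"].items()
    )
```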

8. Poor Authorization and Authentication

Because mobile devices are personal devices holding important data about their users (such as bank login credentials), developers employ specific mechanisms, such as 2FA, to authenticate and authorize access to such services. If these mechanisms are weak and easily bypassed, attackers can circumvent them and gain unauthorized access to perform destructive actions. Because the code is available to adversaries, they can attack the binary and recompile it to reach protected content directly.


9. Security Decisions Through Untrusted Inputs

When an app bases security decisions on values it does not control, such as hidden variables used to check authorization, an attacker can bypass those checks by tampering with the values in transit through web service calls or inter-process communication. This can result in privilege escalation and unintended behaviour of the mobile app.

10. Inappropriate Session Management

After a mobile app authenticates successfully, the app server sends back a session token, which the app then uses to request services. If session tokens stay valid for a long time and an adversary obtains one through theft or malware, the user's account can be hijacked.
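Items 9 and 10 both come down to where a decision is made and for how long a credential stays valid. The example below, added here and not part of the article, sketches the server side of that: a session store with a short lifetime and revocation, and an authorization check that reads the role from the server-side session rather than from a hidden field the client sends. The user names, roles, lifetime and the `is_admin` field are constructed for the example; Python stands in for whatever the backend is written in, and the `now` parameter exists only so the expiry logic can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Short lifetime limits the window in which a stolen token is useful (assumed value).
SESSION_TTL_SECONDS = 15 * 60


@dataclass
class Session:
    user_id: str
    role: str
    issued_at: float


# Server-side session store keyed by token. Role data never leaves the server,
# so the client has nothing to edit.
_sessions: Dict[str, Session] = {}


def issue_token(user_id: str, role: str, now: Optional[float] = None) -> str:
    """Called once authentication succeeds; 256 bits from a CSPRNG, not a
    counter or a timestamp an attacker could predict."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _sessions[token] = Session(user_id, role, now)
    return token


def lookup(token: str, now: Optional[float] = None) -> Optional[Session]:
    """Return the session if the token is known and unexpired; purge it otherwise."""
    now = time.time() if now is None else now
    session = _sessions.get(token)
    if session is None:
        return None
    if now - session.issued_at > SESSION_TTL_SECONDS:
        _sessions.pop(token, None)   # expired tokens are removed, not just ignored
        return None
    return session


def revoke(token: str) -> None:
    """Logout or remote sign-out: a stolen token stops working immediately."""
    _sessions.pop(token, None)


def insecure_can_access_admin(request: Dict[str, str]) -> bool:
    """Item 9's anti-pattern: the decision rests on a hidden field the client sends,
    which anyone who can edit the request in transit can set."""
    return request.get("is_admin") == "true"


def secure_can_access_admin(request: Dict[str, str],
                            now: Optional[float] = None) -> bool:
    """The role comes from the server-side session, never from the request body."""
    session = lookup(request.get("token", ""), now)
    return session is not None and session.role == "admin"
```

In a test, the difference shows up as one request: a valid user token plus `is_admin=true` in the body passes the insecure check and fails the secure one, and the same admin token stops working one second past the lifetime or as soon as it is revoked.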
