Penetration Testing: Top 10 OWASP Risks in Mobile Application Security Testing

25 Sep, 2018

OWASP, or Online Web Application Security Project, is a community that operates as a nonprofit group and does not belong to any particular technology company. Because it operates as a community of like-minded professionals, it is in a unique position to provide impartial information to individuals and companies. Every document, framework, tool, technique and other resource is made available to Internet users for free. OWASP supports innovation and encourages experiments for the betterment of secure software development. Though security professionals worldwide use OWASP frequently, there are certain risks associated with OWASP as well, primarily due to its inherent limitations.

Mobile application security problems are as serious as web application security problems. Attackers have begun to focus on mobile application security issues and are actively developing tools and techniques to detect and exploit them. In this article, we identify 10 such risks arising from the use of OWASP in a mobile application security framework, given below.

  1. Insecure Data Storage

Insecure Data Storage, as the name says, is about the protection of data in storage. Mobile applications are used for all kinds of tasks, such as fitness monitoring, playing games, online banking, stock trading etc., and most of the data used by these applications is stored on the device itself, inside XML data stores, log files etc. The crucial and sensitive information stored by various apps varies, ranging from bank account details to location preferences. Application programming interfaces (APIs) that handle the storage of this data must securely implement encryption/hashing techniques so that an adversary with direct access to these data stores via theft or malware will not be able to decipher the sensitive information stored in them.
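A storage audit for the XML data stores mentioned above, as an added example that is not from the original article. It assumes an Android SharedPreferences-style file; the sample file, the name pattern and the function name are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: entry names that hint at sensitive content (heuristic, tune per app).
SENSITIVE_NAME = re.compile(r"(pass(word)?|pin|token|secret|account|card|iban)", re.I)

# Constructed sample of a preferences file pulled from a test device.
SAMPLE_PREFS = """<map>
    <string name="username">alice</string>
    <string name="account_number">0012345678</string>
    <string name="session_token">c2Vzc2lvbg==</string>
    <int name="login_pin" value="4921" />
    <boolean name="dark_mode" value="true" />
</map>"""


def find_plaintext_secrets(xml_text):
    """Return (entry name, entry type) for every sensitive-looking entry that
    holds a readable value. Values are deliberately left out of the findings
    so the audit report does not become a second copy of the secrets."""
    findings = []
    for elem in ET.fromstring(xml_text):
        name = elem.get("name", "")
        # <string> entries keep the value as text, typed entries as an attribute.
        value = elem.text if elem.text is not None else elem.get("value", "")
        if SENSITIVE_NAME.search(name) and value.strip():
            findings.append((name, elem.tag))
    return findings


if __name__ == "__main__":
    for name, kind in find_plaintext_secrets(SAMPLE_PREFS):
        print(f"plaintext {kind} entry: {name}")
```

Each finding is a candidate for encryption at rest or for removal from local storage altogether.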

  2. Broken Cryptography

Broken cryptography means weak controls that are used to protect the data. Poor cryptographic algorithms such as MD5, RC2 etc. can be easily broken by attackers, leading to a failure in encryption. Further, improper encryption key management, where the key is stored in locations accessible to other applications, or the use of a predictable key generation technique will also break the implemented cryptography techniques.

  3. Weak Server-Side Controls

It is no surprise that internet usage through mobile phones surpassed fixed internet access a long time ago. Primarily, this is a result of the emergence of new hybrid and HTML5 mobile applications. The servers that form the backbone of these applications, however, need a security mechanism, which is defined by the OWASP Top 10 web application project. Thus, vulnerabilities such as injections, insecure direct object references, insecure communication and so on may lead to a complete compromise of the application server. Attackers who have gained control of these compromised servers can attack the applications and personal data of the users, push malicious content and compromise user devices as well.

  4. Insufficient Transport Layer Protection

All hybrid and HTML5 apps work on a client-server architecture, so protecting data in motion is a must: the data traverses multiple channels and is vulnerable to tampering and eavesdropping by hackers. Controls such as SSL/TLS, which enforce confidentiality and integrity of the data, must be verified for correct implementation on the communication channel between the mobile application and its server.

  5. Unintended Data Leakage

At times, mobile applications may put the sensitive data of users in places accessible to other applications, including even malware. The functionalities responsible are mostly meant to improve the user experience and enhance usability, but they also have adverse effects on security. For instance, key press logging, OS data caching, web beacons or analytics cookies for advertisement delivery, and copy/paste buffer caching can be abused by hackers to obtain sensitive data relating to victims.

  6. Client-Side Injection

Injection vulnerabilities are the most common web vulnerabilities arising due to malformed inputs that cause unintended actions, such as altering database queries, command execution, etc. In the case of mobile applications, malformed inputs can be a serious threat at the local application level and on the server side as well. Injections at the local application level that mainly target data stores may result in conditions such as access of paid content locked for trial users or file inclusions, which may lead to abusing functionalities such as SMS and so on.
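The local data store case described above, as an added example that is not from the original article: a query that filters content for trial users, built first by string concatenation and then with bound parameters. The table layout, sample rows and malformed input are constructed for illustration.

```python
import sqlite3

# Constructed malformed input: the quote closes the string literal early.
MALFORMED = "zz%' OR tier = 'paid' --"


def open_store():
    """In-memory stand-in for the app's local data store (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE content (id INTEGER PRIMARY KEY, title TEXT, tier TEXT)")
    db.executemany(
        "INSERT INTO content (title, tier) VALUES (?, ?)",
        [("Intro workout", "trial"), ("Stretching basics", "trial"),
         ("Pro training plan", "paid")],
    )
    return db


def search_vulnerable(db, term):
    # Weak form: the input becomes part of the SQL text, so quote characters
    # in `term` change the structure of the query and the tier filter.
    sql = ("SELECT title FROM content WHERE tier = 'trial' "
           "AND title LIKE '%" + term + "%'")
    return [row[0] for row in db.execute(sql)]


def search_safe(db, term):
    # Hardened form: the input is bound as a parameter and is only ever data.
    # LIKE wildcards in the input are escaped so they match literally.
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = ("SELECT title FROM content WHERE tier = 'trial' "
           "AND title LIKE ? ESCAPE '\\'")
    return [row[0] for row in db.execute(sql, ("%" + escaped + "%",))]


if __name__ == "__main__":
    db = open_store()
    print("vulnerable:", search_vulnerable(db, MALFORMED))
    print("safe:      ", search_safe(db, MALFORMED))
```

With the malformed input the concatenated query returns the paid row to a trial user, while the parameterized query returns nothing; both behave the same for an ordinary search term.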

  7. Lack of Binary Protections

Mobile application source code is available to everyone. Usually, an attacker has the capacity to reverse engineer the code behind the application, insert malware into code components and recompile them. If these tampered applications are installed by a user, the user would be susceptible to data theft, become a victim of unintended actions, etc. Most applications do not ship with mechanisms such as checksum controls, which help in deducing whether the application has been tampered with or not.

  8. Poor Authorization and Authentication

Since mobile devices are personal devices containing important data concerning their users (such as credentials for bank logins etc.), developers use specific mechanisms (such as 2FA) to authenticate and authorize access to such services. However, if these mechanisms are poor and easily penetrable, hackers may circumvent the control procedures and gain unauthorized access to perform destructive functions. As the code is available to adversaries, they can perform binary attacks and recompile the code to access authorized content directly.

  9. Security Decisions via Untrusted Inputs

Certain functionalities, such as the use of hidden variables to check the authorization status, can be bypassed by tampering with those variables in transit via web service calls or inter-process communication calls. This may lead to privilege escalation and unintended behaviour of the mobile application.

  10. Improper Session Handling

The application server sends back the session token on successful authentication with the mobile application. These session tokens are used by the mobile application to request services. In circumstances where these session tokens remain active for a long time, hackers may bypass them through malware or theft and hijack the user account.
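A server-side sketch covering both this risk and the untrusted-input risk in the previous item, as an added example that is not from the original article: the session token is signed and time-limited, and the authorization decision reads the role from the verified token rather than from a client-supplied field. The key handling, the 15-minute lifetime and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: never leaves the server
MAX_AGE_SECONDS = 15 * 60             # assumption: short session lifetime


def _b64(data):
    return base64.urlsafe_b64encode(data).decode()


def issue_token(user, role, now=None):
    """Return 'payload.signature'; role and issue time are covered by the MAC."""
    now = time.time() if now is None else now
    payload = json.dumps({"user": user, "role": role, "iat": int(now)},
                         sort_keys=True).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token, now=None):
    """Return the claims, or None if the token is malformed, altered or expired."""
    now = time.time() if now is None else now
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)
    if now - claims["iat"] > MAX_AGE_SECONDS:   # stale tokens are rejected
        return None
    return claims


def is_admin(token, request_fields, now=None):
    # request_fields (for example a hidden "is_admin" value) is controlled by
    # the client and is deliberately ignored when making the decision.
    claims = verify_token(token, now)
    return claims is not None and claims["role"] == "admin"
```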
