Security Mistakes and Exploitation of Mobile Apps

Security mistakes in mobile app development are quite common and can lead to the user’s mobile device being compromised and his or her data being manipulated by the hacker.

Security Mistakes and Exploitation of Mobile Apps

As the race for supremacy in the smartphones business increases, vendors’ focus on creating more sophisticated apps for their customers leads them to use the services of mobile app developers. However, in their bid to make efficient and attractive apps, mobile app developers may sometimes commit mistakes that can lead to a lot of problems for the customers who use those apps.

A little carelessness and lack of proper testing can lead to faulty or potentially malicious apps to make their way to the app market, thereby infecting the devices of the users online who download and install them. What’s more alarming is that it is quite simple to exploit the common security mistakes that mobile app developers make while developing their app.

Hackers can use a few simple tools to cause all kinds of damage to the life of user by gaining access to his or her mobile device once they know that an app has some weakness. To help developers know more about the mistakes they might have committed or might commit in the future and how dangerous it can be for the customers, we discuss the three worst security mistakes that mobile app developers make in this article. If you are a developer, you need to know about these.

Worst Mobile Applications Development Security Mistakes

Weak Server Side Controls

Weak server side controls include anything that is not done on the device but on a separate server. Client-server interaction in mobile apps is a common scenario, but not taking the proper mobile security measures while establishing a connection with a server or interacting with it thereafter could lead to many problems. For example, improper sessional management can lead to an eavesdropper gaining access to client privileged information from the mobile device using your mobile app.

Another example of weak server side controls is not including the local and remote files properly. Remote files are included from servers for an app’s working, but if your app does not take proper precautions as to what data can be accessed by the remote files that are included through your app, then one could access all kinds of information from the customer’s device.

Although proper server authentication and authorization mechanisms are known to web developers and coders, the same is not true for mobile app developers. This is because the languages and the software used for developing apps do not have a lot of functionalities for security management.

Developers themselves sometimes do not pay proper attention to this aspect. Even though mobile apps use similar client-server exchange mechanisms as traditional internet connections and services, mobile operating systems and apps do not have a lot of security features to adopt. This makes exploiting weak server side controls simple for hackers.

Insecure Data Storage

Your app will invariantly need to access data on the device it is installed on. Knowing about the data your app will access and how it will use it is vital in order to prevent misuse of customer’s data on his or her device. If you fail in understanding the interaction or data exchange between your app and the client device, then improper data handling is very much on the cards. This includes data not being encrypted properly while it is being shared or when it is stored on the client’s device.

It can also include not protecting the encryption keys used to encrypt the data from malware attacks. If your app stores sensitive client data like bank account details as plaintext, then a hacker who has got his hands on the device can simply use third party tools to read that information and use it as he or she likes. This is one of the biggest blunders you can commit and one of the easiest ones to exploit.

As we mentioned above, anyone with access to someone’s mobile phone can use third party tools to extract the information stored in the device if the data that is stored by your app is not encrypted properly. Not only is proper encryption required, but your app must also be able to withstand malware attacks that seek to extract the encryption keys used to encrypt the data.

Insufficient Transport Layer Protection

Insufficient transport layer protection is a really nasty and harmful mistake. The transport layer, as the name suggests, is used for transporting data packets from one host to another. The transporting of data packets requires the establishing of a connection through a handshake (request-reply messages), after which data can be transferred from one host to another. There is a big chance, no, almost a surety, that your app will communicate with remote servers and other hosts.

It is easy to see how bad things can be if there is insufficient transport layer protection. The connection your app establishes might not be properly encrypted, or the certificate offered by the server before the connection is established might not be properly inspected by your mobile app before establishing a connection with it. In either of these scenarios, the data your app shares with other servers or hosts can be easily intercepted and thus compromised.

Transport Layer protection is done at least in part by mobile apps. Authentication is done while establishing the connection, but after that, no measures are taken to preserve the confidentiality and integrity of data. This is something that you as mobile developers should pay attention to. It is vital that your mobile app makes sure that the data it is receiving and sharing is coming from and going to a reliable host.

If your app does not inspect the security certificate of the server or host, then it is quite simple for a malicious server or host to establish a connection with your app. Once this is done, then the data you share is in the hands of a hacker. There is no knowing how he or she would use the data your app shares. In case, your app needs to share sensitive data then the user’s identity could easily be stolen and misused.

Conclusion

All these mistakes are dangerous to the end users. Since the satisfaction of end users are at the center of app development, it is absolutely vital that you as an app developer take care that you do not commit such mistakes. Knowing is half the job as ignorance breeds disaster. However, even after knowing about these mistakes, you might commit them at some point or another. Therefore, it is always a good practice to test your app thoroughly and scan it before publishing it on the market.

Top/Featured Image: By Microsiervos / Flickr

Pierluigi Paganini Cyber Security Analyst; Member, European Union Agency for Network and Information Security Threat Landscape Stakeholder Group; Founder, Security Affairs Blog. Co-author of The Deep Dark Web: The Hidden World.

2 thoughts on “Security Mistakes and Exploitation of Mobile Apps”

  1. Indeed a great list of common WordPress security mistakes.

    A couple of days back I faced a situation where there was some unwanted ads being displayed on my blog and that was something I did not install. When inspected I found that there was a lot of unwanted codes that were injected into the WordPress theme files and other main files.

    On further inspection I found out the following 3 things which were the reasons for this:

    1). Not updating the other WordPress installation, plugins and themes that are being run from the same hosting account if you are using a shared hosting
    .
    2). Optimizepress 1.0 is known to have a security issue and they have released an update to it. This doesn’t update in the normal updates from your wordpress dashboard. You might want to update it manually, if you haven’t done it yet.

    3). Not Cleaning and optimizing your database periodically

    4). Leaving the default themes like twentyeleven etc. as it is and not updating them. This primarily happens if you are using a different theme and these default themes just remain there.

    5). Not uninstalling plugins that haven’t been updated for a long time by its creators.

    These are prone to attacks. A couple of solutions that I found was installing plugin like Wordfence or, Bullet Proof Security or, Better WP security.

    Reply
Leave a Comment