OWASP's forgotten sibling

By: Harold Rodriguez

While OWASP’s list of the top 10 web application security risks is seen as the cybersecurity bible by most product developers and security experts, its little brother, the mobile top 10 list, doesn’t seem to get quite as much air time.

But why is that? Is it because we believe that mobile applications are somehow inherently safer? Less prone to breaches and hacks? Is it false confidence? Or maybe ignorance?

A false sense of security

A lot of developers take for granted that the platform they’re building their mobile application on is secure. A developer might design their app for the web and then create a mobile version with a nice interface that hooks into an API. This option will largely minimize the attack surface of the mobile application itself. But that doesn’t make it inherently secure.

The app’s users will still typically pass through authentication to log into the app on their phone, and how they do that is highly sensitive. If the login process isn’t secured, they risk leaving credentials or plain-text data on the device that could potentially be stolen.

There are also security risks when pushing and pulling data from the application, either through the API or through other hooks that have been created. For example, there are a lot of older apps that are entirely API-driven and use more legacy means of communicating. If those apps are leaving fragments of data on the device, that data can be at risk. Depending on where you set things to be stored and downloaded, these fragments of data could be visible to other applications on the device.

Developers might also be storing tokens on the device that grant access and aren’t expiring properly. Somebody can then steal those tokens from the device and use them to authenticate as the user at a later time, because the tokens aren’t expiring fast enough.

But developers aren’t the only ones holding on to this false sense of security. Consumers also believe that the iPhone or Android device they’re using to run these applications is unquestionably secure. But we know that’s not always the case. In fact, sometimes it can even be riskier than a desktop, depending on the user, the use case, and the nature of the application.

The biggest mobile security threats

Most of the time, the biggest mobile security risks are malicious apps that seem innocuous, like a game add-on or a sticker app. Once a user downloads one of these apps from the app store, the malicious app can exfiltrate data from other legitimate applications on the device. One famous example of this is a flashlight application that asked for access to a ton of data, including the user’s GPS location.

If a developer doesn’t properly secure their application’s data, and a user grants access to one of these malicious applications, it can leave the user’s sensitive information exposed.

The changing tide of mobile security

Mobile is still a relatively secure environment, but breaches are becoming more prevalent. While attacking a mobile device itself takes more know-how than attacking, say, a Windows desktop, we are seeing an increase in organized crime and nation-state attack groups targeting mobile devices these days.

Why? Well, there are two reasons. One is obviously because we are using our mobile phones more and more as daily computing devices. The other is because we’re also using them as a source of trust. We believe implicitly that our devices are secure. Web developers do. Users do. We all assume that our phones, which we rely on for things like two-factor authentication, are inherently locked down against breaches.

Reverse engineering an application

But while finding vulnerabilities in mobile applications isn’t easy, it’s also not impossible. When a developer codes an application for the web, all of that source code is obfuscated: it exists in the application that runs it, but the average person can’t just download it and read it.

However, anybody can get hold of the app’s APK or IPA file. Using a jailbroken device, they can reverse engineer the code, unpack it, and decrypt it.

And then you can look at the application code and, more often than not, uncover risky coding practices, like hard-coded tokens, hard-coded SSH keys, hard-coded crypto keys, and hard-coded function passwords. Anyone could ostensibly get access to these if they wanted to, because the code hasn’t been developed securely.
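The hard-coded secrets described above are exactly what a developer should be looking for in their own build before it ships, since whatever is in the package is readable to anyone who unpacks it. Below is an added example (not from the original post or from Cycura) of a small pre-release check: it scans source text with a few heuristic patterns for private-key blocks, hard-coded passwords, tokens and hex key material. The sample source and the rule patterns are constructed for illustration and are not a real app or a vendor ruleset.

```python
import re

# Constructed sample of what a decompiled Android source file might look like.
# Every value here is made up for illustration; none comes from a real app.
SAMPLE_SOURCE = """
package com.example.app;
public class ApiClient {
    private static final String BASE_URL = "https://api.example.com";
    private static final String API_TOKEN = "sk_live_0123456789abcdef0123456789abcdef";
    private static final String SSH_KEY = "-----BEGIN RSA PRIVATE KEY-----";
    private static final String AES_KEY = "0f1e2d3c4b5a69788796a5b4c3d2e1f0";
    private static final String ADMIN_PASSWORD = "hunter2";
    private static final int TIMEOUT = 30;
}
"""

# Heuristic rules (hypothetical, not a vendor ruleset): (name, compiled regex).
# Each targets one of the hard-coded-secret patterns the article lists.
RULES = [
    ("private-key-block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("hardcoded-password", re.compile(r'(?i)(password|passwd|pwd)\w*\s*=\s*"([^"]+)"')),
    ("hardcoded-token", re.compile(r'(?i)(token|api_?key|secret)\w*\s*=\s*"([^"]{16,})"')),
    ("hex-key-material", re.compile(r'(?i)key\w*\s*=\s*"([0-9a-f]{32,})"')),
]


def scan_source(text):
    """Return a list of (line_no, rule_name, stripped_line) for each rule hit.

    A line can trigger more than one rule; each hit is reported separately so
    the reviewer sees every reason a line was flagged.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((line_no, name, line.strip()))
    return findings


if __name__ == "__main__":
    # Run over the constructed sample; in practice point this at a build's
    # source tree (or decompiled output) before release.
    for line_no, name, snippet in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {name}: {snippet}")
```

Treat any hit as a finding to triage: the fix is to move the secret out of the binary (a server-side exchange, per-user short-lived tokens, or platform keystores) rather than to rename the constant so the pattern no longer matches.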

Securing your mobile apps

Not sure if your mobile app is susceptible to cybersecurity attacks? Cycura provides research-powered, customized offensive cybersecurity services to organizations and governments of all sizes. We’re a scalable, responsive cybersecurity partner, ready to help you close gaps, reduce risk, and strengthen your security posture.

To learn more, set up a free discovery call for your organization.