It is a well-documented fact that information transfer over the internet is shifting to mobile devices at an alarming rate. Here are some links that provide a high-level statistical view supporting this claim (some simple Google-fu will often yield the same results):
- Mobile Applications Downloads Approached Eight Billion in 2010: http://www.itu.int/ITU-D/ict/newslog/Mobile+Applications+Downloads+Approached+Eight+Billion+In+2010.aspx
- Global Mobile Statistics 2011: http://mobithinking.com/stats-corner/global-mobile-statistics-2011-all-quality-mobile-marketing-research-mobile-web-stats-su#m-banking
- 170 Million Mobile Subscribers Will Make Domestic Person To Person Payments in 2011: http://www.abiresearch.com/press/1454-170+Million+Mobile+Subscribers+Will+Make+Domestic+Person+To+Person+Payments+in+2011
This growing adoption of mobile devices for personal and business needs puts enormous pressure on software shops developing mobile applications to meet extremely tight first-to-market deadlines. The result is often a strict development schedule in which security requirements are either compromised or omitted.
After numerous security assessments of mobile applications on both the iOS and Android platforms, a pattern of common security weaknesses begins to emerge. My goal with this article is to identify these pitfalls in order to assist mobile application development teams.
Rich Client Side Business Logic
One of the primary reasons mobile applications succeed, rich client-side functionality, also tends to introduce an array of security vulnerabilities when it is not carefully implemented. Rich client applications offer users direct access to a particular service while maintaining a simple and attractive user experience. Incorporating business logic such as transactional authentication, session timeout and password verification into the client application can often lead to unexpected security pitfalls. Consider the following SOAP response from the server, which forces the mobile client application to prompt for an additional password:
An attacker could use a simple HTTP proxy that captures requests and responses to alter the server's response and bypass the security controls built into the application's logic. The following shows the modified response:
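To make the weakness concrete, here is an added example (not code from the article) that models both sides of the step-up exchange described above. The SOAP response, the element name RequireTransactionPassword, the server classes and the transaction password "s3cret" are all constructed for illustration. The weak server trusts that the client prompted for the password whenever the flag said so; the hardened server keeps the pending state itself and refuses to commit until it has verified the password, so a flag flipped on the wire changes nothing.

```python
"""Added example (not from the article): a transaction step-up decided only by
the client, beside one the server enforces itself.

The SOAP response below is a constructed stand-in for the one the article
discusses, not the original.
"""
import hmac
import xml.etree.ElementTree as ET

# Constructed sample: the server reports that the transfer is pending a second,
# transaction-specific password.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <TransferResponse>
      <Status>PENDING</Status>
      <RequireTransactionPassword>true</RequireTransactionPassword>
    </TransferResponse>
  </soap:Body>
</soap:Envelope>
"""


def response_requires_password(xml_text):
    """What the client reads out of the response (the only check in the weak design)."""
    root = ET.fromstring(xml_text)
    node = root.find(".//RequireTransactionPassword")
    return node is not None and (node.text or "").strip().lower() == "true"


class ClientTrustingServer:
    """Weak design: the server assumes the client prompted for the password
    whenever the flag said so, and commits on request."""

    def __init__(self):
        self.committed = []

    def initiate(self, transfer_id):
        return SAMPLE_RESPONSE

    def commit(self, transfer_id, transaction_password=None):
        self.committed.append(transfer_id)
        return "COMMITTED"


class StepUpEnforcingServer:
    """Hardened design: the pending state lives on the server, and commit only
    succeeds once the server itself has checked the transaction password."""

    def __init__(self, transaction_password):
        self._password = transaction_password.encode("utf-8")
        self._awaiting_password = set()
        self.committed = []

    def initiate(self, transfer_id):
        self._awaiting_password.add(transfer_id)
        return SAMPLE_RESPONSE

    def commit(self, transfer_id, transaction_password=None):
        if transfer_id not in self._awaiting_password:
            return "UNKNOWN_TRANSFER"
        if transaction_password is None or not hmac.compare_digest(
            transaction_password.encode("utf-8"), self._password
        ):
            return "DENIED"          # state stays pending; nothing moved
        self._awaiting_password.discard(transfer_id)
        self.committed.append(transfer_id)
        return "COMMITTED"


def client_flow(server, transfer_id, password_typed=None, proxy=lambda r: r):
    """The mobile client's logic. `proxy` models an intercepting HTTP proxy on the
    path between device and server; the identity default means no tampering."""
    response_seen = proxy(server.initiate(transfer_id))
    if response_requires_password(response_seen):
        return server.commit(transfer_id, password_typed)   # user was prompted
    return server.commit(transfer_id)                       # no prompt shown


def flip_flag(response):
    """Models the article's modified response: the step-up flag changed to false."""
    return response.replace(">true<", ">false<")
```

Run client_flow against ClientTrustingServer with proxy=flip_flag and the transfer commits without any password; run it against StepUpEnforcingServer and the same tampering yields DENIED, because the decision was never the client's to make. The flag in the response is fine as a UI hint; it must not be the control.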
Sensitive Data Stored on Mobile Devices
With the growing storage space on today's mobile devices, caching application information on the local device is an option many mobile applications exercise. Given the performance overhead of repeatedly encrypting and decrypting sensitive information, mobile applications often default to storing it in clear text. Android and iOS devices can be rooted or jailbroken, which gives users unrestricted access to the underlying filesystem. Using this root-level access, malicious users can easily retrieve the sensitive information stored in the application's sandbox.
When choosing to store sensitive data on mobile devices, it is important to encrypt it. iOS provides a "data protection" API which encrypts data with a key derived from the user's passcode, although security researchers have raised some concerns about it (http://www.encryptsolutions.com/2011/01/25/apple-and-their-elusive-full-disk-encryption-solution/). Android provides APIs for cryptographic primitives, but no ready-made protocol for encrypting data with a key derived from a password. Developers may therefore find themselves deciding what to use to generate keys, how to use them, and where to store them. Developers often make sure they use strong cryptographic algorithms to encrypt data, but choose poor key management protocols. When keys are stored on the device, shared between users, or hardcoded, they do not provide adequate protection for data at rest. It is important to choose strong protocols, not just strong algorithms, when encrypting sensitive data stored on mobile devices.
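The "strong algorithm, weak protocol" distinction is easiest to see by looking at what actually lands in the sandbox. The following is an added example (not code from the article or from either platform's SDK) contrasting a key generated on the device and saved next to the data with a key derived from the user's passcode at unlock time. It uses only the Python standard library, so the cipher is HMAC-SHA256 run in counter mode with an encrypt-then-MAC tag, standing in for AES-GCM; the iteration count, file names and sample passcode are assumptions.

```python
"""Added example (not from the article): what ends up on the filesystem when the
key is stored beside the data versus derived from the user's passcode.

Standard library only. The cipher is HMAC-SHA256 in counter mode with an
encrypt-then-MAC tag, a stand-in for AES-GCM (which the standard library
does not ship); the point is the key-management protocol around it.
"""
import hashlib
import hmac
import os
import struct

PBKDF2_ITERATIONS = 100_000   # assumption: tune to what the device can afford


def derive_key(passcode, salt, iterations=PBKDF2_ITERATIONS):
    """64 bytes: 32 for encryption, 32 for the MAC. Held in memory, never written to disk."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"), salt, iterations, dklen=64)


def _keystream(enc_key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a block cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key64, plaintext):
    enc_key, mac_key = key64[:32], key64[32:]
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key64, blob):
    enc_key, mac_key = key64[:32], key64[32:]
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


# --- weak protocol: strong algorithm, but the key sits in the sandbox next to the data ---

def store_with_device_key(plaintext):
    """Returns the files as they would sit in the app sandbox: the key is one of them."""
    key = os.urandom(64)
    return {"key.bin": key, "data.bin": seal(key, plaintext)}


def read_without_passcode(files):
    """Everything needed to decrypt is on disk, which is all root access needs."""
    return unseal(files["key.bin"], files["data.bin"])


# --- stronger protocol: the key exists only while the user has entered the passcode ---

def store_with_passcode(passcode, plaintext):
    salt = os.urandom(16)    # per-install random salt; safe to store in the clear
    key = derive_key(passcode, salt)
    return {"salt.bin": salt, "iterations": PBKDF2_ITERATIONS, "data.bin": seal(key, plaintext)}


def unlock_with_passcode(files, passcode):
    key = derive_key(passcode, files["salt.bin"], files["iterations"])
    return unseal(key, files["data.bin"])   # wrong passcode fails the tag check
```

Both variants use the same cipher; only the second leaves nothing on disk that decrypts the data by itself, and a wrong passcode or a modified file fails the tag check rather than returning garbage. On the real platforms the same protocol is available from the SDK primitives the article mentions: PBKDF2 through javax.crypto.SecretKeyFactory and an authenticated AES mode through javax.crypto.Cipher on Android, and the passcode-bound data protection classes on iOS. The usual trade-off remains: a short numeric passcode limits what any derivation can achieve, so the iteration count should be as high as the device tolerates.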
Depending on Client Side Data Validation
Relying solely on client side data validation is a security weakness that has been beaten to death by security professionals across all domains. Given the market pressures discussed above, this elusive data validation weakness has crept back into application development in the mobile application space. A plethora of mobile applications allow users to access the same service from both the mobile device and the web. This convolutes the application's data path and introduces a significant list of abuse cases and attack vectors when performing a threat model. Malicious users can easily bypass client side data validation by using an HTTP proxy between the mobile application and the server. Since user-supplied information may later be displayed in a web browser, relying purely on client side input validation can lead to cross-platform attacks.
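The fix is the same as it has always been: the server validates every field on every path, and the web front end encodes on output regardless. The example below is added here and is not code from the article; the endpoint, the allowlist for a display name and the sample values are constructed. It shows one validation routine shared by the mobile and web paths, so skipping the mobile client's own checks through a proxy changes nothing, plus output encoding as a second layer for the case where the stored value reaches a browser.

```python
"""Added example (not from the article): the same field validated on the server
for both the mobile client and the web front end, and encoded on output."""
import html
import re

# Allowlist: what a display name is permitted to contain (constructed rule).
_DISPLAY_NAME = re.compile(r"[A-Za-z0-9 .'-]{1,40}")


class ValidationError(ValueError):
    pass


def validate_display_name(raw):
    """Allowlist validation: reject anything outside the expected character set
    and length, rather than trying to strip known-bad sequences."""
    if not isinstance(raw, str) or not _DISPLAY_NAME.fullmatch(raw):
        raise ValidationError("display name may only contain letters, digits, space, . ' -")
    return raw.strip()


def api_update_profile(profile_store, user_id, payload):
    """Server endpoint used by both the mobile app and the web site. It validates
    regardless of which client sent the request, because the mobile client's
    checks may have been skipped or the request replayed through a proxy."""
    name = validate_display_name(payload.get("display_name", ""))
    profile_store[user_id] = name
    return {"ok": True}


def render_profile_html(profile_store, user_id):
    """Web view: encode on output as well. Validation rules change over time and
    data may have entered through an older path; encoding keeps the page inert."""
    return '<span class="name">{}</span>'.format(html.escape(profile_store[user_id]))
```

The two layers are independent on purpose: validate_display_name stops malformed data from being stored at all, and render_profile_html makes sure that whatever is stored cannot be interpreted as markup when the web client shows it.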
Poor Local Session Management
Developers often need to time out the mobile client application when it is idle for a certain period, to prevent access to sensitive information or actions once an attacker has gained access to the device. This "timeout" may include logging the user out, putting up a password screen, or deleting sensitive temporary files. Malicious users can sometimes circumvent these password screens by modifying the date on the phone or tampering with files stored on the device. Local session management and timeout schemes that rely on user-modifiable data can be exploited by an attacker with access to the device.
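The clock-change bypass is worth seeing side by side with a timeout that does not depend on anything the user can edit. The following is an added example (not code from the article); the simulated clocks and the five-minute limit are constructed so that the behaviour can be exercised without waiting. The naive lock compares wall-clock timestamps, which the phone's date setting controls; the hardened lock reads a clock that only counts up, treats any backwards jump as expiry, latches the locked state in memory until a successful re-authentication, and writes nothing to a file.

```python
"""Added example (not from the article): an idle timeout that trusts the wall
clock versus one that cannot be moved backwards by the user."""
import time


class SettableClock:
    """Simulates the device's wall clock: what time.time() returns, and what the
    user can change in the phone's date settings."""

    def __init__(self, start):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds

    def set_back(self, seconds):          # user edits the date in Settings
        self.now -= seconds


class MonotonicClock:
    """Simulates a clock that only counts up since boot (time.monotonic() in
    Python, SystemClock.elapsedRealtime() on Android); there is no way to set it."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class NaiveIdleLock:
    """Lock-screen logic that compares wall-clock timestamps."""

    def __init__(self, limit_seconds, clock=time.time):
        self._limit = limit_seconds
        self._clock = clock
        self._last_activity = clock()

    def touch(self):
        self._last_activity = self._clock()

    def is_locked(self):
        return self._clock() - self._last_activity >= self._limit


class HardenedIdleLock:
    """Uses a monotonic clock, treats a backwards jump as expiry, latches the locked
    state until re-authentication, and keeps that state only in memory."""

    def __init__(self, limit_seconds, clock=time.monotonic):
        self._limit = limit_seconds
        self._clock = clock
        self._last_activity = clock()
        self._locked = False

    def touch(self):
        if not self._locked:              # activity while locked must not extend the session
            self._last_activity = self._clock()

    def is_locked(self):
        if self._locked:
            return True
        elapsed = self._clock() - self._last_activity
        if elapsed < 0 or elapsed >= self._limit:
            self._locked = True           # only unlock() with a good passcode clears this
        return self._locked

    def unlock(self, passcode_accepted):
        """Called after the server (or the passcode check) has verified the user."""
        if passcode_accepted:
            self._locked = False
            self._last_activity = self._clock()
        return not self._locked
```

A monotonic clock restarts at boot, so an app that is killed and relaunched simply constructs a new lock and should start in the locked state; combined with server-side session expiry, the device state then never decides on its own whether a session is still valid.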