By Dmitry Vyrostkov, Head of Security, DataArt
Recent figures show that thus far in 2020, mobile applications have been downloaded more than 244 billion times, and 60% of digital media time was spent on smartphones and tablets. Increasingly, our daily lives depend on apps for communication, time management, banking and trading, shopping, and entertainment. According to Juniper Research, total transaction value in the mobile financial services market will rise from $580 billion in 2019 to $1 trillion by 2024. With such growth in the number of mobile applications and services, demand for securing devices and apps will also increase.
DataArt experts regularly carry out security analysis on mobile applications. This article summarizes the key security issues that have been found in iOS and Android applications during our security assessments.
Insecure data storage was by far the most common security risk identified within the applications tested: over 80% of those examined exhibited it, which threatens the privacy and security of legitimate users. Typical examples were credentials and other sensitive data kept in plaintext preference files and SQLite databases inside the application sandbox, where a device backup, a rooted or jailbroken device, or any other flaw that exposes the file system turns them into a leak. Such data belongs in the platform key store (Android Keystore, iOS Keychain) or should be encrypted with a key held there, and should not be stored at all when the server can supply it on demand.
Another common mistake was the use of insecure snapshots. These are the screenshots the operating system takes of an application's last screen when it moves to the background, so that the task switcher can display it and the app can be restored to its previous state. Sensitive data such as card numbers or private messages should be hidden before the snapshot is taken (on iOS by covering the sensitive views when the app resigns active, on Android by setting FLAG_SECURE on the window, which blanks the task-switcher thumbnail), but about 75% of the applications failed on this count.
Every third vulnerability found in Android applications stems from configuration flaws. For instance, leaving android:allowBackup enabled in the manifest lets anyone with USB debugging access run adb backup and obtain a copy of the application's private data, including the user's preferences, databases and files, without root privileges on the device. Android 12 excludes the data of applications that target API level 31 or higher from adb backup by default, but applications with older targets remain exposed.
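The two findings above (plaintext secrets in the app sandbox, and allowBackup making that sandbox reachable without root) are usually confirmed together: pull a backup, unpack it, and look for credentials in the preferences and databases it contains. The script below is an added example written for this article, not code from DataArt or from any application it assessed. It parses the unencrypted adb backup container format, walks the tar stream inside it and flags preference keys and database columns whose names suggest secrets. The package name, file names, the name-matching heuristic and the backup contents are all constructed for the demo.

```python
"""Unpack an unencrypted `adb backup` archive (.ab) and scan the app data in it
for plaintext credentials.  Added example; every byte of the sample backup is
constructed here, not taken from a real application."""
import io
import os
import re
import sqlite3
import tarfile
import tempfile
import zlib
from xml.etree import ElementTree as ET

AB_MAGIC = b"ANDROID BACKUP"
# Heuristic (assumption) for preference / column names that should never hold plaintext.
SECRET_NAME = re.compile(r"pass|pwd|secret|token|api.?key|cvv|card|pin", re.I)
JWT_VALUE = re.compile(r"eyJ[\w-]+\.eyJ[\w-]+\.[\w-]+")


def parse_ab(data: bytes) -> tuple[dict, bytes]:
    """Split an .ab file into its header and the decompressed tar stream.

    Layout: four newline-terminated text lines ("ANDROID BACKUP", format
    version, compressed flag 0/1, encryption "none" or "AES-256"), then a
    tar stream that is zlib-deflated when the compressed flag is 1.
    """
    parts = data.split(b"\n", 4)
    if len(parts) < 5 or parts[0] != AB_MAGIC:
        raise ValueError("not an Android backup file")
    header = {"version": int(parts[1]), "compressed": parts[2] == b"1",
              "encryption": parts[3].decode()}
    if header["encryption"] != "none":
        raise ValueError("backup is password-encrypted; decrypt it first")
    payload = zlib.decompress(parts[4]) if header["compressed"] else parts[4]
    return header, payload


def scan_prefs_xml(name: str, blob: bytes) -> list[str]:
    """SharedPreferences files look like <map><string name="k">v</string></map>."""
    hits = []
    for el in ET.fromstring(blob):
        key = el.get("name", "")
        value = el.text or el.get("value") or ""
        if SECRET_NAME.search(key) or JWT_VALUE.search(value):
            hits.append(f"{name}: preference {key!r} holds {value!r}")
    return hits


def scan_sqlite(name: str, blob: bytes) -> list[str]:
    """Flag columns whose name suggests a secret and that actually hold data."""
    hits = []
    with tempfile.NamedTemporaryFile(suffix=".db", delete=False) as tmp:
        tmp.write(blob)
    try:
        con = sqlite3.connect(tmp.name)
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            for row in con.execute(f'PRAGMA table_info("{table}")'):
                col = row[1]
                if SECRET_NAME.search(col):
                    n = con.execute(f'SELECT count(*) FROM "{table}" '
                                    f'WHERE "{col}" IS NOT NULL').fetchone()[0]
                    hits.append(f"{name}: {table}.{col} holds {n} plaintext value(s)")
        con.close()
    finally:
        os.unlink(tmp.name)
    return hits


def scan_backup(ab_bytes: bytes) -> list[str]:
    """adb backup lays app data out as apps/<package>/sp/*.xml and apps/<package>/db/*."""
    _, tar_bytes = parse_ab(ab_bytes)
    hits = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            blob = tar.extractfile(member).read()
            if "/sp/" in member.name and member.name.endswith(".xml"):
                hits += scan_prefs_xml(member.name, blob)
            elif "/db/" in member.name and blob.startswith(b"SQLite format 3\x00"):
                hits += scan_sqlite(member.name, blob)
    return hits


def build_sample_backup() -> bytes:
    """Constructed stand-in for what `adb backup -noapk com.example.bank` returns."""
    prefs = (b'<?xml version="1.0" encoding="utf-8" standalone="yes"?>\n<map>\n'
             b'<string name="username">alice</string>\n'
             b'<string name="password">hunter2</string>\n'
             b'<string name="auth_token">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.x</string>\n'
             b'</map>\n')
    with tempfile.NamedTemporaryFile(suffix=".db", delete=False) as tmp:
        path = tmp.name
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE cards(id INTEGER PRIMARY KEY, holder TEXT, card_number TEXT, cvv TEXT)")
    con.execute("INSERT INTO cards VALUES (1, 'alice', '4111111111111111', '123')")
    con.commit()
    con.close()
    with open(path, "rb") as f:
        db = f.read()
    os.unlink(path)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, blob in (("apps/com.example.bank/sp/creds.xml", prefs),
                           ("apps/com.example.bank/db/wallet.db", db)):
            info = tarfile.TarInfo(name)
            info.size = len(blob)
            tar.addfile(info, io.BytesIO(blob))
    return b"ANDROID BACKUP\n5\n1\nnone\n" + zlib.compress(buf.getvalue())


if __name__ == "__main__":
    for finding in scan_backup(build_sample_backup()):
        print(finding)
```

Against a real device the first step is simply adb backup -noapk <package> followed by scan_backup(open("backup.ab", "rb").read()); a backup taken with a password comes back with an "AES-256" header line and needs to be decrypted before this parser will accept it. The name heuristic is deliberately loose: in an assessment the false positives are cheap to dismiss, while a missed token is not.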
Just over a third of applications were found to exhibit vulnerabilities related to insecure data transmission and incorrect session management. Examples of insecure data transfer include incomplete certificate validation (for example, no certificate pinning) and the use of plain HTTP. This flaw is far less common in iOS, most likely because App Transport Security, introduced in iOS 9, blocks cleartext connections unless the developer explicitly opts out; Android has applied a comparable default only since Android 9 (API level 28), so applications targeting older levels still need an explicit network security configuration. Weak session management most often took the form of sessions that never expire.
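What "missing session expiration" costs is easiest to see next to a session store that has the controls: an unguessable identifier, an idle timeout, an absolute lifetime, rotation on login and revocation on logout or password change. The following is an added example written for this article, not DataArt's code or any client's; the store is in-memory, the clock is injectable so expiry can be exercised without waiting, and the 15-minute idle and 8-hour absolute limits are assumptions to adjust per application.

```python
"""Server-side session handling with the controls whose absence showed up as
'weak session management'.  Added example; in-memory store, constructed clock,
timeout values are assumptions."""
import secrets
import time
from dataclasses import dataclass
from typing import Optional

IDLE_TIMEOUT = 15 * 60        # assumed: seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed: hard cap regardless of activity


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Only opaque ids leave the server; nothing about the user is encoded in the id."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so expiry can be tested without sleeping
        self._sessions: dict[str, Session] = {}

    def create(self, user: str, old_sid: Optional[str] = None) -> str:
        # Rotate on authentication: a pre-login id (fixation, shoulder-surfing) must not survive.
        if old_sid is not None:
            self._sessions.pop(old_sid, None)
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not a counter or timestamp
        now = self._clock()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def resolve(self, sid: str) -> Optional[str]:
        """Return the user for a live session, or None (and drop it) once it has expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.created > ABSOLUTE_TIMEOUT or now - s.last_seen > IDLE_TIMEOUT:
            self.revoke(sid)
            return None
        s.last_seen = now
        return s.user

    def revoke(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def revoke_all(self, user: str) -> int:
        """Logout-everywhere, e.g. after a password change or a detected compromise."""
        dead = [sid for sid, s in self._sessions.items() if s.user == user]
        for sid in dead:
            del self._sessions[sid]
        return len(dead)


class FakeClock:
    """Constructed clock for the demo; production code passes time.time."""
    def __init__(self, start: float = 1_000_000.0):
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict:
    clock = FakeClock()
    store = SessionStore(clock.now)
    anon = store.create("anonymous")
    sid = store.create("alice", old_sid=anon)          # login rotates the id
    results = {"old_id_dead": store.resolve(anon) is None}
    clock.advance(10 * 60)
    results["alive_after_10min"] = store.resolve(sid) == "alice"
    clock.advance(IDLE_TIMEOUT + 1)
    results["dead_after_idle"] = store.resolve(sid) is None
    sid = store.create("alice")
    for _ in range(ABSOLUTE_TIMEOUT // (10 * 60)):    # touch it every 10 minutes...
        clock.advance(10 * 60)
        store.resolve(sid)
    clock.advance(10 * 60)
    results["dead_after_absolute"] = store.resolve(sid) is None   # ...the absolute cap still wins
    return results


if __name__ == "__main__":
    print(demo())
```

The client side of this is the mobile app forgetting the session id on logout and not persisting it in the plaintext storage discussed above; the server side is what the store enforces, which is why a captured identifier from a six-month-old backup should be worthless.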
We have found that about every fifth application contains insecure inter-process communication. IPC mechanisms (exported activities, services, broadcast receivers and content providers on Android; custom URL schemes and app extensions on iOS) are used by applications that share functionality with other apps on the same device. When such an entry point is exposed without a permission, or without validating what it receives, a malicious application installed on the same device can invoke it to read or manipulate the data processed by the vulnerable software; neither network access to the victim nor physical access is needed.
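On Android the exposure is visible in the manifest before any dynamic testing: a component is reachable by other apps when it is explicitly exported, or (below API level 31) when it declares an intent filter without saying otherwise, and it is a finding when nothing guards it. The linter below is an added example written for this article, not DataArt's tooling; it applies those rules to a constructed manifest and also reports the application-level flags (debuggable, allowBackup, usesCleartextTraffic) that belong to the configuration and build-settings findings elsewhere in this article. The package and component names are invented.

```python
"""Static check for the Android IPC exposure described above: which manifest
components another app on the same device can reach, and whether a permission
guards them.  Added example; the manifest below is constructed, not a real app's."""
from xml.etree import ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def attr(name: str) -> str:
    return f"{{{ANDROID_NS}}}{name}"


def is_launcher(el: ET.Element) -> bool:
    """The MAIN/LAUNCHER activity is exported by design; skip it."""
    return any(a.get(attr("name")) == "android.intent.action.MAIN"
               for f in el.findall("intent-filter") for a in f.findall("action"))


def is_exported(el: ET.Element, target_sdk: int) -> bool:
    explicit = el.get(attr("exported"))
    if explicit is not None:
        return explicit == "true"
    if el.tag == "provider":
        return target_sdk < 17            # providers defaulted to exported before API 17
    # Without an explicit flag, an intent filter makes the component reachable
    # (API 31+ refuses to install such ambiguity and requires android:exported).
    return el.find("intent-filter") is not None


def exposed_components(manifest_xml: str) -> list[dict]:
    """Exported components that no permission protects."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    target_sdk = int(sdk.get(attr("targetSdkVersion"), "1")) if sdk is not None else 1
    findings = []
    for el in root.find("application"):
        if el.tag not in COMPONENT_TAGS or not is_exported(el, target_sdk):
            continue
        if el.tag == "activity" and is_launcher(el):
            continue
        guards = [p for p in ("permission", "readPermission", "writePermission")
                  if el.get(attr(p))]
        if not guards:
            findings.append({"type": el.tag, "name": el.get(attr("name")),
                             "has_intent_filter": el.find("intent-filter") is not None})
    return findings


def application_flags(manifest_xml: str) -> list[str]:
    """Build / configuration flags that should not be true in a release manifest."""
    app = ET.fromstring(manifest_xml).find("application")
    return [flag for flag in ("debuggable", "allowBackup", "usesCleartextTraffic")
            if app.get(attr(flag)) == "true"]


# Constructed manifest with one component of each outcome.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.bank">
  <uses-sdk android:targetSdkVersion="30"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="bankapp"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.bank.SYNC"/>
    <provider android:name=".AccountProvider" android:authorities="com.example.bank"
              android:exported="true"/>
    <receiver android:name=".BootReceiver"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for f in exposed_components(SAMPLE_MANIFEST):
        print(f"exported {f['type']} {f['name']} without a permission")
    print("flags:", application_flags(SAMPLE_MANIFEST))
```

A hit from this script is a lead, not a verdict: an exported deep-link activity is often intentional, and the real question is whether the code behind it validates the incoming intent or URI before acting on it. Run it against the manifest extracted from the release APK (for example with apktool), since the manifest in source control may differ from what the build produced.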
Weak anti-reversing defenses, poor code quality, and insecure application build settings (such as release builds that remain debuggable) were among the other common flaws. For example, we often found the following techniques missing:
- root / jailbreak detection
- emulator detection
- debugger detection
- file integrity checks
- code obfuscation
None of these controls protects data on its own: each can be bypassed with a hooking framework or a patched binary, so they should be treated as raising the cost of reverse engineering, never as a substitute for secure storage and server-side enforcement.
Nearly all the mobile applications had related server components, which also contained various vulnerabilities.
The majority of server-side components contained configuration flaws, such as disclosure of sensitive information in error messages or service fingerprinting through HTTP headers and API configuration files. In addition, almost all the servers had weak cryptographic protocol configurations: they supported deprecated SSL/TLS versions and weak cipher suites, giving a network attacker the opportunity to downgrade and decrypt client-server communication.
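The rules an assessor applies to a TLS scan and a response-header dump are short enough to write down, and doing so makes the two findings above concrete. The following is an added example written for this article, not DataArt's scanner; it encodes the protocol versions deprecated by RFC 6176, RFC 7568 and RFC 8996, a set of IANA cipher-suite name fragments that mark a suite as weak, and the headers that reveal the software stack, and runs them over constructed scanner output.

```python
"""Rule set for the two server-side findings above: deprecated protocol
versions / weak cipher suites, and version fingerprints in HTTP headers.
Added example, run over constructed scanner output rather than a real host."""
import re

# RFC 6176 (SSLv2), RFC 7568 (SSLv3), RFC 8996 (TLS 1.0 and 1.1)
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

# Fragments of IANA cipher-suite names and why each is a problem.
WEAK_MARKERS = {
    "_NULL_": "no encryption",
    "_EXPORT": "export-grade key length",
    "_anon_": "anonymous key exchange, server not authenticated",
    "_RC4_": "RC4 keystream biases",
    "_DES_": "56-bit DES",
    "_3DES_": "3DES, 64-bit block (Sweet32)",
    "_MD5": "MD5 MAC",
}


def cipher_issues(suite: str) -> list[str]:
    issues = [why for marker, why in WEAK_MARKERS.items() if marker in suite]
    if suite.startswith("TLS_RSA_WITH_"):
        issues.append("static RSA key exchange, no forward secrecy")
    return issues


def audit_tls(protocols: list[str], suites: list[str]) -> list[str]:
    findings = [f"protocol {p} is deprecated" for p in protocols if p in DEPRECATED_PROTOCOLS]
    for suite in suites:
        findings += [f"{suite}: {why}" for why in cipher_issues(suite)]
    return findings


VERSION = re.compile(r"\d+\.\d+")
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                       "x-aspnetmvc-version", "x-generator")


def audit_headers(headers: dict[str, str]) -> list[str]:
    """A bare 'Server: nginx' is tolerated; a version string, or any
    X-Powered-By style header, is a fingerprint."""
    findings = []
    for name, value in headers.items():
        key = name.lower()
        if key not in FINGERPRINT_HEADERS:
            continue
        if key == "server" and not VERSION.search(value):
            continue
        findings.append(f"{name}: {value!r} fingerprints the stack")
    return findings


# Constructed sample, in the shape a TLS scanner and `curl -I` would report it.
SAMPLE_PROTOCOLS = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]
SAMPLE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.24",
    "Content-Type": "application/json",
}

if __name__ == "__main__":
    for line in audit_tls(SAMPLE_PROTOCOLS, SAMPLE_SUITES) + audit_headers(SAMPLE_HEADERS):
        print(line)
```

The fix on the server is the mirror image of the rule set: TLS 1.2 and 1.3 only, ECDHE key exchange with AEAD suites (AES-GCM or ChaCha20-Poly1305), and the Server and X-Powered-By headers stripped or reduced to a product name. A mobile client that pins certificates still depends on this, because a downgrade to a weak suite happens inside the pinned connection.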
Approximately half of the applications with server-side components had authentication or authorization weaknesses. Common authentication weaknesses included insecure user registration and password recovery functionality, weak password policies, user enumeration, password brute-force attacks that nothing throttled, flawed multi-factor authentication mechanisms, and others. Authorization issues allow attackers to read and modify sensitive data, either by reading it directly from a data store that is not properly restricted or by calling poorly protected privileged functionality. Without any hesitation, we identify these vulnerabilities as those presenting the greatest risk to our clients.
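Two of the weaknesses listed above are worth showing as code because the vulnerable and the fixed versions differ by only a few lines: username enumeration through a login endpoint (different messages and different response times for unknown users versus wrong passwords, with nothing to slow down guessing), and missing object-level authorization (a record fetched by id without checking that the caller owns it). The following is an added example written for this article, not code from DataArt or a client; the user store and invoice table are in-memory and constructed, and the PBKDF2 iteration count and the five-failure lockout are assumptions chosen for a fast demo.

```python
"""Username enumeration / brute force and missing object-level authorization,
each shown as the pattern found in assessments next to the fixed version.
Added example over a constructed in-memory store; policy values are assumptions."""
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ROUNDS = 100_000   # assumed for a quick demo; OWASP suggests 600,000 for PBKDF2-HMAC-SHA256
MAX_FAILURES = 5          # assumed lockout threshold per account
GENERIC_ERROR = "Invalid username or password."


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class UserStore:
    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}   # username -> (salt, hash)
        self.failures: dict[str, int] = {}
        # Dummy credential so a login for a non-existent user costs the same
        # time as a real one; otherwise response latency reveals valid usernames.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = hash_password(os.urandom(16).hex(), self._dummy_salt)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt))

    def login_vulnerable(self, username: str, password: str) -> tuple[bool, str]:
        """Distinct messages and an early return: both leak whether the account exists,
        and nothing limits how many guesses a client may make."""
        if username not in self.users:
            return False, "No such user."
        salt, stored = self.users[username]
        if hash_password(password, salt) != stored:
            return False, "Wrong password."
        return True, "ok"

    def login(self, username: str, password: str) -> tuple[bool, str]:
        """One message, constant work, and a per-account lockout against brute force."""
        salt, stored = self.users.get(username, (self._dummy_salt, self._dummy_hash))
        ok = hmac.compare_digest(hash_password(password, salt), stored)
        if username not in self.users:
            return False, GENERIC_ERROR       # same text, same cost as a real account
        if self.failures.get(username, 0) >= MAX_FAILURES:
            return False, GENERIC_ERROR       # locked; the owner is told out of band, not the caller
        if not ok:
            self.failures[username] = self.failures.get(username, 0) + 1
            return False, GENERIC_ERROR
        self.failures.pop(username, None)
        return True, "ok"


# Constructed records for the authorization half.
INVOICES = {
    1001: {"owner": "alice", "amount": "120.00"},
    1002: {"owner": "bob", "amount": "9800.00"},
}


def get_invoice_vulnerable(_user: str, invoice_id: int) -> Optional[dict]:
    """Authenticated, but never checks that the caller owns the record (IDOR)."""
    return INVOICES.get(invoice_id)


def get_invoice(user: str, invoice_id: int) -> dict:
    inv = INVOICES.get(invoice_id)
    # Missing and foreign records get the same error, so ids cannot be enumerated either.
    if inv is None or inv["owner"] != user:
        raise PermissionError("invoice not found")
    return inv


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse battery staple")
    print(store.login_vulnerable("nobody", "x"), store.login("nobody", "x"))
    print(get_invoice_vulnerable("bob", 1001), end=" -> ")
    try:
        get_invoice("bob", 1001)
    except PermissionError as e:
        print(e)
```

Registration and password-recovery endpoints need the same treatment as login: "this e-mail is already registered" and "no account for this e-mail" are enumeration oracles too. The ownership check in get_invoice is the shape every data-access path needs; an authorization model that lives only in the mobile client's UI is one of the "weak user roles management" findings counted below.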
Information leaks related to the server components were another widespread problem, and one with serious consequences. For instance, we occasionally observed server responses that disclosed other users' session IDs, full names and phone numbers. We also found rare cases in which servers were vulnerable to classic injection attacks, such as SQL or command injection, path manipulation attacks, and others.
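The two server-side problems just described often meet in a single endpoint: a search that splices user input into a SQL statement and returns whole rows, so that one injected quote dumps every user's name, phone number and session id. The following is an added example written for this article, not code from DataArt or any assessed back end; it runs the vulnerable handler and the parameterised, field-allowlisted one against a constructed in-memory SQLite table with invented rows.

```python
"""SQL injection plus over-exposure in one search endpoint, beside the fix.
Added example against a constructed in-memory SQLite table, not a real back end."""
import sqlite3

PUBLIC_FIELDS = ("id", "username")   # the only columns a search for other users may return


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, "
                "full_name TEXT, phone TEXT, session_id TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [   # constructed rows
        (1, "alice", "Alice Liddell", "+1-555-0100", "s3ss10n-a"),
        (2, "bob", "Robert Paulson", "+1-555-0101", "s3ss10n-b"),
        (3, "carol", "Carol Danvers", "+1-555-0102", "s3ss10n-c"),
    ])
    return con


def search_vulnerable(con: sqlite3.Connection, username: str) -> list[dict]:
    # Input spliced into the statement, and SELECT * hands back every column.
    cur = con.execute(f"SELECT * FROM users WHERE username = '{username}'")
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def search(con: sqlite3.Connection, username: str) -> list[dict]:
    # Bound parameter: the value can never change the statement's structure.
    # The column list is server-controlled (a constant), and only those
    # allowlisted columns leave the server.
    cur = con.execute(f"SELECT {', '.join(PUBLIC_FIELDS)} FROM users WHERE username = ?",
                      (username,))
    return [dict(zip(PUBLIC_FIELDS, row)) for row in cur.fetchall()]


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"            # classic tautology injection
    print("vulnerable:", search_vulnerable(db, payload))
    print("fixed:     ", search(db, payload))
    print("fixed, legitimate:", search(db, "alice"))
```

The allowlist matters independently of the injection fix: even with a parameterised query, a handler that serialises the whole row will still ship phone numbers and session ids to any caller who knows a username, which is exactly the response leak seen in the assessments.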
In total, high-risk issues were found in about every third iOS application and about every second Android application. As many as 90% of all vulnerabilities discovered could be exploited using malicious applications without any need for physical access to the device. The main issues were connected with insecure data storage, different misconfigurations both on client and server sides, and weak user roles management.
Summarizing the results, it is possible to assert that mobile developers often neglect security, which can lead to grave consequences, including financial losses for users and reputational damage to businesses.
About the author:
Dmitry Vyrostkov joined DataArt in 2006 as a software developer/team leader, contributing to projects with extensive security requirements. Dmitry also worked as a technical architect, solution architect, and a subject matter expert in numerous enterprise projects, designing and building complex solutions in finance, healthcare, and the travel & hospitality sectors. In 2012 Dmitry established DataArt’s Security practice, a team of security experts to consult with clients and help DataArt’s development teams implement the best security practices. Dmitry promotes the group’s services to internal and external audiences. In 2019, the group generated over $1M in security services revenue. Dmitry also coordinates sales activities, projects, and resources, and oversees service quality and deliverables. Prior to joining DataArt, Dmitry worked as a developer and team leader at Relex, one of the leading software development companies in Voronezh. Dmitry holds an M.S. in applied mathematics, informatics & mechanics from Voronezh State University.
DataArt is a global software engineering firm that takes a uniquely human approach to solving problems. With over 20 years of experience, teams of highly-trained engineers around the world, and deep industry sector knowledge, we deliver high-value, high-quality solutions that our clients depend on, and lifetime partnerships they believe in.