42Gears Apps Secured Against OWASP Mobile Top 10 2016 Risks

The Open Web Application Security Project (OWASP) is a nonprofit foundation and an online community that produces articles, methodologies, documentation, tools, and technologies in the field of application security and aims to improve software security. 

OWASP (Open Web Application Security Project) Mobile Top 10 2016 lists ten different types of security risks that mobile apps face. This list sets guidelines and best practices for organizations to build, test, and host secure mobile applications.

According to NowSecure, 85% of mobile apps violate at least one or more of the OWASP guidelines. Adding onto this, a report published in 2019 by security firm Positive Technologies found high-risk vulnerabilities in 38 percent of iOS and 43 percent of Android applications.

Here is the list of the top ten mobile risks as identified by OWASP:

• M1. Improper Platform Usage Risks
• M2. Insecure Data Storage
• M3. Insecure Communication
• M4. Insecure Authentication
• M5. Insufficient Cryptography
• M6. Insecure Authorization
• M7: Client Code Quality 
• M8. Code Tampering 
• M9. Reverse Engineering
• M10. Extraneous Functionality

Let’s take a look at what each of these risks means:

M1: Improper Platform Usage Risks

This means misusing an operating system feature or failing to use platform security controls, such as Android intents, platform permissions, misuse of TouchID/Keychain, and more. This may present opportunities of “Intent Sniffing,” by allowing malicious apps to read data mentioned in the Intent (ultimately leading to Android Intent exploitation), lead to password exploitation as a result of compromised Keychain encryption, or expose the TouchID authentication process.

M2: Insecure Data Storage

This  refers to easy ways in which malicious sources can access vulnerable data on mobile devices, like gaining access to a compromised device using physical options (by connecting the device to a computer or using malware or repackaged apps). Insecure data storage and a compromised file system can potentially expose the data stored on the application sandbox, SQL databases, log files, XML data stores, binary data stores, and cookie stores through easily accessible means such as keyboard caches, pasteboard caching, or URL caching.  

M3: Insecure Communication

Any communication taking place with mobile applications goes through different mediums over the internet. Malicious entities can intercept this communication and read the data being transmitted through compromised networks, proxy servers, or  malware by exploiting insecure and vulnerable apps. Insecure communication in the absence of thorough monitoring of outbound and inbound traffic to a mobile device and its apps, including via TCP/IP, Wi-Fi, or Bluetooth can lead to information leakage. Improper SSL/TLS authentication can also compromise app-server communication, by making information exchange more vulnerable to network and man-in-the-middle (MITM) attacks. 

M4: Insecure Authentication

This includes bypassing authentication protocols, thus allowing unintended or ill-intended entities access to mobile devices or apps installed on them. This can happen as a result of non-existent or poorly-implemented authentication processes – a vulnerability that can be manipulated by malware or botnets that interact with the server without communicating with  applications directly. These kinds of risks are possible if developers allow accessible, easy and weak input form factors for passwords for both offline and online authentication sessions. 

M5: Insufficient Cryptography

This refers to weak encryption/decryption methods or insufficiencies in the algorithms that trigger encryption/decryption processes. As a result of inefficient or flawed encryption/decryption methods, mobile devices and app data become vulnerable to malicious activities (by means of compromised networks or apps). 

Though current mobile device platforms encrypt app codes using certificates, simply relying on these default encryption processes could increase the risk of code manipulation. There are numerous tools that can help bypass app and device encryption and steal the data stored in apps and devices. Mishandling encryption keys or storing them in the same directories can increase the chances of hackers accessing the keys and decrypting the encrypted data manifolds.

M6: Insecure Authorization

A weak authentication scheme lets malicious entities fake or bypass authentication by submitting service requests to a mobile app’s backend server and anonymously executing certain functionalities. By exploiting authentication vulnerabilities, insecure authorization can allow threat agents (as anonymous users) to access protected resources on mobile devices and apps and perform activities that can expose sensitive information. Insecure authorization can also let attackers exploit vulnerabilities and gain access to application databases or files under the guise of an intended device user, execute admin commands, and even get control of other underlying authorizations. This could lead to unauthorized access to data and information theft, to list a few.

M7: Client Code Quality

This refers to following poor or inconsistent coding practices while coding mobile applications, which makes it easy for malicious entities to use third-party tools to perform static analysis or fuzzing. Poor code quality can also cause performance issues, high memory usage, format string vulnerabilities, and various other code-level mistakes that allow malicious code to be executed on mobile devices, and buffer overflow.

M8: Code Tampering

Tampering with the code of an app allows ill-intended users to gain unrestrained access to the app, and sometimes, even the whole device. Tampering consists of duplicating an application, adding one or several back doors to its code, re-signing it and publishing it to third-party app stores. These apps act as gateways for hackers to change system APIs, add malicious foreign codes, and install spyware to steal data or user information, among other risks. 

M9: Reverse Engineering

Reverse engineering is one of the most common risks, wherein hackers analyze the final core binary within the app and identify the original string table, source code, libraries, and algorithms using binary inspection tools. This can reveal information about backend servers and expose ways to modify codes, which can impact server security and compromise the data stored on mobile devices and installed applications. Apart from compromising backend systems, this can also lead to intellectual property theft, enabling app competitors to easily copy an app’s functionalities and features.

M10: Extraneous Functionality

This is a common security weakness in mobile applications. This refers to the extraneous app codes and functionalities that are left behind when application development is over. A study of such functionalities can give out detailed information about the backend architecture and can allow the execution of unauthorized high-privileged actions in an application. This presence of such extraneous functionalities can expose information related to databases, user details, permissions, and authentication processes.

42Gears’ applications have been audited, tested, and certified to be secure from all the ten risks and vulnerabilities listed by OWASP, protecting the integrity of the devices on which they are installed.

To learn more about 42Gears’ commitment to security, write to us at sales@42gears.com.