Take action on these top 10 mobile application vulnerabilities now

By Patrick Fan, on


Security is a top concern for all organizations. Even if an app has the best user experience and features, it becomes useless if it cannot protect sensitive user information. And, with the unique nature of mobile devices and how they are used, there are some mobile application vulnerabilities that are not issues for traditional web applications.

The Open Web Application Security Project published the release candidate of the Mobile Top Ten 2016, and it’s a good starting point to revisit your existing security infrastructure and strategy to combat current threats. The items may seem surprisingly basic, but these common mobile application vulnerabilities exist for both small organizations and enterprises.

The following is a look at these 10 mobile application vulnerabilities so you can take action now:

1. Improper platform usage

Different platforms offer many convenient features, but improper use can lead to a loss of security control. Every mobile operating system publishes its own security best practices, yet only a minority of apps follow them; the rest expose their users to risk. Typical examples include Android intents and iOS URL schemes, which let applications communicate with each other but, with poor flow control, may also let another app or a crafted link reach screens that should require authentication. Another common example is storing credentials or tokens in app-local storage, such as NSUserDefaults, instead of the iOS Keychain.

2. Insecure data storage

For many mobile apps, local data storage is key to providing an engaging experience. SQLite databases, XML and plist files and log files are commonly used, and all of them are stored unencrypted by default. Cloud syncing only increases the amount of unprotected data sitting on the device. Malware, a modified copy of the app, or anyone with access to the device or one of its backups can extract sensitive information from these files.
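To make the point concrete, here is an added example (not code from the original article) that writes a session token into an SQLite file the way many apps do and then recovers it by scanning the raw file bytes, the kind of check a reviewer runs over an app sandbox or a device backup. The directory layout, table schema and the JWT-shaped token are constructed for the example.

```python
import os
import re
import sqlite3
import tempfile

# Added example (not from the article): how plainly a session token sits in an
# app's SQLite file, and a scanner of the kind used when reviewing a device
# backup or app sandbox. Paths, table layout and the token are constructed.

SECRET_PATTERNS = {
    "jwt": re.compile(rb"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}"),
    "hex_token": re.compile(rb"(?<![0-9a-fA-F])[0-9a-fA-F]{32,}(?![0-9a-fA-F])"),
    "labelled": re.compile(rb"(?i)(?:password|passwd|api_key|secret)[\x20-\x7e]{0,3}[=:][\x20-\x7e]{4,}"),
}

# Constructed JWT-shaped value; the signature segment is a placeholder.
SAMPLE_TOKEN = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJlcGxhY2Vob2xkZXI"


def write_app_database(path: str, token: str) -> None:
    """What many apps do: session token and identity in an unencrypted table."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE prefs (key TEXT PRIMARY KEY, value TEXT)")
    con.executemany("INSERT INTO prefs VALUES (?, ?)", [
        ("session_token", token),
        ("username", "alice"),
    ])
    con.commit()
    con.close()


def scan_file(path: str) -> list:
    """Read the raw file (no SQLite library needed) and report secret-looking runs.

    TEXT values are stored verbatim as UTF-8 inside SQLite cells, so a token
    written by the app is recoverable with nothing more than a pattern match.
    """
    with open(path, "rb") as f:
        data = f.read()
    hits = []
    for label, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(data):
            hits.append((label, m.group().decode("latin-1")))
    return hits


def scan_sandbox(root: str) -> dict:
    """Walk an app's data directory (databases, shared prefs, logs) and scan every file."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def demo() -> dict:
    """Create a throwaway sandbox with one app database and scan it."""
    with tempfile.TemporaryDirectory() as sandbox:
        db_dir = os.path.join(sandbox, "databases")
        os.makedirs(db_dir)
        write_app_database(os.path.join(db_dir, "app.db"), SAMPLE_TOKEN)
        return scan_sandbox(sandbox)


if __name__ == "__main__":
    for path, hits in demo().items():
        for label, value in hits:
            print(f"{path}: {label}: {value}")
```

The fix is not a cleverer scanner but a different storage decision: keep tokens in the platform keystore (iOS Keychain, Android Keystore-backed storage) and keep only non-sensitive state in SQLite or preferences files.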

3. Insecure communication

Mobile apps are generally connected to the internet to deliver their full value, and insecure communication from one point to another puts data at risk of exposure. The risk covers every communication technology the app uses, including but not limited to TCP/IP, Wi-Fi, BLE and NFC. Typical causes are poor handshaking, outdated SSL/TLS versions, weak cipher negotiation, missing certificate validation and plaintext transmission of sensitive assets. The 2014 POODLE attack against SSL 3.0 is a typical example.
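The following is an added example, not code from the original article, showing what a hardened TLS client configuration looks like in Python's standard `ssl` module next to the anti-pattern that disables verification, plus a small audit helper and a certificate-pin check. The certificate bytes and pin set are constructed placeholders, and the helper names are this example's own.

```python
import hashlib
import ssl

# Added example (not from the article): hardened TLS client context for an
# app's backend calls, the weak pattern beside it, an audit helper and a
# certificate-pin check. The sample certificate bytes and pin are constructed.


def hardened_client_context() -> ssl.SSLContext:
    """Verify the server, check the hostname and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()              # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # rules out SSL 3.0 (POODLE) and TLS 1.0/1.1
    # Forward-secret AEAD suites only; no anonymous key exchange, no MD5-based MACs.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """Anti-pattern: verification switched off to make a certificate error go away."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # any certificate, including an interceptor's, is accepted
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Findings a reviewer would raise against a context; an empty list means clean."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS below 1.2 permitted")
    return findings


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER certificate, the value an app would pin at build time."""
    return hashlib.sha256(cert_der).hexdigest()


def pin_matches(cert_der: bytes, expected_pins: set) -> bool:
    """Pin check to run after the handshake on ssock.getpeercert(binary_form=True)."""
    return cert_fingerprint(cert_der) in expected_pins


# Constructed stand-in for the server's DER certificate. A real pin set holds the
# current certificate plus a backup so that rotation does not brick the app.
SAMPLE_CERT_DER = b"\x30\x82constructed-certificate-bytes-for-the-example"
PINNED = {cert_fingerprint(SAMPLE_CERT_DER)}


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "clean")
    print("weak:", audit_context(weak_client_context()))
    print("pin ok:", pin_matches(SAMPLE_CERT_DER, PINNED))
```

In a real client the pin check runs on the DER bytes returned by `getpeercert(binary_form=True)` after `wrap_socket(sock, server_hostname=host)` completes; pinning the whole certificate is the simplest form and means the pin set must be updated before each certificate renewal.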

4. Insecure authentication

Authentication is important for privacy protection: unauthenticated users must be identified and rejected. It sounds simple, but problems occur when an app fails to identify the user or to maintain the user's identity across a session. Authentication that runs over an insecure channel, or that persists credentials in insecure storage, can be attacked even when the password itself is strong. Hardware identifiers such as the UDID should not be used as authentication credentials either: they can be read from the device or harvested by other apps and replayed, so another person can pose as the original user.

5. Insufficient cryptography

You may think a system is secure as long as cryptography is in place, but not all cryptography is strong enough. Common failures include weak or obsolete ciphers, small or predictable keys, keys hard-coded into the app, and the wrong type of primitive for the job, such as a plain hash where a password-hashing function is needed.
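Two of those failures, shown concretely in an added example that is not part of the original article: a "random" key derived from a PRNG seeded with the wall clock can be recovered by anyone who knows roughly when it was generated, and an unsalted hash is the wrong primitive for password storage. The timestamps, message and passwords are constructed, and the function names are this example's own.

```python
import hashlib
import hmac
import random
import secrets
from typing import Optional

# Added example (not from the article): predictable keys and the wrong primitive.


def predictable_key(seed_seconds: int) -> bytes:
    """Anti-pattern: a 128-bit 'random' key from a PRNG seeded with the clock."""
    rng = random.Random(seed_seconds)
    return rng.getrandbits(128).to_bytes(16, "big")


def strong_key() -> bytes:
    """What the key should be: 256 bits from the operating system's CSPRNG."""
    return secrets.token_bytes(32)


def mac(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def recover_seed(observed_mac: bytes, message: bytes, approx_time: int,
                 window: int = 3600) -> Optional[int]:
    """Attacker side: brute-force the seed within +/- window seconds of a guessed time.

    A 128-bit key has 2**128 possibilities; a clock-seeded one has about 2*window.
    """
    for candidate in range(approx_time - window, approx_time + window + 1):
        if hmac.compare_digest(mac(predictable_key(candidate), message), observed_mac):
            return candidate
    return None


# Password storage: unsalted MD5 (fast, unsalted, rainbow-tabled) beside
# PBKDF2-HMAC-SHA256 with a per-user salt and a deliberately slow work factor.
PBKDF2_ROUNDS = 200_000


def weak_password_hash(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    generated_at = 1_700_000_000                      # constructed timestamp
    message = b"GET /api/v1/account"
    tag = mac(predictable_key(generated_at), message)
    # The attacker guesses the generation time to within 15 minutes.
    print("recovered seed:", recover_seed(tag, message, generated_at + 900))
    print("strong key bits:", len(strong_key()) * 8)
    stored = hash_password("correct horse battery staple")
    print("verify:", verify_password("correct horse battery staple", stored))
```

The same brute-force applies to any key whose entropy is bounded by something an attacker can guess (a timestamp, a device identifier, a short PIN), which is why key material should come from `secrets` or the platform keystore rather than from `random`.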

6. Insecure authorization

Even with a good authentication mechanism, improperly handled authorization still causes problems: users must not be able to access data that doesn't belong to them. A common mobile mistake is trusting authorization decisions made on the client. If the server does not enforce authorization itself, a user can bypass the entire mechanism by modifying the app or replaying requests through a proxy, and act on resources they should never reach.
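As an added example (not code from the original article), here is a resource endpoint that trusts an "already authorized" flag sent by the client, next to one that derives identity from the session and ownership from the record on the server. The sessions, invoice records and response shapes are constructed for the example.

```python
# Added example (not from the article): client-trusted authorization beside
# server-enforced authorization. Tokens, users and invoices are sample data;
# handlers return (status, body) like an HTTP endpoint would.

SESSIONS = {"tok-alice-7f3a": "alice", "tok-bob-91c2": "bob"}
INVOICES = {
    101: {"owner": "alice", "amount": 120},
    102: {"owner": "bob", "amount": 80},
}


def authenticate(headers: dict):
    """Map a bearer token to a user id, or None if the token is missing or unknown."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def get_invoice_insecure(headers: dict, invoice_id: int, body: dict):
    """Anti-pattern: the app tells the server it already checked ownership.

    Anyone with an intercepting proxy can resend the request with another
    invoice id (an insecure direct object reference) or set the flag; the
    server never looks at who the caller is.
    """
    if not body.get("authorized", False):
        return 403, None
    invoice = INVOICES.get(invoice_id)
    return (200, invoice) if invoice else (404, None)


def get_invoice(headers: dict, invoice_id: int, body: dict = None):
    """Server-side authorization: identity from the session, ownership from the record."""
    user = authenticate(headers)
    if user is None:
        return 401, None
    invoice = INVOICES.get(invoice_id)
    # Same response for "not yours" and "does not exist" so ids cannot be enumerated.
    if invoice is None or invoice["owner"] != user:
        return 404, None
    return 200, invoice


if __name__ == "__main__":
    bob = {"Authorization": "Bearer tok-bob-91c2"}
    print("insecure, bob reads alice's invoice:", get_invoice_insecure(bob, 101, {"authorized": True}))
    print("server-enforced, bob reads alice's invoice:", get_invoice(bob, 101))
```

The client-side check that the app performs before sending the request is still worth keeping for the user experience, but it is a convenience, not a control; only the server-side check counts.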

7. Client code quality

One characteristic of mobile development is that part of the code is distributed to and installed on the user's device, so you have limited control over it until the next update, and a fix for a client-side defect takes much longer to reach every affected device. As in traditional desktop applications, memory-safety bugs such as buffer overflows and format string vulnerabilities can occur, particularly in native code, and expose sensitive information.

8. Code tampering

Once an application is installed, it lives on a device the attacker may fully control. An attacker can modify the binary, tamper with dynamic memory, or hook and replace system APIs. That means the application logic can be changed and client-side security controls bypassed, leaving the server exposed to requests it never expected. If an application relies on client-side license checks, code tampering may lead to lost revenue as well.

9. Reverse engineering

Reverse engineering is not an unfamiliar term in the technology industry, and it can happen to any mobile application: valuable libraries, algorithms or assets may be recovered from the shipped binary. A number of tools make the process quick and simple. An Android APK is just a zip archive, so an attacker can extract it with any zip program and gain access to most of its contents, including the classes.dex bytecode, which decompiles readily.
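What that first zip-and-look step yields, as an added example that is not part of the original article: the script builds a stand-in APK in memory (a zip with the entries a real one carries), confirms the DEX magic and pulls URL-, key- and secret-looking strings, which is usually where a review of an app's secrets starts before a decompiler is even opened. The archive contents and the embedded strings are constructed.

```python
import io
import re
import zipfile

# Added example (not from the article): unzip an APK and look inside. The APK
# below is constructed in memory so the script runs offline; a real classes.dex
# is Dalvik bytecode and would go to a decompiler next.

DEX_MAGIC = b"dex\n035\0"   # magic of a version-035 DEX file

SUSPICIOUS = re.compile(r"(?i)https?://|api[_-]?key|secret|password|bearer ")


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK with the entries a real one carries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00 binary xml placeholder")
        z.writestr("classes.dex", DEX_MAGIC + b"\x00" * 64
                   + b"https://api.example.invalid/v1/login\x00"
                   + b"API_KEY=sk_live_constructed_example\x00"
                   + b"Lcom/example/app/LoginActivity;\x00")
        z.writestr("resources.arsc", b"\x02\x00\x0c\x00")
        z.writestr("assets/config.json", b'{"debug": true, "pinning": false}')
        z.writestr("META-INF/CERT.RSA", b"signature placeholder")
    return buf.getvalue()


def printable_strings(data: bytes, min_len: int = 8) -> list:
    """Same idea as the `strings` utility: runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def inspect_apk(apk_bytes: bytes) -> dict:
    """Unzip in memory, confirm the DEX magic and pull interesting strings."""
    report = {"entries": [], "dex": {}, "interesting": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        report["entries"] = z.namelist()
        for name in report["entries"]:
            data = z.read(name)
            if name.endswith(".dex"):
                report["dex"][name] = data[:8] == DEX_MAGIC
            for s in printable_strings(data):
                if SUSPICIOUS.search(s):
                    report["interesting"].append((name, s))
    return report


if __name__ == "__main__":
    result = inspect_apk(build_sample_apk())
    print("entries:", result["entries"])
    print("valid dex:", result["dex"])
    for entry, s in result["interesting"]:
        print(f"{entry}: {s}")
```

Against a real app the same loop runs over `unzip`'s output; anything this simple scan finds (API keys, backend URLs, feature flags) should be assumed known to an attacker, and obfuscation only raises the cost of the next step, it does not remove it.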

10. Extraneous functionality

To make debugging easier, developers often create hidden backdoors or a super-user mode during development or testing. Without a proper release process in place, those backdoors may survive into production builds and put the entire system at risk. And if a developer created the backdoor intentionally, that developer could be a future attacker.

These are the top 10 mobile vulnerabilities. Some of them are surprisingly trivial, right? Remember that security measures can only be enforced with proper policies, and most of these vulnerabilities are not purely technical issues.

About The Author

Patrick Fan

CEO / Founder of beNovelty

Patrick co-founded a technology startup in Hong Kong in 2015. He was a Certified IT and UX professional with IBM and HFI, with an exceptionally strong track record in banking, transportation and public sector projects, receiving over 10 recognition awards, including the "IBM Outstanding Contributor Award", within 8 years. For his insight into mobile enterprise, he was named an "IBM Redbooks Mobile Enterprise Thought Leader" in 2014.
