Mobile App Vulnerabilities: Security Best Practices & Mitigation

Running head: MOBILE APPLICATION VULNERABILITIES 1
A Study on Mobile Application Vulnerabilities and Mobile Application Security Best Practices
Name Surname
University
Course
May 30, 2018
A Study on Mobile Application Vulnerabilities and their Mitigation
Article Reference
Basavala, S. R., Kumar, N., & Agarrwal, A. (2013). Mobile Applications -Vulnerability
Assessment Through the Static and Dynamic Analysis, 2013(Cac2s).
Summary
Over the past decade we have seen massive adoption of technology in every sector of our
lives. Mobile technology in particular has changed how we live, and significant advances have
been made in it over that period. Mobile applications, popularly known as apps, are programs
designed to run on mobile devices.
Apps give mobile users the same services as those available on PCs, or better. Apps were
first offered to improve productivity and the retrieval of information from online platforms such as
email, weather channels, and stock market sites (Dwivedi, Clark, & Thiel, 2015). Their use has since
spread to mobile gaming, GPS, automation, mobile banking, ticketing and social networking. The
adoption of mobile applications accelerated with the emergence of smartphones, and they are now
used in sectors such as banking, health, and e-commerce (Basavala, Kumar, & Agarrwal, 2013).
This paper will outline the inherent risks brought about by the use of mobile applications by
organizations and individuals. Finally, we will look into ways in which these risks are mitigated
through policy change, use of security software and technical controls. Together these mitigation
techniques make up best practices that are applied at the various stages of app development: design,
source code development and deployment.

A mobile application typically runs on smartphones, tablets and similar devices and is
usually distributed through a store operated by the owner of the platform, such as the Google Play
store, the Apple App Store, the Windows Phone Store or BlackBerry App World.
With the increase in the capabilities of mobile devices and their massive consumer adoption,
mobile applications have become integral to people's lives. Because such applications are heavily
used in areas such as banking and finance, attackers have found a new platform on which to target
a large population. The way these applications are deployed makes it possible for an attacker to use
a single attack vector against millions of devices, because mobile applications run on a small
number of common platforms such as iOS, Android, Windows and BlackBerry (Basavala et al.,
2013). For example, Android adopted an "open application" model of development, which has led
to many apps with hidden functionality that can be used as attack vectors with devastating results.
Many companies have deployed mobile applications for their operations and service intake with no
interaction other than through the app. Companies such as Uber offer their services entirely through
an app and have reaped the rewards of doing so.
Unfortunately, the benefits and flexibility of mobile applications come with insecurities and
complexities that bring fraud and security risks. While most platform vendors have tried to build
secure platforms on which to deploy mobile applications, the apps themselves are often designed
and coded using questionable and insecure practices, leading to insecure applications (Basavala et
al., 2013). Application security is often an afterthought during development; the trade-off is usually
made in favour of delivering functional applications within the given timelines at the expense of
app security.
Results
Basavala et al. (2013) found risks in every layer of the mobile stack: the mobile network,
the hardware level, the operating system and the application layer. Each layer gives rise to a
different class of vulnerability in the applications. At the mobile network level, data sent to and
from applications can be intercepted and manipulated by an attacker. At the baseband layer,
referred to as the hardware level, an attacker can use a buffer overflow to root the device, which
gives full control over the device and every application on it. In the operating system, the kernel
code often presents vulnerabilities that can be used to attack applications (Cifuentes, Beltrán, &
Ramírez, 2015). Jailbreaking, the removal of manufacturer restrictions, usually exploits such kernel
vulnerabilities. The application layer is the most frequently exploited level when attacking mobile
applications: malicious code can be injected into applications and used by an attacker to steal user
data and initiate transactions. This paper discusses some of the common vulnerabilities present in
mobile applications irrespective of the platform on which the application runs.
Insecure client-side data storage is a risk concerning personally identifiable information
(PII) and other sensitive data stored on the user's mobile device. Developers must ensure that only
data critical to the application's operation is stored on the physical device (Dhillon, 2017). Such
data must be protected through encryption and must not lie in plain text. Platforms like iOS already
provide encryption for data at rest through the Data Protection API, exposed as writing options on
NSData and as file attributes set through NSFileManager (for example NSFileProtectionComplete),
which ties the file's encryption key to the device passcode so that the file is unreadable while the
device is locked.
Insufficient protection of data in transit is a risk that arises when data passes through the
transport layer. Once PII has been secured at rest, the next vulnerability can occur when
the application is transmitting data to the app server. Encryption must be used on this
communication channel. TLS (historically called SSL) with a server certificate is used to establish
an encrypted link between the app server and the application, and the app must verify that
certificate against trusted roots rather than accept any certificate presented. Data should be sent in
a manner that guarantees that information is not changed in transit, which TLS provides through
its integrity protection.
Data leakage is a common risk in mobile applications which can lead to the loss of user
information such as social security numbers, emails, usernames and passwords. Application
developers should ensure that user data is protected on their servers. The data protection methods
mentioned above, such as encryption, can be used to protect user data. In addition, the design of the
mobile application should have data protection in mind and not as an afterthought (Basavala et al.,
2013). With the enactment of regulations such as the GDPR, data protection is now an area that
developers must take into consideration throughout the app development cycle.
Improper authentication between the client and the application server is a risk that can lead
to vulnerable applications. By design, the authentication decision between a mobile application and
the server must be made on the server side, since anything on the client can be modified. Secure
authentication is necessary to uniquely identify a mobile application user and to prevent session
hijacking.
Mobile applications should request permissions only when necessary. There are cases of
applications such as a basic calculator requesting access to critical information such as GPS
location, contacts, call logs and messaging. Is this an implementation of least privilege?
Applications should be restrained in the information they request from the client device, to limit
what an attacker gains if the app is compromised. Additionally, the app server should not allow a
user with fewer privileges to access other parts of the application, especially in shared
applications. Vertical privilege escalation applies to an application such as Uber, where a user could
access the business side of the application
and award themselves unlimited trips or clear charges on their own account (Dhillon, 2017).
Horizontal escalation lets a user bypass the authorization checks present in the app; in a mobile
banking application it can allow one user to view the transactions and account details of another.
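Both escalation paths above come down to authorization checks that are missing on the server. The following is an added example, not code from Basavala et al. or from any of the applications named in the text; the account data, role names ("rider", "ops") and session objects are constructed for illustration. It shows an object-ownership check that stops horizontal escalation (reading another user's account) beside a role check that stops vertical escalation (clearing charges), and a deliberately vulnerable variant that trusts the client-supplied account identifier:

```python
"""Server-side authorization checks against horizontal and vertical
privilege escalation. Added example; data, roles and users are constructed."""
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when the caller is not allowed to perform the operation."""


@dataclass(frozen=True)
class Session:
    user_id: str
    role: str  # "rider" or "ops": assumed role names for this example


@dataclass
class Account:
    owner_id: str
    transactions: list = field(default_factory=list)
    charges: int = 0


# Constructed sample data: two riders with one account each.
ACCOUNTS = {
    "acct-1": Account(owner_id="alice", transactions=["ride 12.50"], charges=12),
    "acct-2": Account(owner_id="bob", transactions=["ride 7.00"], charges=7),
}


def get_transactions_vulnerable(session: Session, account_id: str) -> list:
    """Trusts the account_id the client supplies (an insecure direct object
    reference): any authenticated user can read any account."""
    return ACCOUNTS[account_id].transactions


def get_transactions(session: Session, account_id: str) -> list:
    """Horizontal check: the account must belong to the authenticated caller."""
    account = ACCOUNTS.get(account_id)
    if account is None or account.owner_id != session.user_id:
        # Same error for "missing" and "not yours", so account IDs cannot be enumerated.
        raise AuthorizationError("account not accessible")
    return account.transactions


def clear_charges(session: Session, account_id: str) -> int:
    """Vertical check: only the operations role may clear charges, and the
    role comes from the server-side session, never from a client-sent flag."""
    if session.role != "ops":
        raise AuthorizationError("role not permitted")
    account = ACCOUNTS.get(account_id)
    if account is None:
        raise AuthorizationError("account not accessible")
    account.charges = 0
    return account.charges


def demo() -> dict:
    """Runs the three checks and reports what each variant allowed."""
    alice = Session("alice", "rider")
    bob = Session("bob", "rider")
    ops = Session("carol", "ops")
    result = {}
    # The vulnerable variant lets bob read alice's account.
    result["vuln_reads_other"] = get_transactions_vulnerable(bob, "acct-1")
    result["own"] = get_transactions(alice, "acct-1")
    try:
        get_transactions(bob, "acct-1")
        result["horizontal_blocked"] = False
    except AuthorizationError:
        result["horizontal_blocked"] = True
    try:
        clear_charges(alice, "acct-1")
        result["vertical_blocked"] = False
    except AuthorizationError:
        result["vertical_blocked"] = True
    result["ops_cleared"] = clear_charges(ops, "acct-1")
    return result


if __name__ == "__main__":
    print(demo())
```

The point of the ownership check is that the server derives the permitted set of objects from the session it authenticated, not from the identifier the app sends; the role check likewise reads the role from server-side state, which is why a modified client cannot promote itself.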
Injection vulnerabilities can lead to various risks depending on how they are exploited. SQL
injection is used to attack mobile applications that use an SQLite database to store data on the
client's device. Cross-site scripting (XSS) is another attack that results from an injection
vulnerability. Both take advantage of applications that trust user input implicitly. XSS lets an
attacker run script inside the application's web view, where it executes with the application's
session and can read or exfiltrate data, with devastating consequences. Applications should be
implemented so that they accept only specific data formats and lengths. User input should be
restricted to the expected data types; rejecting the special characters used in SQL injection, such as
single and double quotes (', ") and the backslash (\), is a partial measure, and parameterized queries
remain the definitive defense because the database then never interprets input as SQL.
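To make the SQLite injection concrete, here is an added example (not from the paper) using Python's standard sqlite3 module against a constructed in-memory database. A login lookup that concatenates the user's input is shown beside one that binds parameters; the table contents and the payload are made up for the demonstration, and the plaintext password column exists only to keep the example short (the text's own advice is not to keep such data unencrypted on the client):

```python
"""Client-side SQLite login lookup: string-built query beside a parameterized
one. Added example with a constructed in-memory database."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table; plaintext passwords only for brevity."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, pw: str) -> bool:
    """Concatenates input into the SQL text, so the input is trusted implicitly
    and a quote in it changes the structure of the query."""
    q = f"SELECT count(*) FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return conn.execute(q).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, name: str, pw: str) -> bool:
    """Binds the values as parameters; SQLite never parses them as SQL."""
    q = "SELECT count(*) FROM users WHERE name = ? AND pw = ?"
    return conn.execute(q, (name, pw)).fetchone()[0] > 0


# Classic tautology payload: closes the string literal and ORs in a true clause.
PAYLOAD = "' OR '1'='1"


def demo() -> dict:
    """Runs both lookups with real credentials and with the payload."""
    conn = make_db()
    return {
        "vuln_valid": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_bypass": login_vulnerable(conn, PAYLOAD, PAYLOAD),  # authenticates!
        "safe_valid": login_safe(conn, "alice", "correct horse"),
        "safe_bypass": login_safe(conn, PAYLOAD, PAYLOAD),        # rejected
    }


if __name__ == "__main__":
    print(demo())
```

With the payload in both fields the concatenated query becomes `WHERE name = '' OR '1'='1' AND pw = '' OR '1'='1'`, which matches every row, while the bound version looks for a user literally named `' OR '1'='1` and finds none.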
Discussion
Basavala et al. (2013) suggested best practices to counter the vulnerabilities present in
mobile applications. For general mobile application security, the paper suggested enforcing ADFS
2.0 (federated) authentication, or multi-factor authentication as an alternative, to prevent
authentication vulnerabilities. The application server should also use TLS with a certificate
provisioned to the user's device for authentication (mutual TLS). Authentication vulnerabilities are
thus also mitigated by digital certificates, which provide a second authentication factor between the
mobile application and the app server.
For vulnerabilities arising from authorization, Basavala et al. (2013) suggest serving static
resources from a different domain (or path) than the application itself. This results in cookies not
being sent with requests for those resources, and only exchanged when the mobile application
needs them. Access control policy paths must not be used in URLs containing special characters, so
as to prevent injection attacks against mobile applications.
For vulnerabilities arising from configuration management, the paper suggests limiting the
size of the document model returned to the client using techniques such as pagination. Similarly,
JavaScript should be placed at the bottom of the page. When a mobile application makes multiple
requests to the server, such requests should be batched. Finally, third-party code and APIs must not
be involved when the application is sending data over the web.
Sensitive information leakage results from multiple vulnerabilities. Keeping the data on the
device encrypted ensures that personal information is not leaked. For an application server that
shares data with other devices, for example a gaming server, the data to be shared must be
replicated back to the server to assist in recovery in case of leakage. Lastly, HTML extensions
needed for mobile application functionality should be standard ones, and the developer should
replace open-sourced ones.
Session management, which when done badly results in session hijacking, is integral to
vulnerability mitigation. Since many mobile devices disable cookies in their configuration, mobile
applications should be developed to function without cookies. For applications that do use cookies,
the application server should be configured not to trust information it receives from the app
without proper authentication. The application should use a security token, stored locally on the
mobile device in the platform's protected storage (the iOS Keychain or Android Keystore), to
enable automatic sign-in. For a mobile application such as a mail client, which connects to an
encrypted web site that has links pointing to an
untrusted certificate, the user agent should fail closed and report to the application as if the
resource were unavailable. This prevents the man-in-the-middle attacks that exploit this weakness.
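The session-management advice above (a locally stored sign-in token, a server that trusts nothing the app sends without authenticating it) can be realised with a server-signed token. The following is an added example, not from the paper or any named product; the signing key, user identifier, token lifetime and clock values are constructed, and it uses only Python's standard library. The server issues a token whose payload is covered by an HMAC, so on the next launch it can authenticate the token it gets back without a cookie and without trusting the claimed user id:

```python
"""Server-issued sign-in token for a mobile app: HMAC-SHA256 over the claims
plus an expiry, verified with a constant-time compare. Added example; key,
user ids, lifetime and clock values are constructed."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Assumed: the signing key exists only on the server (e.g. in a secrets manager).
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 30 * 24 * 3600  # 30-day lifetime, an assumed policy value


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, now: float = None) -> str:
    """Server side: claims are JSON, signed with the server key."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "exp": int(now + TOKEN_TTL), "jti": secrets.token_hex(8)}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token: str, now: float = None):
    """Server side: returns the user id, or None for a malformed, tampered or
    expired token. The signature is checked before any claim is trusted."""
    now = time.time() if now is None else now
    try:
        p64, s64 = token.split(".")
        payload, sig = _unb64(p64), _unb64(s64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


def tamper(token: str, new_user: str) -> str:
    """What a modified client might try: rewrite the user id, keep the old signature."""
    p64, s64 = token.split(".")
    claims = json.loads(_unb64(p64))
    claims["sub"] = new_user
    forged = json.dumps(claims, separators=(",", ":")).encode()
    return _b64(forged) + "." + s64


def demo() -> dict:
    t0 = 1_700_000_000.0  # constructed clock so the run is deterministic
    token = issue_token("alice", now=t0)
    return {
        "valid": verify_token(token, now=t0 + 60),
        "tampered": verify_token(tamper(token, "admin"), now=t0 + 60),
        "expired": verify_token(token, now=t0 + TOKEN_TTL + 1),
        "garbage": verify_token("not.a.token", now=t0),
    }


if __name__ == "__main__":
    print(demo())
```

On the device the token string is what goes into the Keychain or Keystore; a server-side revocation list keyed on `jti` would let a stolen token be invalidated before its expiry, which a plain expiry cannot do.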
Input validation vulnerabilities are mitigated by sanitizing input parameters and by
defining blacklisted and, preferably, whitelisted (allowed) characters. Data entered in forms by
mobile applications and then passed to the backend for processing must be properly validated. Both
the client and the application server should validate input data (with JavaScript on the client side
stripping whitespace separately); the server-side check is the authoritative one, since anything done
on the client can be bypassed.
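The difference between the two approaches is easiest to see with payloads that contain none of the blacklisted characters. The following is an added example (not from the paper) with a constructed per-field allow-list schema and constructed request payloads: a numeric-context SQL injection and an XSS payload both pass the quote-and-backslash blacklist the text describes yet fail the allow-list, which only ever accepts what a field is supposed to contain. Validation of this kind is defense in depth; parameterized queries and output encoding remain the primary fixes.

```python
"""Allow-list validation of request parameters beside a character blacklist.
Added example; the field schema and the payloads are constructed."""
import re

BLACKLIST = set("'\"\\")  # quotes and backslash, the characters the text proposes to reject

# Allow-list schema (constructed): field -> (pattern for the whole value, max length)
SCHEMA = {
    "account_id": (re.compile(r"\A[0-9]{1,12}\Z"), 12),
    "username": (re.compile(r"\A[a-z][a-z0-9_]{2,31}\Z"), 32),
    "note": (re.compile(r"\A[\w .,!?-]*\Z"), 140),
}


def blacklist_ok(value: str) -> bool:
    """Denies only the listed characters; everything else is let through."""
    return not (set(value) & BLACKLIST)


def validate(params: dict) -> dict:
    """Returns field -> error; an empty dict means the request is clean.
    Unknown fields are rejected too, so a client cannot smuggle extra parameters."""
    errors = {}
    for name, value in params.items():
        if name not in SCHEMA:
            errors[name] = "unexpected field"
            continue
        pattern, max_len = SCHEMA[name]
        if not isinstance(value, str):
            errors[name] = "wrong type"
        elif len(value) > max_len:
            errors[name] = "too long"
        elif not pattern.match(value):
            errors[name] = "invalid characters"
    return errors


# Constructed payloads containing no quote or backslash: the blacklist passes
# them all, the allow-list rejects them all.
PAYLOADS = {
    "account_id": "1 OR 1=1",                  # SQL injection in a numeric context
    "note": "<img src=x onerror=alert(1)>",    # XSS that needs no quotes
    "username": "alice; drop table users",
}


def demo() -> dict:
    return {
        "blacklist_passes": {k: blacklist_ok(v) for k, v in PAYLOADS.items()},
        "allowlist_errors": validate(PAYLOADS),
        "clean": validate({"account_id": "4711", "username": "alice_01", "note": "Thanks!"}),
    }


if __name__ == "__main__":
    print(demo())
```

The same `validate` function belongs on the server regardless of what the app checks locally; the client-side copy only improves the user experience.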
For vulnerabilities that exploit weak encryption, organizations that have deployed mobile
applications should use cryptography correctly. For example, strong policy restrictions should be
put in place to prevent manifests from being stored on the organization's internal network. Also,
dynamic resources should be cached under a resource identifier that incorporates a hash of the
identifier.
Mobile applications must have proper logging and auditing to detect new vulnerabilities that
seek to abuse the application layers. For an application with authentication, invalid-access logs
should always be monitored to ensure that strong mitigation processes are in place for new
vulnerabilities. For such an application, Qian, Luo, Le, & Gu (2015) recommend that the user be
identified and the requested event described and flagged. Additionally, the IP address used to
access the mobile application should be logged together with the timestamp.
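Log entries with exactly those fields (user, event, IP, timestamp) are what the monitoring has to work with. The following is an added example, not from the paper or any cited tool: a few constructed invalid-access log lines (the IPs are from documentation ranges) and two detections run over them, a burst of failures from one IP within a time window, and one account failing from many distinct IPs. The thresholds are assumed values a team would tune to its own traffic.

```python
"""Monitoring of invalid-access logs: parse entries carrying user, event, IP and
timestamp, then flag brute-force bursts and distributed guessing against one
account. Added example; the log lines and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one entry per line (IPs from RFC 5737 documentation ranges).
SAMPLE_LOG = """\
2018-05-30T10:00:01Z user=alice event=login_failed ip=203.0.113.5
2018-05-30T10:00:03Z user=alice event=login_failed ip=203.0.113.5
2018-05-30T10:00:04Z user=bob event=login_failed ip=203.0.113.5
2018-05-30T10:00:06Z user=carol event=login_failed ip=203.0.113.5
2018-05-30T10:00:09Z user=dave event=login_failed ip=203.0.113.5
2018-05-30T10:00:15Z user=alice event=login_ok ip=198.51.100.7
2018-05-30T10:02:00Z user=erin event=login_failed ip=192.0.2.10
2018-05-30T10:02:30Z user=erin event=login_failed ip=192.0.2.11
2018-05-30T10:03:00Z user=erin event=login_failed ip=192.0.2.12
2018-05-30T10:30:00Z user=frank event=login_failed ip=198.51.100.9
"""

FAILURES_PER_IP = 5              # assumed threshold
WINDOW = timedelta(seconds=60)   # assumed window
DISTINCT_IPS_PER_USER = 3        # assumed threshold


def parse_line(line: str) -> dict:
    """'<iso timestamp> key=value ...' -> dict with a datetime under 'ts'."""
    ts, *kv = line.split()
    entry = dict(pair.split("=", 1) for pair in kv)
    entry["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return entry


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect(entries: list) -> list:
    """Returns alert strings.
    Detection 1: >= FAILURES_PER_IP failures from one IP inside WINDOW
                 (brute force or password spraying across accounts).
    Detection 2: one account failing from >= DISTINCT_IPS_PER_USER IPs
                 (credential stuffing / distributed guessing)."""
    alerts = []
    failures = [e for e in entries if e.get("event") == "login_failed"]
    by_ip = defaultdict(list)
    by_user = defaultdict(set)
    for e in failures:
        by_ip[e["ip"]].append(e["ts"])
        by_user[e["user"]].add(e["ip"])
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):           # sliding window over sorted times
            while times[end] - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= FAILURES_PER_IP:
                alerts.append(f"burst: {ip} had {end - start + 1} failures within {WINDOW.seconds}s")
                break
    for user, ips in by_user.items():
        if len(ips) >= DISTINCT_IPS_PER_USER:
            alerts.append(f"spread: {user} failed from {len(ips)} IPs")
    return alerts


def run() -> list:
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The single failure from 198.51.100.9 and the successful login are not flagged, which is the point of thresholds: the log is only useful if someone can act on what it raises, so the rules should produce few alerts and each should name the user, the IP and the window, as the text recommends.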
Through the analysis of the paper it is possible to identify vulnerabilities that lead to data
threats and other risks, and to come up with mitigating procedures. Developers of mobile
applications and organizations that use them must develop and deploy such apps with security in
mind. Vulnerability assessment and penetration testing should be carried out on
mobile applications to find and mitigate risks to information security. In addition to such manual
and automated tests, emulators should be used to test whether the mobile applications are
vulnerable. Mobile applications deal with sensitive data, and vulnerabilities should be patched in a
timely manner to ensure that information stays secure. For large organizations that offer mobile
applications as a service, for example banks, outsourcing is an option to ensure the mobile
applications are secure.
References
Basavala, S. R., Kumar, N., & Agarrwal, A. (2013). Mobile Applications -Vulnerability
Assessment Through the Static and Dynamic Analysis, 2013(Cac2s).
Cifuentes, Y., Beltrán, L., & Ramírez, L. (2015). Analysis of Security Vulnerabilities for Mobile
Health Applications. International Journal of Electrical, Computer, Energetic, Electronic
and Communication Engineering, 9(9), 999–1004.
Dhillon, G. S. (2017). Vulnerabilities & Attacks in Mobile Adhoc Networks (MANET).
International Journal of Advanced Research in Computer Science, 8(4), 2015–2017.
Dwivedi, H., Clark, C., & Thiel, D. (2015). Mobile Application Security.
Qian, C., Luo, X., Le, Y., & Gu, G. (2015). VulHunter: Toward discovering vulnerabilities in
android applications. IEEE Micro, 35(1), 44–53. https://doi.org/10.1109/MM.2015.25