Most frequent app vulnerabilities

Authentication and authorization

Limit the number of unsuccessful attempts . The usual practice is to allow 3 to 5 attempts before the user is locked out of the application and needs to contact support to restore their credentials.

. The usual practice is to allow 3 to 5 attempts before the user is locked out of the application and needs to contact support to restore their credentials. Avoid predictable user IDs . When the system generates user IDs according to, for example, the date of creation and they contain this date (such as, NNNNN01092018, NNNNN02092018), it is easier for the attackers to find the valid IDs.

. When the system generates user IDs according to, for example, the date of creation and they contain this date (such as, NNNNN01092018, NNNNN02092018), it is easier for the attackers to find the valid IDs. Use the same error message in all cases of invalid credentials input . The user enters their credentials on the Sign in , Log in and Forgot password pages. Make sure that all these screens display the same error message no matter which part of the credentials is invalid. If the application responds with “Your password is invalid”, the attackers can guess that they have the username right. If, however, the message is “Your username or password is invalid” at all times, you will not give away any unnecessary information.

. The user enters their credentials on the , and pages. Make sure that all these screens display the same error message no matter which part of the credentials is invalid. If the application responds with “Your password is invalid”, the attackers can guess that they have the username right. If, however, the message is “Your username or password is invalid” at all times, you will not give away any unnecessary information. Implement a strong password check . Make your application validate the passwords created by the users for strength – the usual practice is to accept passwords of sufficient length (8 characters at the minimum) containing letters, numbers and special characters.

. Make your application validate the passwords created by the users for strength – the usual practice is to accept passwords of sufficient length (8 characters at the minimum) containing letters, numbers and special characters. Implement multi-factor authentication. With the current level of cyber crime, simply entering of a password may be no longer enough. To make the login process more secure, many applications use multi-factor authentication. It consists of “something that you know” – the password, “something that you have” – a one-time code or the mobile device, and “something that you are” – a biometric entry, such as a fingerprint or a retina scan. In the most secure cases, app authentication may include all three; however, the most common practice is generating a one-time code that must be entered to log in to the application.

Session expiration

Include the session expiration function . Log the user out forcefully when no activity has been detected for the specified time. This time should be as short as reasonably possible.

. Log the user out forcefully when no activity has been detected for the specified time. This time should be as short as reasonably possible. Make your server invalidate user IDs upon session expiration or user logout. When the user logs in again, new IDs will be generated.

Data access

Encryption issues

Connection issues

Use of third-party libraries and APIs

Client platform choice

New threats

You can never be too careful

In 2018, nobody takes web and mobile app security lightly. When WannaCry and Petya were on the loose attacking thousands of computers all over the globe and causing millions of dollars worth of damage, the world saw the real depth of the problem. Today, application security is not a matter of “do we need it or not?”. It is the matter of “is it strong enough or not?”.In DA-14, we implement security mechanisms in every mobile and web application we develop. Security is among the key features of every project we work on and we never cut any corners in the matters of security, even when we are looking for ways to reduce the app development cost.We would like to share our views on the application security and mobile app security best practices that we apply. We always aim at creating a safe and protected environment for both the app owners and users, and implement security measures without compromising the core functionality of the application.Of course, cyber criminals are getting increasingly cunning, with new types of threats appearing constantly. However, by knowing the places where cracks may appear in your armor, you can plan your security measures more effectively.Together with explaining the possible vulnerabilities, we will include our recommendations for preventing them.Authentication must be able to verify that the user is who they claim to be, while authorization is making sure that they are permitted to do what they are trying to. The vulnerability appears when the users' details are not protected properly or when the authentication procedure is not strong enough.Attacks through the authentication and authorization procedures can occur, for example, through brute forcing – guessing the username and password by trying possible values until the valid combination is found.Developers can improve the security of mobile applications in the context of authentication by implementing certain mechanisms that prevent brute forcing:This feature may contain vulnerabilities of two types — the application may have no session expiration at all causing the session to remain open indefinitely even when there is no user activity, or the server may process the logout action improperly. In both cases, user IDs may be intercepted by attackers.You can implement the following measures to protect your sessions:To a certain extent each application requests access to user's data. Obviously, the more types of user data the app requests — contacts, personal information, photos, location, calendar — the easier it becomes for the attackers to steal it.Here the rule of thumb is to operate on the “need to know” principle. In other words, don't ask for more than you absolutely need for the application to function. Always inform your user explicitly about the level of access you request and make them actively grant it. Never pre-fill check boxes with “Yes”; let the user check them on their own.Besides protecting your users' data, this approach may help you avoid legal claims that may eventually arise for improper handling of the requested data. For businesses operating or located in the EU, this is now especially important with GDPR in force.Lack of proper encryption endangers application data during communication. When data is sent in plain format without encryption, the possibilities of theft or compromise are much higher.To secure app data during communication, always use encryption at both ends of the communication channel (the so-called end-to-end encryption), and en route so that any data intercepted during transfer will be indecipherable. Use the most advanced encryption protocols available, such as SHA-256.If the application uses a connection without SSL/TSL certificate validation or with improper validation, the data sent over such connection may be compromised.To make your app secure, we recommend that you configure it to always verify that the certificate is issued by a trusted provider. When a reliable SSL (Secure Socket Layer) certificate is present, it encrypts the data that is sent between the server and the client, preventing its theft or unauthorized use.There are quite a number of reputed SSL certificate providers on the market with different conditions and pricing plans. If you choose one of the top companies, such as Comodo or GeoTrust , you can be sure that you will get sufficient protection of your application and will be able to guarantee data security to your users.While using publicly available libraries is a common practice, they can pose a threat due to vulnerabilities in their code or outright malicious actions inserted by their creators. APIs used to integrate third-party services into an application can also be vulnerable to attacks and provide a way to steal access to your app.The remedy is simple – use tried-and-tested third-party components and authorized APIs. Implement strict policies for using external components and communicate them to all developers in the team.With the popularity of mobile devices, many startups begin by launching a mobile app and then move to other platforms afterwards, such as desktop or web apps. When you expand your platform options, make sure your security measures are sufficient. The same applies to starting with one mobile platform and then adding another.Writing a secure iOS app does not mean that the same app will be similarly secure on Android or web. When you create an Android app, use special Android security best practices to protect the data on both platforms. Evaluate the cloud services and databases that you use in your mobile app for use with web and desktop applications.Sad as it may seem, cyber crime is evolving as fast as the honest technology, and sometimes even faster. Even if you have applied the most effective security mechanisms, this does not mean that you can rest on your laurels thinking that your application is forever protected. New threats and risks appear all the time. For example, if your app is designed to work with IoT devices, you should always be on alert for vulnerabilities in each particular device that you add to your “supported” list.The general recommendation in this context is to be proactive. Follow the news, stay in touch with the community and, most importantly, test your app constantly. Repeated testing for various vulnerabilities helps to identify them sooner so you can update the app accordingly.When you roll out a patch with a security update, inform your users explaining its importance via all possible channels. Make security updates mandatory to ensure that you reach as many instances of your application as possible.Any software product, no matter how large or small it is, should have sufficient security. Security measures must always be planned as the top priority, never on the leftover principle. Set your mobile app security standards from the very beginning and stick to them. At the same time, never stop following the news and testing your app to be able to respond quickly to any possible threat.We hope our tips on securing your mobile applications will help you plan your protection mechanisms in the best way. Once you have established strict policies and high standards of security maintenance, you will always be on alert. If you need a more profound consultation on applying specific security mechanisms, contact our team to discuss them in more detail.