Please fill the form below.
For sales queries, call us at:
If you've got powerful skills, we'll pay your bills. Contact our HR at:
Carrying an industry record of developing 100% hack proof applications come with a responsibility and a baseline guarantee that none of the digital solutions developed under our name would face security breach.
As a way to achieve that, Appinventiv’s Quality Assurance team are familiar with all the possible security risks which an app can face. Knowing the risks makes it easy to ignore pitfalls and write secure apps.
Helping us be on top of the game when it comes to assuring security is having a complete knowledge of OWASP secure coding practices (Open Web Application Security Project). It is an online community of security specialists who have developed free documentation, learning materials, and tools for building secure mobile and web applications.
Along with other things, they have also compiled a list of OWASP Mobile Top 10 security threats in mobile applications.
While the OWASP security practices document is fairly clear, it can sometimes be difficult for businesses to connect it from real-world cases.
In this article, we will give you a basic overview of Top 10 mobile security risks and give examples of the real world disclosed vulnerabilities for each of them. It will give you an insight into what we prepare for at Appinventiv when we work on your application.
Before looking into the risks, let us look into statistics.
NowSecure looked into the apps on Google Play store and App store identified that over 85% of apps violate one of the risks.
Of these applications, 50% have had insecure data storage and somewhere the same number of apps were working with insecure communication risk. Here’s a graph showcasing the percentage of occurence of the OWASP Mobile Top 10 risks
The category of OWASP security testing consists of the misuse of a device functionality or the instance of failure when using platform’s security controls. It can include platform permissions, Android intents, misuse of the TouchID, Keychain, etc.
Three iOS apps: “Fitness Balance app”, “Heart Rate Monitor”, and “Calories Tracker app” came into light for bypassing Apple’s Touch ID. They were asking users to use their fingerprint to get fitness information, while they were using it to charge money from the App Store.
OWASP consider it a threat when someone gets access to a lost/stolen mobile device or when malware or another repackaged app starts acting on the adversary’s behalf and executes action on mobile device.
An insecure data storage vulnerability usually lead to these risks:
Dating apps like Tinder, OKCupid, and Bumble have time and again been scrutinized for their insecure data storage practices. The security lapses present on these apps vary according to feasibility and severity and feasibility, can expose users’ name, login details, message history, and even location, in addition to other personal account activity.
When devising a mobile app, data is exchanged in client-server model. So, when the data is transmitted, it should first traverse the device’s carrier network and the internet. The threat agents could exploit vulnerabilities and intercept sensitive data while traveling across wire. Here are the different threat agents who exist:
The interception of sensitive data via communication channel would end up in a privacy violation, which can lead to:
Rapid7 security company disclosed several vulnerabilities attached with kids’ smartwatches. Those watches were marketed as ones used by parents for tracking their children and sending them messages or making calls on their smartwatch.
The watches were supposed to be contacted by approved contact numbers through the mode of a whitelist, but the company found that the filters were not even working. The watches even accepted configuration commands via text messages. It meant that a hacker could change the watch settings and put children at risk.
“You can identify where the phone or the child is, you can gain access to audio, or make phone calls to children,” said Deral Heiland, the IoT research lead at Rapid7.
Applying TLS/SSL for transporting channels is also one of the mobile app security best practices to consider when it comes to transmitting sensitive information and other sensitive data.
The threat agents who exploit authentication vulnerabilities do so via automated attacks which makes use of custom-built or available tools.
The business impact of M4 can be:
In 2019, a US bank was hacked by a cyber attacker who took advantage of the bank’s website flaw and circumvented the two-factor authentication that was implemented for protecting accounts.
The attacker logged into the system through stolen victim credentials and upon reaching the page where PIN or security answer had to be entered, the attacker used a manipulated string in the Web URL, which had set the computer as a recognized one. This enabled him to cross the stage and initiate the wire transfers.
The threat agents in this case are the ones who have the physical access of data which was encrypted wrongly. Or where a malware is acting on the behalf of adversary.
Broken cryptography generally result in these cases:
Sometimes ago an alert from DHS Industrial Control Systems’ Cyber Emergency Response Team and the Philips advisory warned users of a possible vulnerability in the Philips HealthSuite Health Android app.
The issue which was tracked back to inadequate encryption strength, opened the app to hackers who could get access to users’ heart rate activity, blood pressure, sleep state, weight and body composition analysis, etc.
In this case, the threat agents are able to access someone else’s application typically via automated attacks which use custom-built or available tools.
It can lead to following issues:
The Information security specialists at Pen Test Partners hacked Pandora, a smart car alarm system. In theory, the application is used to track a car, cut off the engine if stolen and lock it until police arrive.
On the other side of the coin, a hacker can hijack the account and get access to all the data and the smart alarm functionalities. Additionally, they could:
In these cases, untrusted inputs are passed by entities to method calls made in the mobile code. An effect of this can be technical issues which can lead to degradation of performance, heavy memory usage, and poor working front-end architecture.
WhatsApp last year patched a vulnerability that hackers were taking advantage of for installing surveillance malware called Pegasus Spyware on smartphones. All they had to do was place a WhatsApp audio call on the targeted phone numbers.
Within a simple few steps, hackers were able to get in the users’ devices and access it remotely.
Usually, in this case, an attacker exploits code modification via malicious forms of the apps hosted in the third-party app stores. They might also trick users into installing an application through phishing attacks.
An attacker typically downloads the targeted app from the app store and analyzes it inside their local environment with a suite of different tools. Following which, they are able to change the code and make the app function different.
Pokemon Go recently faced the security breach glances when it was found that users had reverse engineered the app to know the vicinity of the Pokemons and catch them in minutes.
Usually, a hacker looks at the extraneous functionality inside a mobile app in order for discovering the hidden functionalities in the backend systems. The attacker would exploit extraneous functionality from their own systems without any end-users involvement.
The idea of Wifi File Transfer app was to open port on Android and allow connections from the computer. The problem? An absence of authentication such as passwords, meaning, anyone could connect to a device and get its full access.