OWASP Mobile Top 10 2024 – Guide to Addressing the Most Critical Vulnerabilities for Mobile App Security
Intuitive features and sleek interfaces of mobile apps are essential for providing a high user experience and maximizing the revenue of developers. However, behind the flashy features and design, users' personal information can be easily exposed. While successful app launches and continuous operation are important, improving security is also a crucial resource for both the developers and users of the app.
However, a poor approach to security can lead to disastrous consequences. If incorrect mobile security is applied to an application, users may lose trust in the business. To address this, a worldwide not-for-profit organization Open Worldwide Application Security Project(OWASP) provides various free open-source tools, documents, and resources to help organizations strengthen their security posture. One of the most well-known projects is the OWASP Top Mobile 10, which plays a crucial role in raising awareness about application security risks.
Below are the top 10 mobile application vulnerabilities newly announced by OWASP in 2024.
OWASP Mobile Top 10 2024
M1: Improper Credential Usage
M2: Inadequate Supply Chain Security
M3: Insecure Authentication/Authorization
M4: Insufficient Input/Output Validation
M5: Insecure Communication
M6: Inadequate Privacy Controls
M7: Insufficient Binary Protections
M8: Security Misconfiguration
M9: Insecure Data Storage
M10: Insufficient Cryptography
Then, let's have a detailed look of OWASP Mobile Top 10 2024.
(This is extracted from https://owasp.org/www-project-mobile-top-10/)
1. Improper Credential Usage
Code and scripts written by developers often require credentials (such as SSH keys and API tokens) and passwords to access various resources and interact with other applications and tools. To save time, developers frequently include sensitive information in the code. When such credentials are hard-coded, critical information is exposed to anyone who has access to this code.
To manage credentials securely, hard-coded credentials should not be used, and the following management measures are necessary.
-Proper Measures
* Encrypt credentials during transmission.
* Do not store user credentials on the device. Instead, consider using secure, revocable access tokens.
* Implement strong user authentication protocols.
* Regularly update and rotate any used API keys or tokens.
2. Inadequate Supply Chain Security
If the mobile app supply chain is vulnerable, hackers can insert malicious code into the codebase or modify code during the build process to insert backdoors, spyware, or other malware, allowing them to steal data, monitor users, or control mobile devices.
These threats particularly arise when using mobile apps developed by third parties or relying on third-party libraries and components. If app developers do not properly inspect or update third-party components, they can be vulnerable to such attacks.
-Proper Measures
* Implement secure coding practices, code review, and testing throughout the mobile app development lifecycle to identify and mitigate vulnerabilities.
* Ensure secure app signing and distribution processes to prevent attackers from signing and distributing malicious code.
* Use only trusted and validated third-party libraries or components to reduce the risk of vulnerabilities.
* Establish security controls for app updates, patches, and releases to prevent attackers from exploiting vulnerabilities in the app.
* Monitor and detect supply chain security incidents through security testing, scanning, or other techniques to detect and respond to incidents in a timely manner.
3. Insecure Authentication/Authorization
Hackers can exploit vulnerabilities in authentication or authorization systems to forge or bypass authentication in mobile apps. If the authentication system is flawed or missing, attackers can execute mobile functions anonymously from the backend server. When user identities cannot be verified, the attack source cannot be detected, exposing the risk directly.
To evaluate mobile app security, it's crucial to understand the difference between authentication and authorization. Authentication identifies individuals, while authorization verifies whether they have the necessary permissions for specific actions. The following are examples of insecure authentication and authorization in mobile apps.
-Insecure Authentication
* Anonymous Backend API Execution
* Local Storage of Passwords or Shared Secrets
* Weak Password Policy
* Usage of Features like FaceID and TouchID
-Insecure Authorization
* Presence of Insecure Direct Object Reference (IDOR) vulnerabilities
* Hidden Endpoints
* When the app transmits user roles and permissions to the backend system
-Proper Measures
* When migrating a web application to mobile, authentication requirements must align.
* All authentication requests should ideally be handled on the server side.
* If client-side data storage is necessary, encrypt the data using securely derived encryption keys from the user's login credentials.
* Users should be encouraged not to store passwords on their devices.
* Authentication and authorization control should be strengthened on the server side.
* When performing local authentication or authorization checks in an offline environment, local integrity checks should be conducted to detect unauthorized code alterations.
* The backend system should independently verify the permissions and approvals of authenticated users. Additionally, assuming that all client-side authentication can be bypassed, reinforce server-side authentication and authorization activities whenever possible.
4. Insufficient Input/Output Validation
If mobile apps fail to properly validate data from external sources such as user input or network data, they may be vulnerable to attacks specialized for the mobile environment, such as SQL injection, command injection, and XSS attacks. Hackers can gain access to the system and execute unauthorized code within the app or extract data without permission, potentially gaining control over app features and the entire mobile system.
-Proper Measures
* Input Validation: Validate and sanitize user input using strict validation techniques. Implement input length restrictions and reject unexpected or malicious data.
* Output Sanitization: Properly sanitize output data to prevent cross-site scripting (XSS) attacks. Use output encoding techniques when displaying or transmitting data.
* Context-Specific Validation: Perform specific validation based on data context (e.g., file uploads, database queries) to prevent attacks like path traversal or injection.
* Secure Coding Practices: Follow secure coding practices, such as using parameterized queries and prepared statements to prevent SQL injection.
* Regular Security Testing: Conduct regular security assessments, including penetration testing and code reviews, to identify and address vulnerabilities.
5. Insecure Communication
Mobile apps exchange data with one or more remote servers. Typically, mobile devices utilize various communication technologies such as TCP/IP, WiFi, Bluetooth/Bluetooth-LE, NFC, audio, infrared, GSM, 3G, SMS, etc., to transmit data. However, if the local network is compromised or if malicious code is inserted into network devices or mobile devices, it can lead to various damages such as account hijacking, identity theft, leakage of Personally Identifiable Information (PII), etc.
One particularly noticeable feature is the exchange of sensitive data (encryption keys, passwords, personal user information, account details, session tokens, documents, metadata, binaries, etc.) packaged for interchange between devices. In such cases, there's a risk of some data being intercepted.
-Proper Measures
* Use industry-standard encryption products with appropriate key lengths. Use certificates signed by trusted CA providers and do not accept invalid certificates (self-signed, expired, untrusted roots, revoked, incorrect hosts, etc.).
* Do not transmit sensitive data through alternative channels (e.g., SMS, MMS, or notifications). If possible, apply an additional encryption layer before sensitive data is provided over the SSL channel. In the event vulnerabilities are discovered in future SSL implementations, encrypted data serves as a secondary defense against confidentiality breaches. During the development cycle, instead of redefining SSL verification methods to allow untrusted certificates, use self-signed certificates or a local development certification authority (CA).
6. Inadequate Privacy Controls
Protecting Personally Identifiable Information (PII) involves safeguarding information such as names, addresses, credit card details, emails and IP addresses, as well as information on health, religion, sexual preferences, and political opinions. Hackers exploit this information to impersonate victims for fraud, misuse payment data, threaten victims with sensitive information, or destroy or manipulate important victim data. To obtain PII, hackers must first breach other levels of security such as networks, file systems, or log access.
-Proper Measures
* Minimize the PII being processed.
* Do not store or transmit PII unless absolutely necessary.
* Important data is protected through appropriate authentication and authorization.
7. Insufficient Binary Protections
App binaries may contain critical information such as commercial API keys or hard-coded encryption secrets. Additionally, the code within the binary may hold significant value on its own due to containing important business logic or pre-trained AI models. Hackers can manipulate the app binary not only for information gathering but also to gain free access to paid features or, in the worst-case scenario, modify popular apps to redistribute them as apps containing malicious code.
All apps are vulnerable to binary attacks. Binary attacks become particularly severe if the binary contains sensitive data or algorithms hardcoded within it, or if the app is highly popular. While obfuscation, encrypted encoding of native code (on Android), or similar measures can protect the app, they are never foolproof defenses.
-Proper Measures
* Reverse engineering :To prevent reverse engineering, attackers must be unable to understand the app binary. This can be addressed by employing code obfuscation and code encryption techniques.
* Breaking security mechanisms :Hackers need to understand the overall flow of app control to bypass security checks. Therefore, encryption and obfuscation can be highly beneficial. Additionally, local security checks should be reinforced on the backend. For example, resources required for protected functions should only be downloaded if verified locally and on the backend. Finally, integrity checks detect code tampering and detect app redistribution and modifications.
8. Security Misconfiguration
It refers to the improper configuration of security settings, permissions, and controls in mobile apps that can lead to unauthorized access. For example, using default configurations without reviewing security settings, permissions, and default credentials, or using unencrypted communication channels, neglecting security updates or patches, insecure file provider path settings, and more.
-Proper Measures
* Secure default configurations: Ensure that default settings and configurations are properly secured and do not expose sensitive information or provide unnecessary permissions.
* Default credentials: Refrain from using hardcoded default credentials.
* Insecure permissions: Avoid storing application files with overly permissive permissions like world-readable and/or world-writable.
* Least privilege principle: Request only the permissions necessary for the proper functioning of the application.
* Disable Debugging: Disable debugging features in the production version of the app.
- * Disable backup mode (Android): By disabling backup mode on Android devices, you prevent the inclusion of app data in the device’s backup, ensuring that sensitive data from the app is not stored in the device backup.
- * Limit application attack surface by only exporting activities, content providers and services that are necessary to be exported.
9. Insecure Data Storage
If data isn't securely stored, it becomes exposed to various attacks from hackers, ranging from direct data extraction to intercepting sensitive information. Therefore, encryption, secure transmission protocols, and thorough security measures are essential to prevent hackers from easily accessing sensitive data.
-Insecure Data Storage
* Lack of Access Controls
* Inadequate Encryption
* Unintentional Data Exposure
* Poor Session Management
* Insufficient Input Validation
* Cloud Storage Misconfigurations
* Third-Party Library Vulnerabilities
* Unintended Data Sharing
-Proper Measures
* Use Strong Encryption : Implement robust encryption algorithms and practices to protect sensitive data both at rest and in transit. Utilise industry-standard encryption algorithms and ensure that encryption keys are securely stored and managed.
* Secure Data Transmission: Utilise secure communication protocols (e.g., HTTPS, SSL/TLS) to protect data during transmission between the mobile application and backend servers. Avoid sending sensitive data over unsecured channels.
* Implement Secure Storage Mechanisms: Store sensitive data in secure storage locations that are inaccessible to unauthorised users. Use platform-specific secure storage mechanisms provided by the mobile operating system, such as Keychain (iOS) or Keystore (Android).
* Employ Proper Access Controls: Implement strong access controls to restrict unauthorised access to sensitive data. Authenticate users securely, enforce role-based access controls, and validate user permissions before granting access to sensitive information.
* Validate Input and Sanitize Data: Implement input validation and data sanitization techniques to prevent injection attacks and ensure that only valid and expected data is stored. Validate user inputs to mitigate the risk of malicious code injection or unintended data leakage.
* Apply Secure Session Management: Implement secure session management techniques, such as using randomly generated session tokens, setting proper session timeouts, and securely storing session data on the client and server sides.
* Regularly Update and Patch Dependencies: Keep all libraries, frameworks, and third-party dependencies up to date, as they may contain security vulnerabilities that could lead to insecure data storage. Regularly apply security patches and updates provided by the respective vendors.
- * Stay Informed: Stay up to date with the latest security threats and vulnerabilities in the mobile application landscape. Monitor security forums, security advisories, and mobile platform updates to ensure timely mitigation of emerging risks.
10. Insufficient Cryptography
Lack of sufficient encryption can result in data breaches, unauthorized access to user accounts, compromise of confidentiality, or data falsification or alteration.
-Insufficient Cryptography
* Weak Encryption Algorithms
* Insufficient Key Length
* Improper Key Management
* Flawed Encryption Implementation
* Insecure Storage of Data/Encryption Keys
* Lack of Secure Transport Layer
* Insufficient Validation and Authentication
* Lack of Salting
-Proper Measures
* Use Strong Encryption Algorithms: Implement widely accepted and secure encryption algorithms, such as AES (Advanced Encryption Standard), RSA (Rivest-Shamir-Adleman), or Elliptic Curve Cryptography (ECC). Stay updated with current cryptographic standards and avoid deprecated or weak algorithms.
* Ensure Sufficient Key Length: Select encryption keys with an appropriate length to ensure strong cryptographic strength. Follow industry recommendations for key lengths, considering the specific encryption algorithm being used.
* Follow Secure Key Management Practices: Employ secure key management techniques, such as using key vaults or hardware security modules (HSMs) to securely store encryption keys. Protect keys from unauthorized access, including restricting access to authorized personnel, encrypting keys at rest, and using secure key distribution mechanisms.
* Implement Encryption Correctly: Carefully implement encryption and decryption processes in the mobile application, adhering to established cryptographic libraries and frameworks. Avoid custom encryption implementations, as they are more prone to errors and vulnerabilities.
* Secure Storage of Encryption Keys: Ensure encryption keys are securely stored on the mobile device. Avoid storing keys in plain text or easily accessible locations. Consider using secure storage mechanisms provided by the operating system or utilizing hardware-based secure storage options.
* Employ Secure Transport Layer: Use secure transport layer protocols, such as HTTPS (HTTP Secure), for transmitting encrypted data over networks. Implement proper certificate validation and ensure secure communication channels between the mobile app and backend systems.
* Validate and Authenticate: Implement strong validation and authentication mechanisms to verify the integrity and authenticity of parties involved in the encryption process. Perform proper validation of certificates, digital signatures, or other mechanisms used for authentication.
* Regularly Update Security Measures: Stay informed about security updates, patches, and recommendations from cryptographic libraries, frameworks, and platform providers. Keep the mobile application and underlying cryptographic components up to date to address any identified vulnerabilities or weaknesses.
* Conduct Security Testing: Perform thorough security testing, including cryptographic vulnerability assessments, penetration testing, and code reviews. Identify and remediate any weaknesses or vulnerabilities discovered during the testing process.
* Follow Industry Standards and Best Practices: Stay updated with industry standards and best practices related to cryptography. Organizations like NIST (National Institute of Standards and Technology) and IETF (Internet Engineering Task Force) provide guidelines and recommendations for secure cryptographic practices.
* Use Strong Hash Functions: Choose widely recognized and cryptographically secure hash functions like SHA-256 or bcrypt. These algorithms are designed to resist attacks and provide a high level of security.
* Implement Salting: Always use a strong random salt when hashing passwords. Salting adds an extra layer of security by making it harder for attackers to use precomputed tables or rainbow tables to crack passwords.
- * Use Key Derivation Functions (KDFs): For password hashing, use Key Derivation Functions like PBKDF2, bcrypt, or scrypt. These functions are specifically designed for securely deriving cryptographic keys from passwords and provide additional security features like iteration counts to slow down brute-force attacks.
Mobile applications are vulnerable to abuse because they contain a lot of sensitive data, including personal information. Accordingly, the OWASP Foundation strives to reduce security risks or resolve issues by raising developers' awareness of security vulnerabilities and providing resources to help prevent security incidents.
Lockin Company provides various methods and services for strong app security services. By providing source code obfuscation and encryption functions through the mobile app security service LIAPP, LIAPP strongly protects mobile apps from analysis by encrypting important codes such as binary obfuscation and DEX and SO. Additionally, by providing the SSL Pinning function, it is possible to check the HTTPS certificate used by the app during communication and prevent network packet analysis by bypassing the certificate inspection.
Experience LIKEY, a powerful ONE TIME KEYPAD through the mobile app security keypad service, the user's important data is encrypted using a one-time random key that is newly generated every time, thereby safely protecting the user's input.
Team LIAPP provides expert consulting for companies that want to address security vulnerabilities in the OWASP Mobile Top 10 list.
Reference : https://owasp.org/www-project-mobile-top-10
#OWASP #mobile_app_protector #android_mobile_app_protector #mobile_game_application_protection #Mobile_App_Security #Mobile_App_Security_Solution #Anti_Tampering #Obfuscation#Encryption #Binary Obfuscation #Detecting_Bypassing_Authentication #SecureKeypad #LIKEY #LIAPP #LIAPP
