Mobile applications security

Grey Wizard
Jan 25, 2018

As mobile devices grow in popularity, the number of applications available for them grows too. Apart from games, many applications are front ends for services such as shops, banks, social networks and messengers. Most of them are thin interfaces that talk to the service over HTTP/HTTPS through an API.

At Grey Wizard, besides protecting against cyberattacks (DDoS in particular), we also analyse the current threats our users may face. We have repeatedly analysed mobile applications and protected the backend systems behind them against various threats. Based on that work, we want to present the aspects that deserve attention both when an application is built and when it is used.

Data storage

The first thing to consider is how information is stored on the device. To ship an application as quickly as possible, developers often pick the simplest storage method available: configuration files or a simple relational database such as SQLite.

Such storage gives an intruder direct access, especially when the files can be moved to external memory such as an SD card. Data on external storage is not protected: anyone who moves the card to another reader can read and write it within moments. In this way crucial data can be read or even modified (for example dynamically loaded libraries or executed binaries), which may allow complete control over the application or make its detailed analysis easier.

Use only the device's internal storage, and additionally encrypt the data saved there with keys held in the KeyStore, which provides a safe way to store keys and control access to the data. If other applications ever need access to the data, grant it dynamically: only in specific cases, only after defined actions have been performed, and revoke it immediately afterwards.

Data transmission

Most applications use network services as their data source. Mobile users often connect through public hotspots, which, when controlled by an untrusted party, can be used to intercept the traffic between an unsuspecting user and the data source. For this reason, all transmission should take place only over SSL/TLS.

Tools such as Burp Suite or OWASP ZAP are frequently used to analyse an application, and they handle HTTPS as well. The intruder's task can be made harder by having the application verify the data source more strictly, for example by checking the signature of the SSL certificate that identifies it (certificate pinning) and abandoning further communication if it does not match.
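As an added example (not code from the original post), the following Android client pins the server's public key with OkHttp's CertificatePinner, which is one way to do the stricter source verification described above. The host name api.example.com and the two pin strings are placeholders; the comment shows how the real pin values are derived from the server certificate.

```java
import java.io.IOException;
import java.util.concurrent.TimeUnit;

import javax.net.ssl.SSLPeerUnverifiedException;

import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

/** HTTP client that refuses any TLS chain that does not contain one of the pinned public keys. */
public final class PinnedApiClient {
    // Assumed host name; replace with the real API host.
    static final String API_HOST = "api.example.com";

    // Placeholders: base64 SHA-256 of the SubjectPublicKeyInfo of the server (or intermediate) certificate.
    // Derive with: openssl x509 -in server.pem -pubkey -noout | openssl pkey -pubin -outform der
    //              | openssl dgst -sha256 -binary | openssl enc -base64
    static final String PRIMARY_PIN = "sha256/PRIMARY_PIN_BASE64_PLACEHOLDER=";
    static final String BACKUP_PIN  = "sha256/BACKUP_PIN_BASE64_PLACEHOLDER=";

    private final OkHttpClient client;

    public PinnedApiClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, PRIMARY_PIN)
                .add(API_HOST, BACKUP_PIN)   // pin for the next key, so a planned rotation does not lock users out
                .build();
        client = new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .connectTimeout(10, TimeUnit.SECONDS)
                .build();
    }

    /**
     * Returns the response body, or null when the presented chain matched no pin
     * (an interception proxy with its own CA, or an unplanned key change).
     */
    public String get(String path) throws IOException {
        Request request = new Request.Builder().url("https://" + API_HOST + path).build();
        try (Response response = client.newCall(request).execute()) {
            if (!response.isSuccessful()) throw new IOException("HTTP " + response.code());
            return response.body().string();
        } catch (SSLPeerUnverifiedException e) {
            // OkHttp raises this when pinning fails. Stop here; never fall back to an unpinned client.
            return null;
        }
    }
}
```

A proxy such as Burp Suite or OWASP ZAP presents a certificate issued by its own CA; even if the user has installed that CA on the device, the public key inside it does not match the pin and the connection is dropped. Keep a backup pin for the next server key so that rotating the certificate does not leave every installed copy of the app unable to connect.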

Data source

The most common way of providing data to mobile applications is to call a service exposed as an API over HTTP.

This is the most critical point and the one most frequently attacked by intruders. As part of our services we actively detect and block successive attack attempts against such services. The most frequent case is attempted account takeover by means of dictionary and brute-force attacks.

To hide such an attack, cybercriminals spread it across hundreds of IP addresses. It is therefore worth introducing a mechanism that limits login attempts, or dynamically generated tokens bound to a specific device with a short expiry period.
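As an added example (not code from the original post), here is a server-side guard for a login API that combines the two measures above: failed attempts are counted per account and per device in a sliding window, so spreading the attack over many IP addresses does not help, and a successful login yields a short-lived HMAC token bound to the device that obtained it. The limits, the token lifetime and the class name are assumed values; the HMAC key would come from the server's secret configuration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayDeque;
import java.util.Base64;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Login throttling per account and per device, plus short-lived device-bound HMAC tokens. */
public final class LoginGuard {
    static final int MAX_FAILURES = 5;                       // assumed limit per account / per device
    static final Duration WINDOW = Duration.ofMinutes(15);   // assumed sliding window
    static final Duration TOKEN_TTL = Duration.ofMinutes(5); // assumed token lifetime

    private final byte[] hmacKey;
    // Failure timestamps keyed by "acct:<login>" and "dev:<deviceId>", never by IP alone,
    // so distributing attempts across many addresses does not reset the counter.
    private final Map<String, Deque<Instant>> failures = new HashMap<>();

    public LoginGuard(byte[] hmacKey) {
        this.hmacKey = hmacKey.clone();
    }

    /** True when either the account or the device has already exceeded MAX_FAILURES inside WINDOW. */
    public synchronized boolean isThrottled(String account, String deviceId, Instant now) {
        return recentFailures("acct:" + account, now) >= MAX_FAILURES
            || recentFailures("dev:" + deviceId, now) >= MAX_FAILURES;
    }

    /** Call after every failed password check. */
    public synchronized void recordFailure(String account, String deviceId, Instant now) {
        failures.computeIfAbsent("acct:" + account, k -> new ArrayDeque<>()).addLast(now);
        failures.computeIfAbsent("dev:" + deviceId, k -> new ArrayDeque<>()).addLast(now);
    }

    private int recentFailures(String key, Instant now) {
        Deque<Instant> q = failures.get(key);
        if (q == null) return 0;
        Instant cutoff = now.minus(WINDOW);
        while (!q.isEmpty() && q.peekFirst().isBefore(cutoff)) q.pollFirst(); // drop entries outside the window
        return q.size();
    }

    /** Token layout: account|device|expiry|HMAC. Issued only after a successful login. */
    public String issueToken(String account, String deviceId, Instant now) throws GeneralSecurityException {
        long expiry = now.plus(TOKEN_TTL).getEpochSecond();
        String payload = account + "|" + deviceId + "|" + expiry;   // assumes '|' cannot occur in the ids
        return payload + "|" + Base64.getUrlEncoder().withoutPadding().encodeToString(hmac(payload));
    }

    /** Accepts the token only if the MAC is valid, the same device presents it, and it has not expired. */
    public boolean verifyToken(String token, String presentedDeviceId, Instant now) throws GeneralSecurityException {
        String[] parts = token.split("\\|", -1);
        if (parts.length != 4) return false;
        String payload = parts[0] + "|" + parts[1] + "|" + parts[2];
        byte[] given;
        try {
            given = Base64.getUrlDecoder().decode(parts[3]);
        } catch (IllegalArgumentException e) {
            return false;
        }
        if (!MessageDigest.isEqual(hmac(payload), given)) return false; // constant-time comparison
        if (!parts[1].equals(presentedDeviceId)) return false;          // token replayed from another device
        long expiry;
        try {
            expiry = Long.parseLong(parts[2]);
        } catch (NumberFormatException e) {
            return false;
        }
        return now.getEpochSecond() < expiry;
    }

    private byte[] hmac(String data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(hmacKey, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }
}
```

The login handler calls isThrottled before checking the password, recordFailure after a wrong one, and issueToken after a correct one; every later API call passes the token together with the device id through verifyToken. Because the token expires within minutes and is rejected when presented from a different device, a token captured on an untrusted hotspot is of little use, and the per-account counter means a distributed guessing campaign hits the limit just as fast as one from a single address.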

Other examples are attempts to break into a service by means of SQL injection, data manipulation (for instance to influence the results of a game), and denial-of-service attacks (DDoS) intended to slow down or block users' access to the service.
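As an added example (not code from the original post), the following JDBC class shows the pattern behind SQL injection next to its fix. The first method builds the query from the login value, so a value containing quote characters changes the statement; the second binds the value as a parameter, so it is only ever treated as data. The users table and the class name are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Optional;

/** Looking up a user by login: the injectable pattern beside the parameterised one. */
public final class UserLookup {
    private final Connection conn;

    public UserLookup(Connection conn) {
        this.conn = conn;
    }

    /**
     * DO NOT USE: the login value becomes part of the SQL text, so a value
     * containing quote characters alters the query instead of being matched as data.
     */
    public Optional<Long> findIdUnsafe(String login) throws SQLException {
        String sql = "SELECT id FROM users WHERE login = '" + login + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? Optional.of(rs.getLong("id")) : Optional.empty();
        }
    }

    /** Safe: the value travels as a bound parameter and cannot change the statement. */
    public Optional<Long> findId(String login) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement("SELECT id FROM users WHERE login = ?")) {
            ps.setString(1, login);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? Optional.of(rs.getLong("id")) : Optional.empty();
            }
        }
    }
}
```

The same rule that applies to the query applies to the data-manipulation case mentioned above: anything the mobile client sends, whether a login name or a game score, is untrusted input, and the server should validate or recompute it rather than store it as received.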

Originally published at greywizard.com.
