Client-side attacks, and particularly code injection at the client, might be the first thing a layperson thinks of when they hear about mobile security threats. Client-side injection in mobile applications works in a way similar to certain server-side security risks. According to Jack Mannino, client-side injection has its roots in software that inappropriately treats data entered by the user as code. This is essentially the same thing as SQL injection or cross-site scripting, with the important difference that the code is being submitted as data to the client instead of the server.
While tried-and-true techniques for securing the server against SQL injection can also protect against client-side attacks, there are nuances to mobile application security. "Developers are getting better at including client-side code that restricts what input is permitted on the device, but are forgetting that we can't trust the client," DeLaGrange said. He suggested implementing controls to prevent code injection in the mobile application and in mobile services. "Mobile app testers need to test that all input is properly validated and that output is properly encoded or formatted, especially with applications using browser libraries."
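As an added illustration (not code from the article or from the people quoted), here is a JavaScript sketch of the point above: a hybrid mobile app that renders a user-supplied display name into markup for its embedded browser view, showing the unsafe concatenation beside a version that validates the input and HTML-encodes the output. The function names, the allow-list and the sample input are assumptions made for this example.

```javascript
// Added example, not from the original article. A hybrid mobile app builds a
// greeting fragment for its WebView from a display name supplied by the user.

// Characters that carry meaning in HTML, mapped to their entity forms.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding: data placed into HTML must not be parsed as markup.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input validation: an allow-list of what a display name may contain
// (assumed policy: letters, digits, space, apostrophe, underscore, dot, dash; 1-32 chars).
function isValidDisplayName(name) {
  return typeof name === 'string' && /^[A-Za-z0-9 '_.-]{1,32}$/.test(name);
}

// Vulnerable: untrusted data is concatenated straight into markup,
// so the WebView treats the user's data as code.
function renderGreetingUnsafe(name) {
  return '<p>Welcome, ' + name + '</p>';
}

// Hardened: reject anything outside the allow-list, and still encode on output.
// Encoding is kept even after validation because characters the allow-list
// legitimately permits (the apostrophe in O'Brien) are still HTML-significant.
function renderGreetingSafe(name) {
  if (!isValidDisplayName(name)) {
    throw new Error('invalid display name');
  }
  return '<p>Welcome, ' + encodeForHtml(name) + '</p>';
}

// Constructed sample input: a name field carrying markup instead of a name.
const SAMPLE_INJECTED_NAME = '<script>alert(1)</script>';

function demo() {
  // Unsafe path hands the markup to the browser engine unchanged.
  const unsafe = renderGreetingUnsafe(SAMPLE_INJECTED_NAME);
  // Safe path rejects it at validation; encoding would neutralise it if it got through.
  let safeResult;
  try {
    safeResult = renderGreetingSafe(SAMPLE_INJECTED_NAME);
  } catch (e) {
    safeResult = 'rejected: ' + e.message;
  }
  return { unsafe, safeResult, encoded: encodeForHtml(SAMPLE_INJECTED_NAME) };
}
```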
Mannino stressed that, to an inventive hacker, client-side injection attacks may create holes through which various functions on the phone might be accessed. An injection vulnerability might even allow malicious hackers to adjust trust settings on the device for other applications. If they can inject code, it's actually possible for hackers to find ways to break out of sandboxes and wreak havoc.