While session handling is a known security concern for Web applications, it can be an even bigger problem in the world of enterprise mobile applications. Improper session handling leads to vulnerabilities that are quite common, despite the potential that a lost or stolen device could have severe consequences.
"Because of the way mobile applications are used, many developers allow long or nonexpiring user sessions, or use session tokens that are too predictable," said DeLaGrange. Mannino explained further that consumer applications often want users to have fast access to purchasing and checkout so that sales can be made before the user can have second thoughts. On the enterprise side, mobile application developers are frequently looking to please users by speeding up the app and making it simpler. Reducing the need for constantly logging into the application reduces friction for the users.
DeLaGrange points out that "poor session management can lead to unauthorized access through session hijacking." If a mobile device is lost or stolen while the user is logged into a mobile application, anyone who takes possession of the device can potentially access anything that user was working on. Improper session handling can also increase the severity of any brute-force attack that succeeds, says Mannino, by considerably broadening the window in which attackers can work in the system.
Mannino also has tips for reaching a happy medium between providing a streamlined user experience and narrowing the window for attacks that manage to hijack or fixate a session. He suggests requiring reauthentication for privileged functions, such as purchasing in commercial apps, and points to the way Amazon secures its mobile services: users can browse the available products, but when they go to make a purchase, the system checks for recent authentication and will probably ask the user to sign in again at that point.
When it comes to testing mobile application session handling, the process is fairly similar to testing Web applications for improper session handling. "Mobile app testers should assess session expiration, session token entropy and that a logout function actually sends a request to the mobile service to immediately expire the session," according to DeLaGrange. He explains that traditional Web application testing tools, such as PortSwigger's Burp Suite, can be extended to help mobile application testers inspect session tokens, test for token entropy and check that sessions are terminated when the user logs out.
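The two preceding passages describe a design (step-up reauthentication for privileged functions) and a test plan (expiration, token entropy, server-side logout). The following is an added example, not code from the article or from any product mentioned in it, showing a minimal server-side session store for a mobile backend that implements those properties, together with the checks a tester would run against it. The timeout values, the `FakeClock`, the user names and the counter-style "predictable token" sample are all constructed for illustration.

```python
import math
import secrets
import time
from collections import Counter
from dataclasses import dataclass

# Assumed policy values (not from the article); tune per application risk.
IDLE_TIMEOUT = 15 * 60        # seconds without activity before the session dies
ABSOLUTE_TIMEOUT = 12 * 3600  # hard cap on lifetime, regardless of activity
REAUTH_WINDOW = 5 * 60        # privileged action needs a credential check this recent


@dataclass
class Session:
    user: str
    created: float    # when the token was issued
    last_seen: float  # last request that used this token
    last_auth: float  # last time the user actually proved their identity


class SessionStore:
    """Sessions live server-side, so the service (not the device) decides validity."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so expiry can be tested without sleeping
        self._sessions = {}

    def login(self, user):
        # 32 bytes from the OS CSPRNG: 256 bits, nothing to predict or enumerate.
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(user, now, now, now)
        return token

    def lookup(self, token):
        """Return the live Session for a token, or None if unknown or expired."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s.created > ABSOLUTE_TIMEOUT or now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[token]  # expired: remove it so it cannot be revived
            return None
        s.last_seen = now
        return s

    def reauthenticate(self, token):
        """Record a fresh credential check (password, biometric) on a live session."""
        s = self.lookup(token)
        if s is None:
            return False
        s.last_auth = self._clock()
        return True

    def authorize_privileged(self, token):
        """Checkout-style decision: 'denied', 'reauth_required' or 'allowed'."""
        s = self.lookup(token)
        if s is None:
            return "denied"
        if self._clock() - s.last_auth > REAUTH_WINDOW:
            return "reauth_required"  # browsing is fine; paying needs a recent sign-in
        return "allowed"

    def logout(self, token):
        # Logout must reach the server; forgetting the token on the device is not enough.
        self._sessions.pop(token, None)


def per_char_entropy_bits(tokens):
    """Empirical Shannon entropy per character over a token sample (tester's yardstick):
    base64url tokens approach 6 bits, a zero-padded counter scores near 1."""
    counts = Counter("".join(tokens))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


class FakeClock:
    """Constructed clock so the checks can fast-forward time."""
    def __init__(self, start=1_700_000_000.0):
        self.now = start
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


def run_checks():
    """Exercise expiration, step-up auth, server-side logout and token entropy."""
    clock, results = FakeClock(), {}
    store = SessionStore(clock)
    t = store.login("alice")                      # 1. idle session must expire
    clock.advance(IDLE_TIMEOUT + 1)
    results["idle_expired"] = store.lookup(t) is None
    t = store.login("alice")                      # 2. alive, but checkout needs re-login
    clock.advance(6 * 60)
    results["before_reauth"] = store.authorize_privileged(t)
    store.reauthenticate(t)
    results["after_reauth"] = store.authorize_privileged(t)
    store.logout(t)                               # 3. token dead on the server afterwards
    results["dead_after_logout"] = store.lookup(t) is None
    random_tokens = [store.login("bob") for _ in range(200)]
    counter_tokens = [f"{n:012d}" for n in range(200)]  # constructed predictable scheme
    results["random_unique"] = len(set(random_tokens)) == 200
    results["random_entropy"] = per_char_entropy_bits(random_tokens)
    results["counter_entropy"] = per_char_entropy_bits(counter_tokens)
    return results


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value}")
```

The entropy function is only a quick screen: it catches counter-style or timestamp-derived tokens, but a token can score well per character and still be predictable if it is derived from guessable inputs, which is why Burp-style sequencer tests collect a large sample and apply several statistical tests rather than one.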