Improper session handling - Top ten threats to mobile enterprise security


Improper session handling

7 of 11
[Image: Proper session handling puts a lock on mobile security. Source: fotolia]

While session handling is a well-known security concern for Web applications, it can be an even bigger problem in the world of enterprise mobile applications. Vulnerabilities caused by improper session handling are quite common, even though a lost or stolen device carrying a live session can have severe consequences.

"Because of the way mobile applications are used, many developers allow long or nonexpiring user sessions, or use session tokens that are too predictable," said DeLaGrange. Mannino explained further that consumer applications often want users to have fast access to purchasing and checkout so that sales can be made before the user can have second thoughts. On the enterprise side, mobile application developers are frequently looking to please users by speeding up the app and making it simpler. Reducing the need for constantly logging into the application reduces friction for the users.

DeLaGrange points out that "poor session management can lead to unauthorized access through session hijacking." If a mobile device is lost or stolen while the user is logged into a mobile application, anyone who takes possession of the device can potentially access anything that user was working on. Improper session handling can also increase the severity of any brute force attack that succeeds against the application by considerably broadening the window attackers have to work in the system, says Mannino.

Mannino also has tips for reaching a happy medium between providing a streamlined user experience and reducing the window for attacks that manage to hijack or fixate a session. He suggests requiring reauthentication for privileged functions, such as purchasing in commercial apps, and points to the way Amazon secures its mobile services: users can browse through the available products, but when they go to make a purchase, the system checks for recent authentication and will probably ask the user to sign in again at that point.

When it comes to testing mobile application session handling, the process is fairly similar to testing Web applications for improper session handling. "Mobile app testers should assess session expiration, session token entropy and that a logout function actually sends a request to the mobile service to immediately expire the session," according to DeLaGrange. He explains that traditional Web application testing tools, such as PortSwigger's Burp Suite, can be extended to help mobile application testers inspect session tokens, test for token entropy and check that sessions are terminated when the user logs out.
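The controls described in the last three paragraphs (unpredictable tokens, idle and absolute expiry, server-side invalidation on logout, and step-up reauthentication for privileged functions such as purchasing) fit in a small server-side session store. The following is an added example written for this page, not code from the article, from the experts quoted or from any product; the timeout values, the `SessionStore` API and the crude per-token entropy heuristic at the end are all assumptions chosen for illustration. The `ManualClock` exists only so the expiry behaviour can be exercised without waiting.

```python
"""Server-side session handling for a mobile back end (added example, not from the article)."""
import math
import secrets
import time
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional

# Policy constants: hypothetical values chosen for illustration, not recommendations from the page.
IDLE_TIMEOUT = 15 * 60          # expire after 15 minutes without a request
ABSOLUTE_LIFETIME = 12 * 3600   # never let a session live longer than 12 hours, however active
REAUTH_WINDOW = 5 * 60          # privileged actions need a credential check within the last 5 minutes
TOKEN_BYTES = 32                # 256 bits from the OS CSPRNG; nothing sequential or time-derived


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    last_auth: float     # time of the most recent password/biometric check
    revoked: bool = False


class ManualClock:
    """Settable clock so expiry can be tested deterministically."""
    def __init__(self, start: float = 1_000.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str) -> str:
        now = self._clock()
        token = secrets.token_urlsafe(TOKEN_BYTES)   # unpredictable; cannot be guessed from earlier tokens
        self._sessions[token] = Session(user, now, now, now)
        return token

    def lookup(self, token: str) -> Optional[Session]:
        """Return the live session for token, or None if unknown, revoked or expired."""
        s = self._sessions.get(token)
        if s is None or s.revoked:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_LIFETIME:
            s.revoked = True          # expiry is enforced on the server, not left to the client
            return None
        s.last_seen = now
        return s

    def reauthenticate(self, token: str) -> bool:
        """Record a fresh credential check on a live session (the step-up sign-in prompt)."""
        s = self.lookup(token)
        if s is None:
            return False
        s.last_auth = self._clock()
        return True

    def authorize(self, token: str, privileged: bool = False) -> bool:
        """Any live session may browse; privileged calls (e.g. checkout) need a recent credential check."""
        s = self.lookup(token)
        if s is None:
            return False
        if privileged and self._clock() - s.last_auth > REAUTH_WINDOW:
            return False              # caller should respond by prompting the user to sign in again
        return True

    def logout(self, token: str) -> bool:
        """Invalidate on the server immediately, so a token reused after logout is rejected."""
        s = self._sessions.get(token)
        if s is None:
            return False
        s.revoked = True
        return True


def token_sample_check(tokens: Iterable[str], min_bits: float = 64.0) -> dict:
    """Tester-side sanity check on a sample of issued tokens: all unique, and a crude
    Shannon-entropy estimate (per-character entropy times length) above a floor.
    This heuristic only catches obviously weak tokens; a real assessment uses a
    statistical analyser such as the Burp Sequencer the text mentions."""
    toks = list(tokens)
    unique = len(set(toks)) == len(toks)
    estimates = []
    for t in toks:
        n = len(t)
        counts = Counter(t)
        per_char = -sum(c / n * math.log2(c / n) for c in counts.values())
        estimates.append(per_char * n)
    lowest = min(estimates) if estimates else 0.0
    return {"unique": unique, "min_estimated_bits": lowest, "passes": unique and lowest >= min_bits}
```

The check that matters most in testing is the last one: after `logout`, `authorize` must fail even though the device may still hold the token string. A store that only deletes the token on the client leaves the window DeLaGrange describes wide open.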
