Traditional security flaws crop up in mobile app software so often that it seems as if we're intentionally trying to live out Albert Einstein's definition of insanity: Do the same thing time and again but expect different results.
New mobile app software: Same old security flaws
In the past few months security expert Kevin Beaver has spotted the following flaws in mobile apps -- using source code analysis software. He wonders why we are still making the same security mistakes.
- Code injection: Code injection is an umbrella term for a broad class of attacks, including SQL injections, which depend on inserting code that is then executed by the application.
- Session fixation: This vulnerability, which lets an attacker hijack a valid user session, is a variant of session hijacking. The session fixation attack fixes an established session on the victim's browser, so the attack starts before the user logs in, according to OWASP.
- Path traversal: Also known as a "directory traversal," this attack aims to access files and directories that are stored outside the Web root folder, according to OWASP.
- Weak passwords: Compared with strong passwords, weak passwords have fewer characters and they often lack numbers and special characters. That makes them relatively easy for a password cracker to break.
- Hard-coded cryptographic keys: Hard-coded cryptographic keys may provide a false sense of security. Some people believe that hashing a hard-coded password before storage protects the information from malicious users. But many hashes are reversible.
In the past few months, using a source code analysis tool, I've uncovered, in both iOS and Android mobile app software, the following, seemingly decades-old security weaknesses:
- Code injection
- Session fixation
- Path traversal
- Weak passwords
- Hard-coded cryptographic keys
Any of these sound familiar? These software security problems could literally be taken from textbooks that originated in the 1990s. In fact, some of these concepts go as far back as James Martin's 1973 book titled Security, Accuracy, and Privacy in Computer Systems. Over the past several decades we've evolved from standalone programs to client-server applications to Web applications and now mobile app software. And yet we're still seeing the same old security problems.
So, how can you avoid falling into this perpetual cycle of software insecurities? Here are three actions you can take to strengthen your mobile apps:
- Use good source analysis tools to find flaws at the source-code level and improve the overall quality of your mobile application life cycle. With all the demands on your time, it's practically impossible to find everything that matters via old-fashioned manual source code analysis.
- Stop relying on tools alone. When you put aside all the technical stuff and simply look at your mobile apps from a malicious user's perspective, you'll likely uncover flaws that are often glaringly obvious and so simple to exploit. The last thing you need is some low-hanging fruit to lead to information exposure or unauthorized system access.
- Study the well-established software security flaws documented by OWASP and books such as 24 Deadly Sins of Software Security and ensure everyone on your team is aware of what can go wrong when they don't take their coding seriously enough. Also, keep an eye out for upcoming publications under the OWASP Mobile Security Project and related content such as Security Innovation's Mobile Security Academy that can help you with mobile app-specific issues.
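To make the first action concrete, here is a small source-level check for one flaw from the list above, hard-coded cryptographic keys. It is an added example, not the analysis tool used for this article; the Java sample and all names in it are constructed, and the regex heuristic only covers keys passed to Java's `SecretKeySpec` as a literal or a literal-initialised `String`.

```python
import re

# Constructed Android-style Java source used as sample input (not from any real app).
SAMPLE_JAVA = '''
public class TokenStore {
    private static final String KEY = "0123456789abcdef";
    private static final String LABEL = "token-store";

    byte[] seal(byte[] data) throws Exception {
        SecretKeySpec spec = new SecretKeySpec(KEY.getBytes("UTF-8"), "AES");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, spec);
        return c.doFinal(data);
    }

    SecretKeySpec legacy() {
        return new SecretKeySpec("changeit-changeit".getBytes(), "AES");
    }

    SecretKeySpec fromKeystore(byte[] raw) {
        return new SecretKeySpec(raw, "AES");   // key supplied at run time: not flagged
    }
}
'''

# A String variable or constant initialised from a string literal.
LITERAL_ASSIGN = re.compile(r'\bString\s+(\w+)\s*=\s*"[^"]*"\s*;')
# First argument of a SecretKeySpec constructor: either a literal or an identifier.
KEYSPEC_ARG = re.compile(r'new\s+SecretKeySpec\(\s*("[^"]*"|\w+)')


def find_hardcoded_keys(source):
    """Return (line_number, reason) for each SecretKeySpec built from literal key material."""
    literal_vars = set(LITERAL_ASSIGN.findall(source))
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for arg in KEYSPEC_ARG.findall(line):
            if arg.startswith('"'):
                findings.append((lineno, "string literal used as key"))
            elif arg in literal_vars:
                findings.append((lineno, "key taken from literal constant " + arg))
    return findings


if __name__ == "__main__":
    for lineno, reason in find_hardcoded_keys(SAMPLE_JAVA):
        print("line %d: %s" % (lineno, reason))
```

A pattern check like this only catches the obvious cases, which is why the second action, reviewing the app by hand, still matters.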
We keep saying the same old things when it comes to mobile app security. I suspect that neither DevOps nor any other tweak in your mobile ALM process is going to fix these basic coding problems. In fact, today's business demands and information systems complexities will likely make matters worse if you don't somehow focus on software security fundamentals. Left unchecked, these programming flaws will continue in whatever's beyond mobile apps in the years ahead. Resolve to get to the root of the problems in your development and QA processes and be done with this burden once and for all.
This was first published in February 2013