Authentication and authorization present a two-fold challenge for mobile developers. Implementing effective mobile authentication methods and authorization processes is a challenge similar in nature to its counterpart in Web-based client/server applications. At its most basic level, the question is how application developers verify, when a client attempts to access the server, that the client is actually who it identifies itself as and that the identified individual has authority to access the server resources it has requested.
In mobile applications, the challenges around authentication and authorization are made more complicated by the different identifiers in use on mobile devices, according to Jack Mannino. He says that many mobile application developers are simplifying by only relying on a single mobile identifier. Once the device has been registered with the back end, the application assumes it does not have to reauthenticate, because it's already a trusted device.
However, malicious hackers can learn to spoof that mobile identifier. "The moral of the story," says Mannino, "is that you have to treat the mobile device ID as a totally compromised value, because, as a mobile developer, you don't know what other apps the user has, and you can't control who else has access to that value." He explained that a user might register with an enterprise application and then use a third-party app with hidden malware that could collect those values.
Mannino says that using a second form of backup authentication, such as location, will help. Although those values can also be spoofed, a second factor does add an extra layer of protection. Because there are real transport layer security and insecure data storage concerns with mobile devices, Mannino says mobile applications should neither be designed to send username and password information too frequently nor to store such information on the device.
Therefore, once a user is logged in, it's important to use a mobile authentication method, such as an OAuth implementation or a session token. The important thing is for mobile developers to use "an identifier that can be persistent, but that can also be revoked if need be."
DeLaGrange explains that testers working to improve mobile authentication methods in their mobile apps should not lose focus on authorization. "Mobile app testers should test authentication and authorization mobile service controls by manipulating input and submitting requests for which the user account is not authorized, and by manipulating any identifiers used for authentication." These techniques let testers determine whether attackers could forge an identifier for authentication, or whether, after authenticating for low-level access, attackers could grant themselves higher levels of access.
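The following is an added example, not code from the article or from either of the people quoted in it. It sketches a back end that follows the advice above: the device ID is recorded only for auditing and never acts as a credential, a random server-tracked session token is issued after login and can be revoked, and every resource request is checked for authorization, so a forged token or a request for another user's account is refused. The in-memory stores, user names, and the `password_ok` flag standing in for a real credential check are constructed assumptions.

```python
import secrets
import time

# Constructed in-memory stores standing in for a backend database (assumption).
USERS = {"alice": {"role": "user"}, "bob": {"role": "admin"}}
SESSIONS = {}        # token -> {"user": ..., "device": ..., "expires": ...}
REVOKED = set()      # tokens explicitly invalidated by logout or an admin action
TOKEN_TTL = 3600     # seconds a token stays valid without re-login

def login(username, password_ok, device_id):
    """Issue a random, server-tracked session token after a successful login.

    `password_ok` stands in for a real credential check (assumption). The
    device_id is stored only for auditing: it is treated as a value an
    attacker may know, so it never authenticates anything on its own.
    """
    if not password_ok or username not in USERS:
        return None
    token = secrets.token_urlsafe(32)          # 256 bits of randomness
    SESSIONS[token] = {"user": username, "device": device_id,
                       "expires": time.time() + TOKEN_TTL}
    return token

def revoke(token):
    """Invalidate a token immediately (logout, lost device, suspected compromise)."""
    SESSIONS.pop(token, None)
    REVOKED.add(token)

def current_user(token):
    """Map a presented token back to a user; None if unknown, expired or revoked."""
    if token in REVOKED:
        return None
    sess = SESSIONS.get(token)
    if sess is None:
        return None
    if sess["expires"] < time.time():
        SESSIONS.pop(token, None)              # lazy cleanup of expired sessions
        return None
    return sess["user"]

def get_account(token, account_owner):
    """Authorization check for a resource request; returns an HTTP-style status.

    Authentication (who is calling) and authorization (may they see this
    account) are checked separately, so a valid low-privilege token cannot be
    used to read another user's account by changing the identifier in the URL.
    """
    user = current_user(token)
    if user is None:
        return 401                             # not authenticated
    if user != account_owner and USERS[user]["role"] != "admin":
        return 403                             # authenticated but not authorized
    return 200
```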