An increasing number of people use mobile apps and tablets to manage personal and sensitive information, so it is particularly important to secure them against vulnerabilities and cyber threats. When it comes to approaching mobile apps in particular, rather than PCs or laptops, the risks software developers face are very different. In fact, securing data and applications on smartphones and tablets is done at the level of hardware, operating system (OS), APIs and applications. The OWASP (Open Web Application Security Project) annually identifies the top 10 mobile app vulnerabilities, which we discuss in more detail in this article.
What is OWASP
OWASP (Open Web Application Security Project) is a non-profit foundation committed to improving application security. Founded in 2001, its focus lies on raising awareness, training and developing tools and resources to help software developers, security testers and security professionals improve application security.
OWASP is known for its annual Top 10 list, which features the most common vulnerabilities in mobile applications. This list is widely used in the IT security industry as a guide to identify and mitigate security risks in mobile applications. In addition, OWASP provides open source mobile security tools, resources and guides, including the popular OWASP ZAP (Zed Attack Proxy) web security tool suite, which helps developers and security testers identify and fix security vulnerabilities in applications.
OWASP is therefore an important and well-respected organisation in the application security community, providing useful resources and tools to improve the security of mobile applications worldwide. So let's see what the top 10 vulnerabilities to watch out for in 2023 are.
Secure apps: 10 vulnerabilities to consider during the development phase
1 Improper platform usage
This vulnerability refers to the misuse of a platform and describes a number of possible security problems.
For example, a mobile application could use an operating system feature that is not designed to be used securely, such as the execution of system commands by an unauthorised user. This could allow an attacker to execute malicious code on the system and compromise the security of the user's data. Another typical example is granting an app far more permissions than it needs. If a torch app requests access to a user's address book, photos or location, this can already be understood as an attack on personal data.
2 Insecure data storage
This concerns access to the file system of mobile devices by third parties, for instance after a theft or if one is distracted during a security check at an airport or border control. Attackers can then exploit vulnerabilities in the operating system and install malware to be able to read the data in the future. Full device encryption only protects when the device is switched off; flight mode is not sufficient.
For instance, a mobile application could store users' passwords in plain text, making them accessible to attackers in case of unauthorised access. In addition, sensitive data could be stored in a weak or vulnerable format, making it easily accessible to attackers.
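The plain-text password storage described above, beside a hardened form that persists only a salted, slow hash, as an added example that is not part of the original article. The record layout, the scrypt cost parameters and the `leaks_password` check are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed example: a local credential record as a mobile app might
# persist it in a preferences file. Not the article's own code.

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1  # assumed cost parameters (~16 MiB)


def store_plaintext(username: str, password: str) -> dict:
    """Insecure form: the password is written to storage as-is, so anyone
    who can read the app's files (stolen device, backup, malware) has it."""
    return {"user": username, "password": password}


def store_hashed(username: str, password: str) -> dict:
    """Hardened form: store a random salt and a memory-hard hash instead.
    The password itself never reaches storage; a leaked record yields only
    the hash, which must be brute-forced at scrypt cost per guess."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return {"user": username, "salt": salt.hex(), "hash": digest.hex(),
            "kdf": f"scrypt:n={SCRYPT_N},r={SCRYPT_R},p={SCRYPT_P}"}


def verify(record: dict, password: str) -> bool:
    """Recompute the hash with the stored salt; compare in constant time
    so the check itself does not leak how many bytes matched."""
    digest = hashlib.scrypt(password.encode(),
                            salt=bytes.fromhex(record["salt"]),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(digest.hex(), record["hash"])


def leaks_password(record: dict, password: str) -> bool:
    """Review check on a pulled storage file: does the serialised record
    contain the password verbatim? True means insecure data storage."""
    return password in json.dumps(record)


if __name__ == "__main__":
    weak = store_plaintext("alice", "hunter2")
    strong = store_hashed("alice", "hunter2")
    print("plaintext record leaks password:", leaks_password(weak, "hunter2"))
    print("hashed record leaks password:", leaks_password(strong, "hunter2"))
    print("verify correct password:", verify(strong, "hunter2"))
    print("verify wrong password:", verify(strong, "Hunter2"))
```

Because the salt is random, two hashed records for the same password differ, so an attacker cannot spot reused passwords across records either.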
3 Insecure communication
Insecure communication describes the risk that developers do not protect network data traffic or do not protect it properly via TLS (Transport Layer Security) or HTTPS. Developers must be aware that mobile devices exchange data via many other interfaces besides network data traffic via WLAN or mobile radio, such as Bluetooth, SMS, e-mail, USB, NFC, camera or voice input.
4 Insecure authentication
This vulnerability occurs when attackers manage to impersonate an app or the backend servers, for instance by tricking the logic that verifies identity information. For developers, it is important to know that the use of TLS should not be dispensed with, even if it is not a panacea on its own.
5 Poor cryptography
This area includes security gaps that occur due to insecure cryptographic procedures used by developers. The cause is often weak or outdated and therefore potentially insecure algorithms, or the app uses cryptography improperly, such as storing encryption keys in an insecure manner. Developers should therefore use tested and existing cryptographic procedures.
6 Insecure authorisation
Insecure authorisation allows, for instance, an unauthorised user to access restricted functionalities or to view sensitive data, or it could allow a user to perform operations for which he or she does not have the necessary authorisations.
7 Poor client code quality
Flawed or poor-quality programming makes apps vulnerable to data theft. Installing spyware, or even a single call that silently loads spyware in the background, can give an attacker full control of the end device. Poor third-party software or vulnerable programming languages can adversely affect the quality of the code and should be avoided.
8 Code manipulation
If the functionality of an application can be reconstructed, it can also be manipulated. Attackers can steal intellectual property, circumvent licence controls or distribute app clones enriched with malicious code. Root or jailbreak detection, as is often the case for banking apps, or the SafetyNet API for Android devices, for instance, make attacks more difficult and reduce the risk.
9 Reverse Engineering
Reverse Engineering occurs when an attacker attempts to decompile the application to analyse the source code, identify vulnerabilities and develop targeted attacks. This may allow the attacker to access the application's confidential functionality, manipulate the flow of data or compromise the user's security.
10 Extraneous functionality
Extraneous functionality occurs when a mobile application contains unnecessary or unused functionality that may pose a security risk to the application. For example, a debugging functionality that has not been disabled or an undocumented backdoor function can be exploited by an attacker to access confidential data or compromise the security of the application.
Mobile app development requires the adoption of a whole series of good practices, as well as awareness of the existence of important vulnerabilities identified by organisations such as OWASP. Since each of the identified vulnerabilities can pose a real risk to the security of the app itself and to the sensitive data of users, it is therefore important that developers take the necessary measures to prevent security attacks. Developing secure mobile apps is certainly not child's play; it requires time, attention and appropriate skills, but it is certainly not impossible. By implementing best practices and keeping in mind the highlighted vulnerabilities of OWASP, developers can create secure mobile apps that offer a great user experience while protecting user data.
If you need support in the development of secure and high-quality mobile apps, please do not hesitate to contact us. Our team of developers can provide you with customised solutions for creating secure and functional mobile apps, with the utmost attention to user data security.