At the recent Viet Nam Mobile Day 2019, CyRadar’s representative, Mr. Ha Trung Hieu – Security Service Director, had shared about common security holes in developing mobile apps.

Sensitive user data leaks have been all over the media in these recent years, due to hackers’ activities over security holes. A quick survey in 2018 from NowSecure had pointed out that, 85% of 45,000 apps on Android and iOS (out of over 5 million ones in total) include security holes, especially those that are in TOP 10 OWASP.

With years of experience in app testing, CyRadar specialists had listed out 5 common securities holes that Vietnamese app developers often face:

1. OTP

OTP is an important and common solution throughout various financial apps, with its target being safety ensurance for online transactions. Deployment of this solution, however, often incurs errors during Generating, Storing, Managing and Verification of OTPs.

This is sadly not limited to Viet Nam, as these errors are mutual even among large international organizations. Following are common mistakes that lead to invalid OTPs:

  • OTPs are too simple, the most common being 4 characters (which can be solved within 2 minutes on a common laptop)
  • OTP expiration time is too long (some organizations allow up to 5 minutes)
  • One time use to permanent use
  • No invalid OTPs even after multiple failed attempts

By making use of these mistakes, hackers can easily obtain users’ accounts.

2. Storing too much sensitive data prior to launching

Sensitive data can include (but not limited to) Private Keys, API Keys, test accounts, and default accounts saved in the source codes… Such information can easily lead to utilization by hackers in future attacks.

3. No encryption before launching

The third prevalent risk lies within the lack of encryption for source codes. While all iOS-based apps are protected by Digital Right Management, up to 62% of Android apps hold no protection or are severely lacking, which leads to easy analyzation and copying of these apps. It is important to note that while encryption may not be the best method to prevent attacks, it is quite a deterrent.

4. Mobile apps inflicted by SQL Injection, XSS in Web View activities, or suffer from Remote Code Excution,…

In a similar way to web applications, CyRadar specialists detected SQL Injection, XSS in Web View activities, Remote Code Excution,… in mobile apps. In some cases, coders even forget to delete hidden activities meant for debugging and easy management. All these may lead to data altering and verification surpassing from hackers.

5. Bad points in API servers

API Server and Backend are the backbones of current mobile apps, and bad points are common in these. At this, hackers’ jobs are to detect these bad points, and from that harm your app or even the entire system. One bad point is the lack of SSL/TLS, leading to potential eavesdropping and data stealing (Man in the Middle) via the connection between API and the app. Another is Google or Amazon-based storages for storing of Logs and static data, which leads to weak security terms that hackers can use to access stored information. Usually, APIs have to face SQL Injection and XML Injection risks as they often lack data testing. We also have possible holes that arise from API processing Web Servers, which may store folder [.git] while changing from develop to production. From this, hackers can easily pull the source code, detect holes, and rip off sensitive data stored in this folder.

Furthermore, API serves often have unlimited access to other service portals. The Allow ALL mindset is often applied for easy user management, however, unpredictable risks may arise out of it. Examples include service portals SSH, RDP, MySQL, MongoDB, Solr, Elastic Search, and so on.

Mr. Ha Trung Hieu also introduced a manual method, as well as an automatic method model for app testing utilized by CyRadar. The models are acclaimed by multiple experienced and qualified specialists.

As cybercrimes grow more sophisticated, developers and testers must detect and rectify all security holes before hackers catch wind of them.

Source: CyRadar

Related posts: