The Open Web Application Security Project (OWASP) has listed Improper Platform Usage as the leading cause of vulnerability in Mobile Applications. As smartphones get more sophisticated, so does the demand for rich and integrated user experiences.
Even though Android and iOS have well-documented Software Development Kits, you should be aware of the security trade-offs that come with them as a developer.
Let us now explore various aspects of improperly utilising a platform:
Improper Platform Usage
Improper platform usage is the practice of not using well-documented platform-specific features as intended, coupled with the failure of platform-specific security controls. For the sake of simplicity, this can be broken down into three broad categories:
- Violation of Published Guidelines
- Violation of Convention or common best practices
- Unintentional Misuse of specific features
While some mobile applications have the best of intentions, their implementation falls short. For instance, setting the incorrect flag during an API request or misinterpreting how protections work etc., can be prime examples of lapses in security due to improper platform usage.
What Are the Risks of Improper Platform Usage?
Mobile applications are complex as they interact with system services to function properly and also need access to the hardware on a device. They may also interact with other applications based on their features and unintended usage.
Improper Platform Usage can create security weaknesses in your mobile applications. As a developer, you must realise that mobile applications usually have complete access to operating and file systems.
This is why any security vulnerability can give threat agents complete access to a mobile device. Furthermore, if there is an unsecured API call, you can also give threat agents easy access to your servers.
The Threats and Impacts
The impact of a security lapse in a mobile application can have severe consequences, such as identity theft and fraud etc.
Here is a real-world example of how improper platform usage can leave certain platform-specific features open for misuse:
Apple’s Touch Id is considered state-of-the-art by most. There were three apps found on the Apple Store that managed to exploit this very security feature and steal money right from under their users’ noses.
The apps in question were posed as health assistants that used in-app pop ups to charge money from customers. The customers themselves provided the necessary authorization when they scanned their fingerprints in the area indicated by those apps.
How To Prevent Improper Platform Usage?
You can prevent security lapses due to Improper Platform usage by adhering to platform-specific development guidelines. As developers, familiarising yourself with SDKs, APIs and built-in libraries will eliminate reliance on third-party libraries or building a custom code from scratch.
Android, IOS and Windows have very specific security guidelines recommended by the manufacturer. Not complying with them will expose your mobile application to unnecessary security risks.
Take this, for example, in IOS, the Keychain is the best practice for secure storage for both app and system data. It has specific functions of the keychain services API that allow you to work with keychain items securely.
The keychain item can be session keys, passwords or any other information that should be stored securely. Now here is a well-defined guideline prescribed by the manufacturer.
If you deviate from this and happen to store all of the above sensitive information unencrypted in the local app storage, then you have just misused the platform and left the app open to security breaches.
Here are a few best practices to follow to avoid improper platform usage.
iOS Keychain Best Practices
Allow Keychain encryptions via the server route only, and keep the encrypted keys in a single device so that they cannot be exploited in other devices or the server. Secure the app by storing the app’s secret in the Keychain, which should have its own access control list. The OS can enforce the access control list’s user authentication policy.
iOS Android Intent Best Practices
Take the permissions route to limit which apps can communicate, thereby effectively blocking all non-whitelisted traffic attempts. Another option is to disable the export option for intents with the Android framework for either or all of the activities, services, and broadcast receivers so that Android components that have no reason to communicate with the app are kept from the start.
Android Intent Sniffing Best Practices:
This leakage can be avoided by defining explicit intents in which the intent object is clearly defined, preventing any other component from accessing the information contained in the intent. Also, before making the app public, thoroughly check the file permissions to ensure that all necessary permissions are in place.
So, this was M1: Improper Platform Usage – OWASP Foundation has identified it as the primary risk to the security of mobile applications across all mobile frameworks.
No one is infallible, but as mobile developers, a simple increase in awareness of the readily available best practices that go along with them can help you mitigate security risks in mobile applications.
AppSealing making a difference
AppSealing helps to mitigate the risks associated with misuse of operating system features or improper implementation of mobile app platform security controls. Tackling threats like data leakage, intent sniffing, iOS keychain risk etc, it stops hackers and threat actors from exploiting or manipulating unsecured data or processes in a device.
Moreover, being a leader in robust security choice for in-App Protection for Android and iOS mobile applications, you get a security layer on top of the binary.