Insecure authorization was listed as the 6th leading cause of vulnerabilities in application security by the Open Web Application Security Project (OWASP) in 2016.
In 2021, Authorization vulnerabilities had risen to the top of the list as the leading cause of vulnerabilities in application security. This indicates that understanding authorization vulnerabilities is an issue mobile application developers must take seriously.
What Is Insecure Authorization
Insecure authorization arises as a result of poor privilege management within an application that allows users to perform actions that they ideally should not be allowed to do. This should be distinct from insecure authentication. Insecure authentication enables users to get into systems they should not be able to. In contrast, insecure authorization gives privileges to verified users who should otherwise not have them.
How Insecure Authorization Works
To understand mobile app Authorization vulnerabilities, knowing how privileges work in a mobile application is essential. Simply put, privileges are a set of permissions that allows a user to perform specific tasks within the mobile application.
The reason why insecure authorization leads to the most vulnerabilities in mobile applications is that as the application gets complex, it becomes harder to implement due to an increase in the complexity of roles and privileges.
Authorization vulnerabilities are often described as a form of privilege escalation. They are broadly classified into two types:
- Horizontal Privilege Escalation: This occurs when one user can access another user’s resources with similar privileges.
- Vertical Privilege Escalation: This occurs when an average user gains the privileges of another user at a higher level in the security hierarchy. This would include system administrators.
It is important to remember that authentication and authorization, while different, go hand in hand. If an application cannot authenticate a user correctly, then the application automatically suffers from insecure authorization.
Here are a few aspects which can assist in determining if a mobile application suffers from insecure authorization:
- If a mobile application allows a user to perform actions without verifying the resource owner, the application might suffer from Insecure Direct Object Reference(IDOR) vulnerabilities.
- If specific critical resources are left unprotected due to the lack of proper access control Authentication or if it is assumed that unauthorized users will not be able to access certain hidden functionalities, it might lead to insecure authorization.
- It might lead to vulnerabilities if the application enforces authorization and authentication on the client’s rather than on the server’s end.
- If, by design, a mobile application transmits user roles backend as part of a system request.
Examples of Insecure Authorization
Here are a few scenarios to help you understand how Insecure authorization can be exploited in mobile applications:
Vulnerability Due to Insecure Direct Object Reference:
Let us begin with what an endpoint is: An endpoint is typically a Uniform Resource Locator (URL) that provides the location of a resource on the server.
When a user makes an endpoint API request to the backend REST API, it contains the Actor ID and the OAuth bearer token.
Suppose the application is designed, so the backend verifies only the bearer token and not the associated Actor ID. In that case, a threat agent can then tweak the user id to gain access to other users’ information using multiple backend REST API requests.
For example, an IDOR vulnerability was found in the Facebook Business Manager endpoint that allowed threat agents to modify limited permissions to the Facebook pages, causing page owners to lose admin access to their business pages.
Vulnerability Due to the Ability to Bypass Privileges:
Certain privileges that are location-based can easily be bypassed. Take OTT platforms, for example, wherein certain content is only available to users of a specific location.
Using a proxy or a VPN, users from around the globe can set their location to a particular region and view location-specific content.
The Risks and Impact of Insecure Authorization
Insecure authorization can leave an organisation vulnerable on multiple fronts.
- From a security standpoint, Insider threats can significantly benefit from authorization vulnerabilities. It can also lead to scenarios where an over-privileged user unintentionally executes actions that can lead to a catastrophic leak or loss of sensitive data.
- From a business standpoint, they could be looking at irreversible reputational damage. Unauthorized access to sensitive user data can also give way to Identity Theft and fraud and leave you open to potentially expensive lawsuits.
How to Prevent Insecure Authorization?
Insecure authorization can be prevented by implementing basic checks into the application workflow.
- Avoid designing the mobile application in a manner where information about an authenticated user’s roles and permissions comes from the mobile application itself.
- The application should be designed to store all user role and permission information in the backend, and an authenticated user’s permissions should be verified with the same.
- All incoming identifiers associated with an operation should be independently verified with the roles and permission identifiers stored in the backend.
Final Thoughts
Insecure authorization demands extra attention from mobile application developers during the development phase of any application. Understandably, the implementation can get complicated in overly complex mobile applications. Still, penetration testing software can detect these authorization vulnerabilities and should be addressed to secure your mobile applications.