In AppSealing Blog, AppSealing News

OWASP Top 10 Mobile Application Risks

Every now and then, the Open Web Application Security Project (OWASP) releases a list of Top 10 security threats in the mobile and web application space. OWASP started as an online community in 2001 to make developers aware of malicious security threats to web applications. Soon it became popular and its resource material and threat lists became industry standards for developers to refer to. Since it is a community-driven initiative and not governed by commercial interests, the list of security threats tends to be comprehensive, reliable and endorsed by domain experts.

The latest OWASP Mobile Top 10 list was released in 2016. (However, a 2017 release candidate version is available for web apps, many of whose recommendations are applicable for mobile apps due to increased convergence between the two.) This list outlines major risk and critical areas that need to be attended to on priority to protect applications in a highly insecure environment. Mobile developers around the world vouch for the OWASP Top 10 list for protecting their mobile apps against the listed risks as the first line of defense.

According to a report by BetaNews, a security vulnerability is so common even in most trusted mobile apps that among the top 30 most downloaded apps, a whopping 94% contain three or more high-risk security holes. The situation is so alarming that even popular Android antivirus software fails to protect mobile apps. A recent test by the independent testing organization AV-Comparatives found that two-thirds of Android antivirus apps block less than 30 percent of threats.

It is important to note that mobile threat perception is changing rapidly just as the architecture of mobile and apps is changing. The 2017 RC list of OWASP notes that the developer’s propensity to give the user a great experience means that app source is no longer located in secure servers but have moved to untrusted browsers due to popularity of modern web frameworks, such as Bootstrap, Electron, Angular, React, etc. OWASP has developed a community-driven risk-rating methodology for organizations so that apps can be protected against threats well before they enter the production cycle. A security risk is generally identified as the likelihood of it happening multiplied by the impact it can have on the organization. The impact is further measured in technical terms and business terms.

The Top 10 Risks

Let us have a detailed look at how OWASP defines threats to mobile apps and how to counter them.

M1: Improper Platform Usage

AppSealing prevents app launch and protects the app in a rooted device. Android emulator detection also prevents app launch in an insecure app environment. All app components are hash validated with the highest cryptographic standards.

Read our Blog on how to protect your Applications in Rooted Devices.

M2: Insecure Data Storage

OWASP suggests that data stored in the app is encrypted with AES-256 and SHA-256 algorithm, rendering all data (data in-app as well as that stored by the app on the device) safe and eliminating any chance of misuse in the event of a compromise.

M3: Insecure Communication

Hackers often exploit the communication done through APIs by snooping on the network and capturing the data communicated between the device and the server. Developers should adopt best practices in masking the data to prevent Man in the Middle (MITM) attacks and adopting SSL certification. A good security service should add a security layer that ensures proper session handling and scans the network for any “packet sniffers” to block app launch.

M4: Insecure Authentication and M5: Insecure Authorization

These categories involve weaknesses in both the authentication process and session handling. If not properly handled, hackers can directly connect to servers and deploy malware to “infect” data. Some mobile apps use offline authentication, which can be further exploited by hackers. Proper user profiling and management, user access restrictions, and server-side authentication help deal with these threats.

M6: Insufficient Cryptography

Mobile assets should be encrypted end-to-end to protect them in the event of an attack and stop hackers from stealing sensitive data and revenue-sensitive intellectual property. Anti-debugging and anti-decompile enable full source code encryption and binary protection. The keys are managed in a secure manner. This makes data decryption and misuses highly impossible, even if stolen. Code obfuscation technique jumbles the entire app codebase and library.

M7: Integrity Protection, Code Encryption & M8: Code Tampering

App’s integrity should be ensured end to end through integrity scans to be performed at regular intervals, which should ensure protection against extraneous functionality. Compatibility with third-party libraries ensures all-round protection of code against possible exploitation. Anti-memory dump and memory resource leaks should be handled properly by a security service like AppSealing. The developer must ensure that the app is safe even if it is in the offline mode. There should be an ever-listening security shield to disable any attempts to tamper the code. Inadvertent access to any authorized section can be checked and properly handled in this way.

M9: Reverse Engineering

Anti-debugging and anti-decompiling from AppSealing ensure that the app is safe from getting reverse engineered. AppSealing prevents intruders from laying hands over the final app binary through code obfuscation.

Read our Blog on how to stop apps from being Reverse Engineered.

M10: Extraneous Functionality

Developers include hidden backdoor functionality or other internal development security controls that are not intended to be released into a production environment. For example, a developer may accidentally include a password as a comment in a hybrid app. Another example includes the disabling of 2-factor authentication during testing.

The AppSealing Security Layer

AppSealing’s security service provides a comprehensive, effective, and hassle-free no-code approach to protect both Android and iOS mobile apps against many common risks listed in the OWASP Top 10 list. AppSealing applies the security layer directly to the app binary and protects it without impacting its performance or battery usage.

Through smart reporting and intelligent dashboards, AppSealing provides insightful reports to businesses in real-time. It protects your mobile app against many vulnerabilities mentioned in the OWASP Top 10 list of mobile risks.

For more information, start your free trial and experience the power of AppSealing first hand in protecting your mobile apps.

Govindraj Basatwar
Govindraj Basatwar
Govindraj is a Global Sales Head for AppSealing at INKA Entworks. He keenly follows the innovation and development in cybersecurity, IT, content and application security, and software development, and loves to educate everyone about the what, why, and how of major incidents in the cybersecurity world. His views on industry trends and best practices have been featured in articles, white papers, and had been a keynote guest at multiple security events.

Leave a Comment

Stop Mobile App HackingPentesting vs Vulnerability