Mobile Device Attack Vectors
Mobile apps usually involves a three tier architecture. The mobile app, the API backend, and its associated database. We will be mainly concerned with attacks on the client side.
Mobile device threats
- Application data at rest
- Application data in transit
- Vulnerabilities in code
- Data leaks in the app
- Platform specific issues
Threats at the backend
- Authentication/Authorization
- Session management
- Input validation
- Improper error handling
- Weak cryptography
- Attacks on the database
OWASP provides guidelines for testing and securing mobile apps. They have come up with the OWASP Mobile Top 10 guidelines.
Another organisation, Veracode
also offers mobile security and testing guidelines.
OWASP Mobile Top 10 Risks
OWASP have come up with the following guidelines, we will cover them in depth in OWASP Mobile Top 10 Risks
- M1: Weak Server-Side Controls
- M2: Insecure Data Storage
- M3: Insufficient Transport Layer Protection
- M4: Unintended Data Leakage
- M5: Poor Authorization and Authentication
- M6: Broken Cryptography
- M7: Client-Side Injection
- M8: Security Decisions via Untrusted Inputs
- M9: Improper Session Handling
- M10: Lack of Binary Protections