Mobile application security: Part 2
1 min read, Oct 19, 2021
1) Cryptography:
- Use of encoding (e.g. Base64) instead of encryption
- Weak cipher suites
- Weak encryption keys (low entropy, derived from PINs or hard-coded values)
- Insecure storage of encryption keys
- Improper usage of cryptographic algorithms (ECB mode, static IVs, home-grown schemes)
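The first two items above (encoding mistaken for encryption, weak keys) are the ones most often found in cached app data. The following is an added Python example, not code from the original post: it shows that a Base64 "protected" record is recovered without any key, and that a key derived from a 4-digit PIN with a single unsalted hash is recovered offline by trying all 10,000 PINs against the record's authentication tag. The record, PIN and HMAC-based sealing are constructed for the demonstration; a real app would pair the MAC with authenticated encryption and keep a random key in the platform key store.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample record, like something a mobile app might cache locally.
SAMPLE_RECORD = b'{"user":"alice","refresh_token":"rt-0123456789"}'


def encode_only(data: bytes) -> bytes:
    """Base64 is an encoding, not encryption: anyone can reverse it."""
    return base64.b64encode(data)


def reverse_encoding(blob: bytes) -> bytes:
    """No key is needed to recover the original bytes."""
    return base64.b64decode(blob)


def weak_key_from_pin(pin: str) -> bytes:
    """Weak: unsalted, single fast hash of a 4-digit PIN (10,000 possibilities)."""
    return hashlib.sha256(pin.encode()).digest()


def strong_key_from_pin(pin: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Better: salted, deliberately slow derivation (PBKDF2-HMAC-SHA256).
    The PIN is still low entropy, so pair this with attempt limiting."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)


def random_key() -> bytes:
    """Best: 256-bit random key generated on device and kept in the platform
    key store (Keychain / Android Keystore), never derived from user input."""
    return secrets.token_bytes(32)


def seal(key: bytes, data: bytes) -> bytes:
    """Authenticate the record with HMAC-SHA256 (integrity only; combine with
    authenticated encryption such as AES-GCM for confidentiality)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(seal(key, data), tag)


def brute_force_pin(data: bytes, tag: bytes) -> Optional[str]:
    """Attacker holding the cached record and its tag tries every PIN offline."""
    for candidate in range(10_000):
        pin = f"{candidate:04d}"
        if verify(weak_key_from_pin(pin), data, tag):
            return pin
    return None


def demo() -> dict:
    blob = encode_only(SAMPLE_RECORD)
    pin = "4831"  # constructed user PIN
    weak_tag = seal(weak_key_from_pin(pin), SAMPLE_RECORD)
    return {
        "encoding_reversible": reverse_encoding(blob) == SAMPLE_RECORD,
        "recovered_pin": brute_force_pin(SAMPLE_RECORD, weak_tag),
        "random_key_bits": len(random_key()) * 8,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` recovers the PIN in well under a second; with `strong_key_from_pin` the same search costs 100,000 hash iterations per candidate, and with `random_key` there is nothing to enumerate at all.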
2) Network:
- Client-server communication in plain text
- Self-signed or untrusted certificates accepted
- Weak certificate validation (hostname or chain checks disabled)
- SSL/certificate pinning or public-key pinning missing or bypassable
- End-to-end encryption
- Push notifications carrying sensitive data
3) Authentication and Authorization:
A. Improper session handling
- Improper timeout handling for sessions (no idle or absolute expiry)
- Token generation on the client side
- Weak token generation algorithm (predictable or low-entropy tokens)
- Same session ID kept after a change in privilege
B. Insecure Authentication
- Storing credentials for the "Remember me" functionality
- Weak passwords
- Spoofable parameters
- Hard-coded keys
- Client-side authentication used in place of server-side authentication
- Improper usage of Face ID or other biometric security
C. Insecure Authorization
- Broken access control
- Authorization decisions based on inputs from untrusted sources
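The session-handling items above (timeouts, client-side or weak token generation, keeping the same session ID across a privilege change) are easiest to see side by side. The following Python example is added here and is not code from the original post. It constructs a weak token generator seeded from the clock and shows an attacker recovering its seed from one observed token, then a small server-side session store that issues 256-bit CSPRNG tokens, enforces idle and absolute timeouts, and rotates the session ID on privilege elevation. The timeout values and the `SessionStore` API are assumptions for the demonstration.

```python
import hmac
import random
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

IDLE_TIMEOUT = 15 * 60        # seconds without activity before a session dies (assumed)
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime (assumed)


def weak_token(now: float) -> str:
    """Weak: PRNG seeded from the wall clock, so the token is a pure function
    of the second in which it was issued."""
    rng = random.Random(int(now))
    return "%016x" % rng.getrandbits(64)


def guess_weak_token(observed: str, approx_issue_time: float, window: int = 300) -> Optional[int]:
    """Attacker who knows the issue time to within `window` seconds replays
    the generator for every candidate second until the output matches."""
    base = int(approx_issue_time)
    for seed in range(base - window, base + window + 1):
        if hmac.compare_digest(weak_token(seed), observed):
            return seed
    return None


def strong_token() -> str:
    """Server-side, CSPRNG, 256 bits: not predictable and not derived from client data."""
    return secrets.token_urlsafe(32)


@dataclass
class Session:
    user: str
    privilege: str
    created: float
    last_seen: float


@dataclass
class SessionStore:
    """Server-side store: the client only ever holds an opaque token."""
    sessions: Dict[str, Session] = field(default_factory=dict)

    def create(self, user: str, privilege: str, now: float) -> str:
        sid = strong_token()
        self.sessions[sid] = Session(user, privilege, now, now)
        return sid

    def validate(self, sid: str, now: float) -> Optional[Session]:
        """Returns the session if it exists and neither timeout has elapsed;
        expired sessions are removed rather than left lying around."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            del self.sessions[sid]
            return None
        s.last_seen = now
        return s

    def elevate(self, sid: str, new_privilege: str, now: float) -> Optional[str]:
        """A privilege change issues a fresh ID and invalidates the old one,
        so a token captured at the lower privilege cannot ride along."""
        s = self.validate(sid, now)
        if s is None:
            return None
        del self.sessions[sid]
        new_sid = strong_token()
        self.sessions[new_sid] = Session(s.user, new_privilege, s.created, now)
        return new_sid

    def logout(self, sid: str) -> None:
        self.sessions.pop(sid, None)


if __name__ == "__main__":
    issued_at = 1_700_000_000.0  # constructed issue time
    token = weak_token(issued_at)
    print("weak token seed recovered:", guess_weak_token(token, issued_at + 120))
    store = SessionStore()
    sid = store.create("alice", "user", issued_at)
    print("rotated on elevation:", store.elevate(sid, "admin", issued_at + 60) != sid)
```

The weak generator is broken even if the attacker's clock is off by minutes, because the search window is tiny; the strong store is only as good as the rule that the server alone mints and validates tokens.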
4) Data:
A. Unintended data leakage
- Response caching
- Keyboard caching
- Pasteboard caching
- Background snapshot caching
- Logging sensitive information
- Sending sensitive information to third-party analytics
- Usage of cookies
B. Insecure data storage:
- Plaintext storage of credentials or sensitive information
- Storage in files
- Storage in databases
- Keychain usage
- File/data protection mechanisms
5) Other development practices:
A. Lack of binary protection
- Code obfuscation
- Protection from debuggers
- Jailbreak/root detection handling
- Runtime injection
B. Reverse engineering
- ProGuard or DexGuard
- Code information leakage
- Emulator detection
C. Code tampering
- Data backup
- Tampering detection: checksums or digital signatures
D. Extraneous functionality
- Autofill of passwords
- Debugging features should be disabled in release builds