Mobile application security: Part 2

Mahesh Asabe
1 min read · Oct 19, 2021

1) Cryptography:

  1. Use of encoding instead of cryptography
  2. Weak cipher suites
  3. Weak encryption keys
  4. Insecure storage of encryption keys
  5. Improper usage of cryptographic algorithms

2) Network:

  1. Client-server communication in plain text
  2. Self-signed or untrusted certificates
  3. Weak certificate validation
  4. SSL pinning or public key pinning
  5. E2E encryption
  6. Push notifications

3) Authentication and Authorization:

A. Improper session handling

  1. Improper timeout handling for sessions
  2. Token generation at client side
  3. Weak token generation algorithm
  4. Same session ID but change in privilege

B. Insecure Authentication

  1. Storing credentials for "Remember me" functionality
  2. Weak passwords
  3. Spoof-able parameters
  4. Hard-Coded keys
  5. Client-side authentication instead of server-side authentication
  6. Improper usage of Face ID or biometric security

C. Insecure Authorization

  1. Broken access control
  2. Inputs from untrusted sources

4) Data:

A. Unintended data leakage

  1. Response caching
  2. Keyboard caching
  3. Pasteboard caching
  4. Background snapshot caching
  5. Logging sensitive information
  6. Logging sensitive information to third party analytics
  7. Usage of cookies

B. Insecure data storage:

  1. Plain storage of credentials or sensitive information
  2. Storage in files
  3. Storage in database
  4. Keychain
  5. File/Data protection mechanism

5) Other development practices:

A. Lack of binary protection

  1. Code obfuscation
  2. Protection from debuggers
  3. Jailbreak handling
  4. Runtime injections

B. Reverse engineering

  1. ProGuard or DexGuard
  2. Code information leakage
  3. Emulation detection

C. Code tampering

  1. Data backup
  2. Tampering detection: checksums or digital signatures

D. Extraneous functionality

  1. Autofill passwords
  2. Debugging feature should be disabled
