Transaction apps, enterprise apps, wallets, and in fact all start-ups and enterprise firms expect one common thing from their mobile apps: security. They want their app to be able to withstand all the security flaws that could cause them financial or fraud losses. Android may have more flaws than iOS, but iOS is indeed more secure for such apps in comparison with Android apps. In this post I am going to introduce 10 security flaws that can harm your apps.

1. IDS (Insecure Data Storage) : Apple protects the data on an iOS device in many ways, but persisting data in local storage is still the biggest security flaw in case your phone is lost or stolen, because whoever finds or steals the device can expose that data. You should therefore avoid storing any financial data on the iOS device beyond the system file data the app requires for its functional tasks.

2. Weak Server Side Control : Most of the time, sharing confidential data from app to server or vice versa is secure, but before doing so you should be aware of some important steps: positive input validation, normalization of all client data, use of regular expressions, and so on. Encoding untrusted data is also a feasible mitigation for this flaw.

3. Poor Transport Layer Protection : Eavesdropping is the most common attack on any networked application, and this security flaw allows an attacker to capture a user's personal data. To reduce this attack you should use SSL/TLS encryption in your application (keep in mind that your app will in any case use Wi-Fi networks, which are the most common place eavesdropping happens). Use session tokens and authentication tokens while communicating.

4. Client Side Injection : Exploiting URL schemes to send premium text messages or place toll phone calls is the common example of this security flaw, where data injection attacks happen. This flaw is as real in mobile apps as it is in web applications. To stop it, apply more validation to the URLs your app is going to use, and keep an eye on your UIWebView in case you are using one in your app.

5. Poor Authentication : Some servers are not high-end from a security point of view, and in some cases they make the authentication and authorization problem worse. As a solution, avoid using the UDID, IP number, MAC address or IMEI number in your code to identify a user or session. Implement strong server side authentication, authorization, and session management.

6. Unwarranted Session Handling : Session handling is obviously a server task, but iOS devices face problems in many ways; for example, session token expiration times are longer in mobile apps than in web apps. Developers should take care of this and always use a trustworthy source for generating session tokens.

7. Security Choice by Untrusted Aid : iOS doesn't allow apps to communicate with each other, although some channels exist that an attacker can reach through data injection attacks or malicious apps. To secure your app, a combination of input validation, output escaping, and authorization controls can be used against these weaknesses.

8. Side Channel Data Leakage : This flaw refers to data I/O generally used for administrative or non-functional (indirect) purposes, such as web caches (used to optimize browser speed), keystroke logs (used for spell checking), and similar. Apple's iOS presents several opportunities for side channel data to inadvertently leak from an app, and that data is often available to anyone who has found or stolen a victim's device. Most of these can be controlled programmatically in an app.

9. Broken Cryptography : Never "hard code" or store cryptographic keys where an attacker can trivially recover them. This includes plaintext data files, properties files, and compiled binaries. Use secure containers for storing crypto keys; alternatively, build a secure key exchange system where the key is controlled by a secure server and never stored locally on the mobile device.

10. Sensitive Information Disclosure : Sensitive data can leak out of iOS apps. Among other things to remember at all times, each app's compiled binary code is available on the device and can be reverse engineered by a determined adversary. Anything that must truly remain private should not reside on the mobile device; keep private information (e.g., algorithms, proprietary information) on the server. If private information must be present on a mobile device, ensure it remains in process memory and is never left unprotected if it is stored on the device.
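As an added illustration of points 1, 9 and 10 (example code, not from the original post): the insecure pattern of a hard-coded key and a session token saved to UserDefaults, beside storing the same secret in the iOS Keychain, bound to this device and readable only while it is unlocked. The service name `com.example.app.session` and the sample token are assumed placeholders.

```swift
import Foundation
import Security

// Insecure pattern the post warns against: a hard-coded key in the binary and
// a session token dropped into UserDefaults (a plist that is readable from a
// backup or from a lost, stolen or jailbroken device).
enum InsecureStore {
    static let apiKey = "sk_live_EXAMPLE_PLACEHOLDER"   // placeholder; never ship a real key
    static func saveToken(_ token: String) {
        UserDefaults.standard.set(token, forKey: "sessionToken")
    }
}

// Hardened replacement: the secret lives in the Keychain, cannot be migrated to
// another device, and is only accessible while the device is unlocked.
enum KeychainStore {
    private static func query(for account: String) -> [String: Any] {
        return [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: "com.example.app.session",   // assumed service name
            kSecAttrAccount as String: account,
        ]
    }

    @discardableResult
    static func save(_ secret: Data, account: String) -> OSStatus {
        var item = query(for: account)
        // Remove any earlier copy so SecItemAdd does not fail with errSecDuplicateItem.
        _ = SecItemDelete(item as CFDictionary)
        item[kSecValueData as String] = secret
        item[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        return SecItemAdd(item as CFDictionary, nil)
    }

    static func load(account: String) -> Data? {
        var item = query(for: account)
        item[kSecReturnData as String] = true
        item[kSecMatchLimit as String] = kSecMatchLimitOne
        var result: AnyObject?
        let status = SecItemCopyMatching(item as CFDictionary, &result)
        return status == errSecSuccess ? result as? Data : nil
    }

    static func delete(account: String) {
        _ = SecItemDelete(query(for: account) as CFDictionary)
    }
}

// Usage: the token is held in process memory and in the Keychain only, never in a plist or the binary.
KeychainStore.save(Data("session-token-from-server".utf8), account: "sessionToken")   // constructed sample token
let token = KeychainStore.load(account: "sessionToken").flatMap { String(data: $0, encoding: .utf8) }
```

Call `KeychainStore.delete(account:)` on logout so the token does not outlive the session the server issued it for.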

Source : OWASP


Image Credit –