With mobile apps so pervasive in the enterprise, it is surprising how little effort goes into finding and fixing common mobile app vulnerabilities. Mobile apps are one more source of the information systems complexity so many organizations struggle with, and the apps used for business can introduce substantial security risk if they are left untested.

Common Security Flaws

Whether it is an internally developed corporate app, a third-party app your employees use for specific business workflows or something in between, it probably has vulnerabilities. The following are common mobile app security flaws I often come across and that you need to be on the lookout for:

  • Login-related weaknesses, such as being able to bypass the login prompt (often because the check is enforced only in the client) and then interact directly with the external Web applications and services the app talks to;
  • Allowing users to create weak passwords — or use no passwords at all — that can subsequently be cracked or guessed and used against the system;
  • Mishandling of sensitive information, such as storing it unencrypted on the device or transmitting it over the network in cleartext;
  • Injection flaws, such as specially crafted requests or queries (SQL, command or script injection) that trip up the app or its backend and cause it to divulge otherwise protected information;
  • Cryptographic keys, API tokens and other secrets hard-coded into the app that can be recovered with mobile forensics tools or by simply extracting strings from the app package.

These are just a few examples, but the possibilities are endless given the growing complexity of mobile computing and mobile security.
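Two of the flaws in the list above, cleartext endpoints and hard-coded secrets, can be caught with a simple static check over the strings of an app binary or decompiled source, which is also the kind of check a source code analyzer automates. The following is an added example, not code from the original article; the scanner, its patterns, the entropy threshold and the sample app bytes are all my own constructions (the `AKIA...EXAMPLE` value is the placeholder key from AWS's own documentation, and the PEM line is only a header), chosen to show the approach rather than to be a complete secret-detection tool.

```python
"""Static check for hard-coded secrets and cleartext endpoints in an app artifact.

Added example: scans raw bytes (an APK's classes.dex, a native library, or
decompiled source) for strings that should never ship inside a client app.
"""
import math
import re

# Constructed stand-in for an app artifact: an ELF-like header, some binary
# padding, and a handful of embedded string constants. Not a real binary.
SAMPLE_APP_BYTES = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b"https://api.example.com/v1/login\x00"   # fine: TLS endpoint
    + b"http://api.example.com/v1/token\x00"    # flaw: cleartext transport
    + b"AKIAIOSFODNN7EXAMPLE\x00"               # flaw: AWS's documented example key id
    + b"0123456789abcdef0123456789abcdef\x00"   # flaw: 128-bit hex key candidate
    + b"-----BEGIN EC PRIVATE KEY-----\n\x00"   # flaw: embedded private key (header only)
    + b"libcrypto.so\x00"
)

# Exact-shape patterns. Each one is a thing a client-side app has no business carrying.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "pem_private_key": re.compile(rb"-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----"),
    "cleartext_http_url": re.compile(rb"http://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s\"'\x00]*)?"),
}

# Assumed thresholds for the heuristic key check: at least 32 hex digits (128 bits)
# and near-uniform digit distribution. Hex tops out at 4.0 bits per symbol.
HEX_KEY_MIN_LEN = 32
HEX_KEY_MIN_ENTROPY = 3.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, estimated from the byte frequency of `data`."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return sum(-(c / n) * math.log2(c / n) for c in counts.values())


def printable_strings(blob: bytes, min_len: int) -> list:
    """Equivalent of `strings -n min_len`: runs of printable ASCII."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def scan(blob: bytes) -> list:
    """Return (kind, text) findings for secrets and cleartext URLs in `blob`."""
    findings = []
    for kind, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(blob):
            findings.append((kind, m.group(0).decode("ascii")))
    # Heuristic: long, high-entropy hex strings are likely embedded keys/IVs.
    # Expect false positives (hashes, UUIDs); these are review candidates, not verdicts.
    for s in printable_strings(blob, HEX_KEY_MIN_LEN):
        if re.fullmatch(rb"[0-9a-fA-F]{%d,}" % HEX_KEY_MIN_LEN, s) \
                and shannon_entropy(s) >= HEX_KEY_MIN_ENTROPY:
            findings.append(("hex_key_candidate", s.decode("ascii")))
    return findings


if __name__ == "__main__":
    for kind, text in scan(SAMPLE_APP_BYTES):
        print(f"{kind:20s} {text}")
```

Run it against `classes.dex` or an unpacked `lib/*/*.so` from the app you are about to deploy (`scan(open(path, "rb").read())`); the `https://` constant correctly produces no finding, while the cleartext URL, the AWS key id, the PEM header and the 32-digit hex string are each reported. A string-based check like this cannot see keys assembled at runtime or obfuscated constants, which is exactly where dynamic and manual analysis pick up.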

Testing for Mobile App Vulnerabilities

Ideally, you’ll want to test for these vulnerabilities as part of your software development life cycle. As for application security testing options, there are source code analyzers (static analysis), tools that run the app in a sandbox or instrumented device and watch its storage, network traffic and API behavior (dynamic analysis) and, my favorite, good old-fashioned manual analysis. Each approach finds flaws the others miss, so all three need to be performed if you wish to uncover everything that matters.

If source-level testing is not an option (i.e., the source code is controlled by a third-party developer or vendor), ask the outside party for a copy of its latest app security vulnerability assessment and penetration test report. Keep in mind that the compiled app you actually deploy can still be tested: dynamic analysis and manual inspection of the app package do not require the source. Another consideration to help protect you is to write security requirements — or at least security testing — into your RFPs and contracts related to mobile app development.

Even with such business risks, I see many organizations that don’t include mobile apps in their information security program. Do they seem too simple to cause harm? Or is it that they’re often out of sight, out of mind?

Whatever the reason, you have to test the security of your mobile apps before a vulnerability is exploited. Someone, somewhere along the supply chain, needs to be responsible. However, it’s ultimately up to you to ensure the testing happens and your mobile app security stays in check. Get started on it now of your own volition before someone else forces you to.
