The Open Web Application Security Project (OWASP) has listed Insecure Authentication as the fourth most exploited risk in mobile applications. Insecure Authentication exploits vulnerable authentication schemes by faking or bypassing authentication. They do so by submitting service requests to the mobile app’s backend server, in order to bypass any direct interaction with the mobile app. The attacker carries out this process via mobile malware within the device or by unleashing botnets.
An eavesdropper could reveal sensitive administrative and encrypted communications if he encounters insecure authentications and unencrypted communications. Such poorly implemented authentication schemes allow the potential adversary to execute functionality within the mobile app or backend server anonymously. Weaker authentication in mobile can arise from a mobile device’s input form factor. Authentication requirements for mobile apps can be quite different from traditional web authentication schemes due to availability requirements. The form factor highly encourages short passwords that are often purely based on 4-digit PINs.
Vulnerability Impact
While Insecure authentication is a commonly prevalent in mobile devices and it undergoes average detectability, its technical and business impacts are severe.
Poor authentication results into the app unable to identify the user performing an action request. The app becomes incapable of identifying the user and will be unable to log or audit user activity. This, in turn, will turn the app incapable of detecting the source of an attack, the nature of underlying exploits and form defense against any future attacks.
If strong authentication policies are not in place, it’ll ultimately lead to the following business: Reputational Damage, Information Theft, or Unauthorized Access to Data.
How to know if your device is vulnerable to ‘Insecure Authentication’?
A mobile app may suffer from insecure authentication in numerous ways:
- If a mobile application is able to anonymously execute a backend API service request without providing an access token, this application is highly vulnerable to insecure authentication;
- If the mobile application ends up storing passwords or shared secrets locally on the device, it indicates vulnerability to insecure authentication;
- If the mobile application encourages a weak password policy to simplify the password being entered, it is vulnerable to insecure authentication;
- If the mobile application uses a feature like TouchID, it suffers from insecure authentication.
How To Prevent ‘Insecure Authentication’?
Avoid weak mobile application authentication design patterns
- Ensure that the authentication requirements of mobile applications should match that of the web application component if you are porting a web application to its mobile equivalent.
- Local authentication of a user can lead to client-side bypass vulnerabilities. If the application stores data locally, using run-time manipulation or modification of the binary, the authentication routine can be bypassed on jailbroken devices.
- Ensure that all authentication requests are performed on server-side. The application data will be loaded onto the mobile device, upon successful authentication. This will ensure that application data will only be available after successful authentication.
- For client-side storage of data, the data should be encrypted using an encryption key which is securely derived from the user’s login credentials. This will ensure that the stored application data will only be accessible upon successfully entering the correct credentials.
- Persistent authentication i.e the Remember Me functionality implemented within mobile applications should never store a user’s password on the device;
- Ideally, mobile applications should utilize a device-specific authentication token that can be revoked within the mobile application by the user. This will ensure that the app can mitigate unauthorized access from a stolen/lost device;
- Do not use any spoof-able values for authenticating a user. This includes device identifiers or geo-location;
- Persistent authentication within mobile applications should be implemented as opt-in and not be enabled by default;
- If possible, do not allow users to provide 4-digit PIN numbers for authentication passwords.
2. Reinforce Authentication
- Developers should remember that malicious users can bypass all client-side authorization and authentication controls. Thus, whenever possible, authorization and authentication controls must be re-enforced on the server-side.
- Due to offline usage requirements, mobile apps may be required to perform local authentication or authorization checks within the mobile app’s code. If this is the case, developers should instrument local integrity checks within their code to detect any unauthorized code changes.
Worried that your phone might be vulnerable to such threats? Protect your mobile now with Astra’s Complete Security Suite for Android and iOS apps