According to High-Tech Bridge’s CEO, Ilia Kolochenko, many companies still believe that mobile application security is limited to the application, completely forgetting about the backend of a system.
Kolochenko revealed that the mobile app per se usually contains various weaknesses that often require some social engineering or additional exploitation conditions, such as an attacker’s presence on the same Wi-Fi network or a malicious app already installed on the victim’s device.
“This is a very risky practice: in our experience, the majority of exploitable high-risk vulnerabilities are located in the backend (e.g. web services or APIs that the mobile app uses),” he said.
According to him, the most complicated component of a mobile infrastructure is the backend, where the mobile app sends and receives data. If it’s a gaming app, usually not much is at stake.
However, he added that, if the mobile app stores or processes any sensitive or confidential information on the backend (e.g. payment apps), one backend vulnerability can lead to a breach of all app users and their data.
The backend is also a pretty difficult target for testing: developers often omit documentation, and in order to undertake rigorous testing, you have to interact with the application and intercept outgoing and incoming traffic.
Kolochenko continued: “Proper encryption of mobile app and backend communications is very important and actually not very complicated to implement. If an app sends any sensitive data via the unencrypted HTTP protocol, it can easily be intercepted by anyone on the same wireless network.
“Sometimes attackers breach wireless routers to log all traffic and automatically grep for passwords sent over the network in plaintext. In this case, attackers don’t have to join the network and can operate from another continent.”
He also noted that a single backend business logic flaw can create a lot of trouble, as such flaws require a thorough understanding of the underlying business processes to find. For example, if a client is entitled to three free refunds per item in the case of a purchase under US$100, this is something that is unlikely to be spotted during a classic assessment and will require additional time and cooperation with the customer to be detected.
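The refund rule above only holds if the backend, not the app, keeps the count. The following is an added illustration, not High-Tech Bridge code: a hypothetical server-side ledger that enforces the three-free-refunds-under-US$100 rule and records denied attempts so repeated probing of the rule can be reviewed (class and function names, the in-memory store and the sample customer are assumptions).

```python
"""Server-side enforcement of a refund policy: up to three free refunds per
item when the purchase price was under US$100.  Added example; the ledger,
names and sample data are constructed for illustration."""
from dataclasses import dataclass, field
from decimal import Decimal

FREE_REFUND_LIMIT = 3                      # free refunds allowed per (customer, item)
FREE_REFUND_MAX_PRICE = Decimal("100.00")  # rule applies only below this price


@dataclass
class RefundLedger:
    # (customer_id, item_id) -> free refunds already granted; lives on the
    # backend so a resubmitted or tampered client request cannot reset it.
    granted: dict = field(default_factory=dict)
    # Denied attempts with the reason, kept as an audit trail for review.
    denied: list = field(default_factory=list)

    def request_free_refund(self, customer_id: str, item_id: str, purchase_price) -> bool:
        """Grant the refund and record it if the policy allows it, else deny it."""
        key = (customer_id, item_id)
        if Decimal(str(purchase_price)) >= FREE_REFUND_MAX_PRICE:
            self.denied.append((key, "price_not_eligible"))
            return False
        used = self.granted.get(key, 0)
        if used >= FREE_REFUND_LIMIT:
            self.denied.append((key, "limit_reached"))
            return False
        self.granted[key] = used + 1
        return True

    def suspicious_customers(self, threshold: int = 3) -> set:
        """Customers whose denied attempts reach the threshold: candidates for
        a manual look, since a well-behaved app should rarely be refused."""
        counts = {}
        for (customer_id, _item), _reason in self.denied:
            counts[customer_id] = counts.get(customer_id, 0) + 1
        return {c for c, n in counts.items() if n >= threshold}


def demo():
    """Constructed scenario: one customer asks six times for a free refund on
    a US$49.99 item.  Three succeed, three are denied, and the customer is
    flagged for review."""
    ledger = RefundLedger()
    results = [ledger.request_free_refund("cust-1", "sku-42", "49.99") for _ in range(6)]
    return results, ledger.suspicious_customers()
```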
Written by Leah Alger