
Mobile Devs Making the Same Security Mistakes Web Devs Made in the Early 2000s




Mobile app developers are going through the same growing pains that the webdev scene has gone through in the 90s and 2000s when improper input validation led to many security incidents.


But while mobile devs have learned to filter user input for dangerous strings, some of these devs have not learned their lesson very well.


Business logic on the client-side... like it's 1999


In a research paper published earlier this year, Abner Mendoza and Guofei Gu, two academics from Texas A&M University, have highlighted the problem of current-day mobile apps that still include business logic (such as user input validation, user authentication, and authorization) inside the client-side component of their code, instead of its server-side section.


This regrettable situation leaves the users of these mobile applications vulnerable to simple HTTP request parameter injection attacks that could have been easily mitigated if an application's business logic would have been embedded inside its server-side component, where most of these operations belong.


But while leaving business logic on the client-side might sound more of an app design mistake, it is actually a big security issue. For example, an attacker can analyze a mobile app (that he installed on his device) and determine the format of the web requests sent to the mobile app's servers after the user's input is validated. The attacker can then modify a few parameters of these requests in order to poison the desired action.


Millions of apps potentially affected


In a research paper titled "Mobile Application Web API Reconnaissance: Web-to-Mobile Inconsistencies & Vulnerabilities," Mendoza and Gu have recently taken a look at this ancient, yet still valid, attack vector.


The two researchers created a system named WARDroid that mass-analyzes mobile apps, determines the format of their web requests, and tries to determine if these are vulnerable to these types of attacks.


Researchers said they tested WARDroid on a set of 10,000 random popular apps from the Google Play Store.

"We detected problematic logic in APIs used in over 4,000 apps, including 1,743 apps that use unencrypted HTTP communication," researchers said.


But since WARDroid was not a secure indicator that the app's communications template was vulnerable, the two researchers also manually analyzed 1,000 random apps from the ones flagged by their system, confirming that 962 used APIs with validation logic problems. Extrapolating these numbers to the whole Google Play Store, the two academics believe millions of apps might be vulnerable.

Issues found in banking and e-commerce apps


For example, some of the apps where they found problematic API logic include a banking app, where they said they were able to modify transaction details.


Similarly, they also found validation logic flaws in gift card apps that allowed them to load a test account with money to spend at various stores, and similar validation logic flaws in the communications model of apps built using the Shopify SDK. This latter flaw allowed the research team to buy products for negative prices, creating discounts inside Shopify-based mobile stores.


"You never wanna trust the client input. This is a harsh lesson that should have already been learned from the lessons on the web platform and web applications," Mendoza said on stage while presenting his research at the 39th IEEE Symposium on Security and Privacy, held in San Francisco two weeks ago.


"This work highlights that this continues to be the problem — input validation and just being very cognisant of validating or sanitizing input," said Mendoza, also highlighting that server-side business logic should be as strict as the client-side validation logic, if not stricter.




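The server-side counterpart to the client-side checks the article describes, as an added example that is not part of the original post or the researchers' code: the server re-validates every field and takes prices from its own catalog, so a modified `price` parameter has no effect. The catalog, field names and limits are assumptions made for illustration.

```python
from decimal import Decimal

# Constructed server-side catalog: the only authoritative source of prices.
CATALOG = {"sku-100": Decimal("19.99"), "sku-200": Decimal("5.00")}
MAX_QTY = 100  # assumed business limit per line item


class ValidationError(ValueError):
    """Raised when a request fails server-side validation."""


def price_order(request: dict) -> Decimal:
    """Validate an order on the server and return the total to charge.

    Client-supplied 'price' or 'total' fields are never read: the app's own
    validation may have been bypassed, so the server trusts none of it.
    """
    items = request.get("items") if isinstance(request, dict) else None
    if not isinstance(items, list) or not items:
        raise ValidationError("items must be a non-empty list")
    total = Decimal("0")
    for item in items:
        if not isinstance(item, dict):
            raise ValidationError("malformed item")
        sku, qty = item.get("sku"), item.get("qty")
        if not isinstance(sku, str) or sku not in CATALOG:
            raise ValidationError(f"unknown sku: {sku!r}")
        # bool is a subclass of int, so reject it explicitly.
        if isinstance(qty, bool) or not isinstance(qty, int):
            raise ValidationError("qty must be an integer")
        if not 1 <= qty <= MAX_QTY:
            raise ValidationError("qty out of range")
        total += CATALOG[sku] * qty  # price comes from the server, not the client
    return total


# Constructed sample requests: one honest, two with tampered parameters.
HONEST = {"items": [{"sku": "sku-100", "qty": 2, "price": "19.99"}]}
TAMPERED_PRICE = {"items": [{"sku": "sku-100", "qty": 2, "price": "-19.99"}]}
TAMPERED_QTY = {"items": [{"sku": "sku-100", "qty": -2}]}

if __name__ == "__main__":
    for name, req in [("honest", HONEST), ("price", TAMPERED_PRICE), ("qty", TAMPERED_QTY)]:
        try:
            print(name, "->", price_order(req))
        except ValidationError as exc:
            print(name, "-> rejected:", exc)
```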


LOL, history always repeats itself, but really, has Windows security even gotten any better since the early 2000s? I don't think it has. Out of every platform, Windows has the highest rate of infection, but don't fool yourself, you can be infected on any platform. Most devs are in it to make a profit, and it isn't always hackers infecting you anymore. Just like they find all these infected apps in the Google store, they found a dev in the Ubuntu Snap store who was putting crypto miners in his apps. So be careful out there what you install. All they can do is remove it if something like this gets by. Most legacy apps on Windows are not even regulated very well; they're not in any store and you're at a dev's whim. Lucky for Windows users, most software has been around since the early 2000s, and new development is just about dead unless it's cross-platform.


As far as HTTP vs. HTTPS, this is never a problem for me. No matter what platform I'm on, I always run all my traffic through a VPN so it's all encrypted. HTTPS is no better than HTTP anymore; hackers and security researchers have exploited it to death and it needs to be replaced with stronger encryption. The internet is like 10 years behind the times, and I don't trust HTTPS either, it's full of holes. A hacker can attack you and not even have to hack into HTTPS, which they have been doing for years. All these sites that are pushing for HTTPS have been breached using it before, so it's an oxymoron to be pushing for something that has already been hacked a million times. A hacker can just do a DNS attack and get around HTTPS. This is what ISPs do to spy on you when using HTTPS, and if you are using your ISP's DNS they still see you, and HTTPS is not going to save you from hackers that know how to exploit it.


HTTPS is pseudo-security. When you use it on Google, Facebook, or Microsoft sites, it doesn't protect you from them harvesting your data, and it will not protect you from a skilled hacker stealing your info. The reason HTTPS is being pushed is because Big Tech companies can hide behind it and you cannot prove what they are doing with your data. It's more to protect them from you than it is to protect you. It's all smoke and mirrors. If you do stupid things and don't use common sense, nothing is going to save you. There is no magic pill or cure.



This topic is now archived and is closed to further replies.
