Mobile Top 10 2014-M5

Threat Description  Attack Vector Description Security Weakness Description Technical Impacts Business Impacts

Avoid the following Insecure Mobile Application Authentication Design Patterns:


 * Authentication requires that mobile applications should match the security protections that of the web application component. Therefore, it should not be possible to authenticate through with less authentication factors then it would be possible through the web browser.
 * Authenticating a user locally can lead to client-side bypass vulnerabilities. If the application stores data locally, the authentication routine can be bypassed on jailbroken devices through runtime manipulation or modification of the binary.
 * Ensure all authentication requests are performed server-side. Upon successful authentication, application data will be loaded onto the mobile device. This will ensure that application data will only be available after successful authentication.
 * If client-side storage of data is required, the data will need to be encrypted using an encryption key that is securely derived from the user’s login credentials. This will ensure that the stored application data will only accessible upon successfully entering the correct credentials.
 * Persistent authentication (Remember Me) functionality implemented within mobile applications should never be implemented by storing a user’s password on the device.
 * Ideally, mobile applications should utilize a device-specific authentication token, which can be revoked within the web application by the user. This will ensure that unauthorized access can be mitigated in the event of a stolen/lost device.
 * Do not use any spoof-able values for authenticating a user. This includes device identifiers or geo-location.
 * Persistent authentication within mobile applications should be implemented as opt-in and not enabled by default

Developers should assume all client-side authorization controls can be bypassed by malicious users. Authorization controls should be re-enforced server-side whenever possible.

Example Scenarios

References