Implementing Input Validation
A mobile application accepts various inputs from a user. These inputs may also be passed on to the application's backend server. Data is validated for its format and its values, and this validation is done at the app level as well as at the server level: when a user provides an input, the app validates it, and if the information is passed on to the server, the server performs its own validation. Not checking data can pose a threat. Consider an example.
A mobile app has a backend server as well. The app has a few input fields in which users enter data, and the data is passed on to the server. Neither the app nor the server validates the data. The client and server trust each other, so authentication is not enforced at either end. An attacker wants to obtain the app's confidential data. He has a program that steals data from the database, modifies the database, and can hijack a session as well. The attacker types the program into one of the input fields instead of a data value and submits it. The script is accepted by the mobile application and passed on to the server. On reaching the server, the script accesses the database, then steals and deletes essential data. Whenever a new user connects to the server, the script transfers itself to that user's device, where it accesses the session cookies and manipulates their contents.
It is necessary to perform input validation at both the application and the server level to prevent the scenario described above. Checks at the application level prevent attackers from injecting harmful inputs into the app. Validation at the server level keeps the server secure even if the mobile application on one of the devices has been compromised, and consequently protects other users' devices from the malware as well.