Improper Error Handling
Whenever an error condition occurs, a mobile application shows a message. By default such messages are the ones supplied by the system, although it is also possible to customize them. Displaying default error messages to users is a bad practice: the content of these messages may give attackers insights that are useful for inflicting damage. Let us look at an example of a mobile app to see how an attacker may observe an error message and carry out an attack.
In this mobile application, users have to log in before they can use it. If the user input does not match one of the entries stored in the database, an error message is displayed. The application's error message is not customized: the default message states that authentication has failed and also reveals which database is used (e.g. Oracle DB, MySQL). An attacker who wants to damage the application's database deliberately enters incorrect credentials. The error message reveals the name of the database product, and the attacker exploits a known vulnerability of that database system to delete critical data.
The solution is to customize the error messages. Customizing them lets developers decide exactly what text is displayed, so the system can be prevented from revealing sensitive information to users. The detailed error is still needed for troubleshooting, so it belongs in a server-side log rather than on the user's screen.
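The login scenario above, as an added example that is not part of the original text: a constructed in-memory SQLite store stands in for the app's user database, `login_default_messages` shows the failure text unchanged (including the driver and exception names), and `login_custom_messages` shows a fixed message while the detail goes to the log under a reference id. `make_db(with_table=False)` simulates a backend failure so both paths can be compared; names and messages here are hypothetical.

```python
import hashlib
import hmac
import logging
import sqlite3
import uuid

log = logging.getLogger("auth")


def make_db(with_table: bool = True) -> sqlite3.Connection:
    """Constructed in-memory store standing in for the app's user database.
    with_table=False simulates a backend failure (table missing)."""
    conn = sqlite3.connect(":memory:")
    if with_table:
        conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash BLOB)")
        conn.execute("INSERT INTO users VALUES (?, ?)",
                     ("alice", hashlib.sha256(b"correct-horse").digest()))
    return conn


class AuthFailed(Exception):
    """Raised when the supplied credentials match no stored entry."""


def check_credentials(conn: sqlite3.Connection, user: str, pw: str) -> None:
    # sha256 keeps the example self-contained; a real app uses a password KDF.
    row = conn.execute("SELECT pw_hash FROM users WHERE name = ?", (user,)).fetchone()
    if row is None or not hmac.compare_digest(row[0], hashlib.sha256(pw.encode()).digest()):
        # Constructed detail-rich text, the kind a default message carries.
        raise AuthFailed(f"no match for {user!r} in sqlite3 table 'users'")


def login_default_messages(conn: sqlite3.Connection, user: str, pw: str) -> str:
    """Before: the exception text is shown to the user unchanged."""
    try:
        check_credentials(conn, user, pw)
        return "Welcome"
    except Exception as exc:  # AuthFailed and sqlite3 errors alike reach the screen
        return f"Error: {type(exc).__module__}.{type(exc).__name__}: {exc}"


def login_custom_messages(conn: sqlite3.Connection, user: str, pw: str) -> str:
    """After: fixed user-facing text; the detail goes to the server log with a reference id."""
    try:
        check_credentials(conn, user, pw)
        return "Welcome"
    except AuthFailed:
        return "Invalid username or password."
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex[:8]
        log.error("login backend failure ref=%s: %r", ref, exc)
        return f"Login is temporarily unavailable (reference {ref})."
```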