Mobile Application Security: Overview Of Practices To Plug Vulnerabilities – 3
Mobile applications communicate with their backend servers over a network. That communication involves verifying the identity of the other party, exchanging messages, and accepting or rejecting incoming connection requests. Each of these aspects has to be configured carefully so that no security loophole remains. A few such potential vulnerabilities are described below.
Missing Certificate Pinning
Mobile apps and their servers communicate with each other, so it is vital to verify the server’s identity at the start of the connection. ‘Certificates’ are used for this purpose. However, if the app does not ship with its own copy of the expected certificate, it may be deceived by an impersonator presenting a different certificate, breaching its security.
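As an added illustration (not code from the original article) of the check an app performs when it does hold a copy of the expected certificate: the app ships the SHA-256 fingerprint of that certificate and, after the TLS handshake, compares it with the fingerprint of the certificate the server actually presented. The DER byte strings below are constructed stand-ins; a real client obtains the presented certificate from its socket with `getpeercert(binary_form=True)`.

```python
import hashlib
import hmac

# Constructed stand-ins for DER-encoded certificates. In a real client the
# presented certificate comes from ssl_sock.getpeercert(binary_form=True).
EXPECTED_SERVER_CERT = b"constructed DER bytes of the genuine server certificate"
IMPERSONATOR_CERT = b"constructed DER bytes of a certificate an impersonator presents"


def fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 over the whole DER certificate; this is the value the app pins."""
    return hashlib.sha256(der_cert).hexdigest()


# The pin set bundled with the app. In practice a backup pin is shipped
# alongside the current one so the server can rotate certificates; one pin here.
PINNED_FINGERPRINTS = {fingerprint(EXPECTED_SERVER_CERT)}


def certificate_is_pinned(presented_der: bytes, pins: set[str]) -> bool:
    """Return True only if the presented certificate matches one of the pins.

    This runs in addition to, not instead of, normal chain and hostname
    verification. compare_digest keeps the comparison constant-time.
    """
    fp = fingerprint(presented_der)
    return any(hmac.compare_digest(fp, pin) for pin in pins)


if __name__ == "__main__":
    print("genuine cert accepted:", certificate_is_pinned(EXPECTED_SERVER_CERT, PINNED_FINGERPRINTS))
    print("impersonator accepted:", certificate_is_pinned(IMPERSONATOR_CERT, PINNED_FINGERPRINTS))
```

An impersonator's certificate may well chain to a trusted CA, which is exactly why the ordinary chain check alone is not enough; the pin comparison fails for any certificate other than the one the app was built to expect.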
Risks of Not Setting Secure Flag Attribute in Cookies
The server sets cookies on the client side, and the attributes it sets decide which kinds of connections the app may send those cookies over. If the Secure flag is not set, the app is allowed to send the cookie over a non-secured connection, where its data could be obtained by an attacker and misused.
Setting Cookie Path Attribute
The ‘Path’ attribute of a cookie decides which requests the cookie is attached to. It is recommended to set the path to the most specific folder in the server’s folder structure where the app’s functionality lies, rather than the site root.
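The two cookie points above (the Secure flag and a narrow Path) can be checked mechanically. The following is an added example, not code from the article: it builds a hardened `Set-Cookie` header and audits arbitrary header values against the two rules. The app root `/api/v1`, the cookie names and the sample headers are constructed assumptions; the builder also sets `HttpOnly`, which the article does not discuss but which is standard alongside Secure.

```python
APP_ROOT = "/api/v1"  # assumption: the folder under which this app's endpoints live


def build_set_cookie(name: str, value: str, path: str = APP_ROOT) -> str:
    """Return a Set-Cookie header value with the hardened attributes:
    Secure (sent over HTTPS only), HttpOnly (not readable by script), a narrow Path."""
    return f"{name}={value}; Path={path}; Secure; HttpOnly"


def audit_set_cookie(header: str, app_root: str = APP_ROOT) -> list[str]:
    """Inspect one Set-Cookie header value and list the weaknesses found."""
    segments = [s.strip() for s in header.split(";") if s.strip()]
    name = segments[0].split("=", 1)[0]

    # Attribute names are case-insensitive; flags such as Secure carry no value.
    attrs = {}
    for seg in segments[1:]:
        key, _, val = seg.partition("=")
        attrs[key.strip().lower()] = val.strip()

    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure flag")

    if "path" not in attrs:
        findings.append(f"{name}: Path not set")
    else:
        path = attrs["path"]
        # Acceptable only if the path is the app root itself or a folder below it.
        normalized, root = path.rstrip("/"), app_root.rstrip("/")
        if not (normalized == root or normalized.startswith(root + "/")):
            findings.append(f"{name}: Path={path} is broader than the app root {app_root}")
    return findings


if __name__ == "__main__":
    # Constructed sample headers: a weak one and the hardened replacement.
    for hdr in ("session=abc123; Path=/", build_set_cookie("session", "abc123")):
        print(hdr, "->", audit_set_cookie(hdr) or ["no findings"])
```

The prefix check is done on whole path segments so that `/api/v10` is not mistaken for a folder beneath `/api/v1`.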
SSL and TLS Protocol Based Vulnerabilities
SSL and TLS are the protocols used to secure communication. Older versions of these protocols have known vulnerabilities. If an application still supports those versions, an attacker may force the app to fall back to them (a downgrade attack) and obtain the information in transit.
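The defence is to refuse the legacy versions outright, so there is nothing to downgrade to. As an added example (not the article's own code), the Python `ssl` module is used here to stand in for whichever TLS stack the app or server uses; the minimum-version setting is the same idea on any platform.

```python
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """TLS client context that refuses every protocol version below TLS 1.2.

    The weak configuration this replaces is the same context with
    ``ctx.minimum_version = ssl.TLSVersion.TLSv1``, which leaves TLS 1.0 and
    TLS 1.1 negotiable, and therefore available to a downgrade.
    """
    ctx = ssl.create_default_context()  # still verifies the chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def accepts_legacy_tls(ctx: ssl.SSLContext) -> bool:
    """True if the context would still negotiate anything older than TLS 1.2."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


def legacy_versions_allowed(ctx: ssl.SSLContext) -> list[str]:
    """Names of the obsolete versions a context still permits, for a config review."""
    legacy = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)
    return [v.name for v in legacy if ctx.minimum_version <= v]


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("minimum version:", ctx.minimum_version.name)
    print("accepts legacy TLS:", accepts_legacy_tls(ctx))
    print("legacy versions still allowed:", legacy_versions_allowed(ctx))
```

`legacy_versions_allowed` is the review-side check: run it over the contexts an application actually builds and anything it lists is a downgrade target that should be closed.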
Unsafe HTTP Methods
HTTP methods are the verbs mobile apps and their backend servers use to communicate. Not every method is safe to expose, so it is advisable to disable all the HTTP methods the application does not use, thereby keeping the potential attack surface to a minimum.
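One way to enforce that on the backend is an allow-list in front of the application, so anything outside the list is answered with `405 Method Not Allowed` before it reaches any handler. The following is an added example, not code from the article, written as WSGI middleware; the allow-list of `GET`, `HEAD` and `POST` and the path `/api/v1/items` are assumptions about what the API needs.

```python
from typing import Callable, Iterable

# Assumption: this API only ever needs these three methods. Everything else
# (PUT, DELETE, TRACE, OPTIONS, ...) is refused before it reaches the app.
ALLOWED_METHODS = frozenset({"GET", "HEAD", "POST"})
ALLOW_HEADER = ", ".join(sorted(ALLOWED_METHODS))


def restrict_methods(app: Callable) -> Callable:
    """WSGI middleware that answers any method not on the allow-list with 405.

    The comparison is exact: HTTP method names are case-sensitive, so 'get'
    is not 'GET' and is refused rather than normalised.
    """
    def wrapped(environ, start_response):
        if environ.get("REQUEST_METHOD") not in ALLOWED_METHODS:
            start_response("405 Method Not Allowed",
                           [("Allow", ALLOW_HEADER), ("Content-Type", "text/plain")])
            return [b"method not allowed\n"]
        return app(environ, start_response)
    return wrapped


def api(environ, start_response) -> Iterable[bytes]:
    """Stand-in for the real backend handler."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


application = restrict_methods(api)


def invoke(app: Callable, method: str, path: str = "/api/v1/items"):
    """Drive a WSGI app in-process (no socket); returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app({"REQUEST_METHOD": method, "PATH_INFO": path}, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for m in ("GET", "POST", "PUT", "DELETE", "TRACE", "get"):
        status, headers, _ = invoke(application, m)
        print(f"{m:7s} -> {status}   Allow: {headers.get('Allow', '-')}")
```

Returning the `Allow` header with the 405 is what the HTTP specification asks for, and it doubles as documentation of exactly which methods the deployment has left enabled.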
Using Raw SQL Queries
Raw SQL queries built from user input let that input become part of the query text. This is a potential loophole: a user with malicious intent can inject additional SQL by crafting the value of a parameter. That is why parameterized queries should be used; they pass user input as data, so it cannot alter the structure of the query.
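The difference is easiest to see with both forms of the query side by side. As an added example (not code from the article), the snippet below uses an in-memory SQLite database as a stand-in for the backend's store, with a constructed two-row user table and a constructed tampered input; the raw query returns every row for that input, while the parameterized query treats it as an ordinary (non-matching) username.

```python
import sqlite3

# Constructed sample data standing in for the app's user table.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

# Constructed tampered input: the quote closes the string literal and the
# remainder rewrites the WHERE clause so that it matches every row.
TAMPERED_INPUT = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """In-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_raw(conn: sqlite3.Connection, username: str) -> list[str]:
    """VULNERABLE: the value is pasted into the SQL text, so it can carry SQL."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list[str]:
    """Hardened: the driver binds the value as data; the query's shape is fixed."""
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


if __name__ == "__main__":
    conn = make_db()
    print("raw, normal input:          ", lookup_raw(conn, "alice"))
    print("raw, tampered input:        ", lookup_raw(conn, TAMPERED_INPUT))
    print("parameterized, tampered:    ", lookup_parameterized(conn, TAMPERED_INPUT))
```

The `?` placeholder is SQLite's binding syntax; other drivers use `%s` or named parameters, but the principle is identical: the query text is fixed before any user value is supplied.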