Risks of Not Setting Secure Flag Attribute in Cookies
Mobile applications talk to backend servers running on remote machines, and the two exchange messages frequently. A server typically issues a cookie to the app at the start of a session; the app then attaches that cookie to each subsequent request until the session expires. Cookies let the server identify the client and carry other session-specific state. Because the cookie is what the server trusts, a cookie that falls into the wrong hands can be used to cause damage. Below is an example of what an attacker may do.
A mobile app (client) is communicating with its server. A cookie uniquely identifying the app is issued and stored on the app's side, and the app sends it along with its requests. Nothing restricts the kind of connection over which the app will transmit the cookie. An attacker causes the cookie to be requested over a non-secured connection, and the cookie is sent. Since the connection is not encrypted, the cookie travels in plain text and the attacker recovers its contents. Using the credentials carried in the cookie, the attacker gains access to the server and deletes user data.
It is possible to control the kind of connection over which a cookie is shared. Cookies have an attribute named 'Secure'. When this attribute is set, the client attaches the cookie only to requests sent over an encrypted (HTTPS) connection, so its contents are protected whenever they cross the network.
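The following added example, which is not part of the original article, shows the difference in practice using Python's standard-library `http.cookies` module: it parses `Set-Cookie` headers to flag cookies issued without `Secure`, builds a hardened session cookie, and mimics the client-side rule that a `Secure` cookie is attached only to HTTPS requests. The two sample headers and the cookie name and value are constructed for illustration.

```python
"""Detect cookies issued without the Secure attribute and build a hardened one.

Uses only the standard library (http.cookies). Sample headers below are constructed.
"""
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie headers: the first omits Secure, the second sets it.
WEAK_SET_COOKIE = "session=abc123; Path=/; HttpOnly"
HARDENED_SET_COOKIE = "session=abc123; Path=/; HttpOnly; Secure"


def cookie_attributes(set_cookie_header: str) -> dict:
    """Parse one Set-Cookie header into {name: {"secure": bool, "httponly": bool}}.

    SimpleCookie stores an unset flag as the empty string, so bool() normalises it.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    return {
        name: {"secure": bool(morsel["secure"]), "httponly": bool(morsel["httponly"])}
        for name, morsel in jar.items()
    }


def missing_secure(set_cookie_headers) -> list:
    """Return the names of cookies delivered without the Secure attribute.

    This is the check a reviewer would run over a server's response headers.
    """
    missing = []
    for header in set_cookie_headers:
        for name, attrs in cookie_attributes(header).items():
            if not attrs["secure"]:
                missing.append(name)
    return missing


def build_session_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Build a Set-Cookie header with Secure, HttpOnly and SameSite set.

    Secure keeps the cookie off plaintext connections; HttpOnly keeps it away
    from script; SameSite=Strict limits cross-site sending.
    """
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["max-age"] = max_age
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    jar[name]["samesite"] = "Strict"
    return jar[name].OutputString()


def should_send(cookie_secure: bool, url_scheme: str) -> bool:
    """Mimic client behaviour: a Secure cookie is attached only to https requests.

    A cookie without Secure is sent over either scheme, which is exactly the
    exposure described in the article.
    """
    return url_scheme == "https" or not cookie_secure


if __name__ == "__main__":
    print("cookies missing Secure:", missing_secure([WEAK_SET_COOKIE, HARDENED_SET_COOKIE]))
    print("hardened header:", build_session_cookie("session", "abc123"))
    for secure in (False, True):
        for scheme in ("http", "https"):
            print(f"secure={secure} scheme={scheme} -> sent={should_send(secure, scheme)}")
```

Run the script directly to see which sample cookie is flagged, the hardened header the server should emit, and the scheme matrix showing that only the cookie without `Secure` is sent over plain HTTP. `missing_secure` is the piece worth wiring into a test suite against your own server's responses.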