Authentication and Authorization

In most cases, sending users to log in to a remote service is an integral part of the overall mobile app architecture. Even though most of the authentication and authorization logic happens at the endpoint, there are also some implementation challenges on the mobile app side. Unlike web apps, mobile apps often store long-lived session tokens that are unlocked with user-to-device authentication features such as fingerprint scanning. While this allows for a quicker login and a better user experience (nobody likes to enter complex passwords), it also introduces additional complexity and room for error: the token now lives on the device for a long time, and the strength of the "unlock" depends on how the app binds it to the platform's authentication facilities.

Mobile app architectures also increasingly incorporate authorization frameworks (such as OAuth2) that delegate authentication to a separate service or outsource the authentication process to an authentication provider. Using OAuth2 allows the client-side authentication logic to be outsourced to other apps on the same device (e.g. the system browser). Security testers must know the advantages and disadvantages of the different possible authorization frameworks and architectures.
Interaction with the Mobile Platform

Mobile operating system architectures differ from classical desktop architectures in important ways. For example, all mobile operating systems implement app permission systems that regulate access to specific APIs. They also offer more (Android) or less (iOS) rich inter-process communication (IPC) facilities that enable apps to exchange signals and data. These platform-specific features come with their own set of pitfalls. For example, if IPC APIs are misused, sensitive data or functionality might be unintentionally exposed to other apps running on the device.
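As an added example of the IPC pitfall just described (this is not code from the guide), the Android ContentProvider below is meant to let other apps read files from one sub-directory of the app's private storage. The vulnerable method joins a caller-supplied path segment to that directory without checking it, so any app on the device can read files elsewhere in the sandbox; the hardened override canonicalises the path and refuses anything outside the export directory. The authority "com.example.app.files", the directory name "exported" and the permission name in the manifest comment are assumptions of this example.

```java
import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.net.Uri;
import android.os.ParcelFileDescriptor;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;

/*
 * Added example. Assumed manifest entry (the provider is exported on purpose so
 * that other apps can read files from EXPORT_DIR):
 *   <provider android:name=".ExportedFileProvider"
 *             android:authorities="com.example.app.files"
 *             android:exported="true"
 *             android:permission="com.example.app.READ_EXPORTS" />
 * Dropping android:permission makes every app on the device a legitimate caller,
 * which is the first thing to check when reviewing an exported component.
 */
public class ExportedFileProvider extends ContentProvider {
    private static final String EXPORT_DIR = "exported";   // assumed directory name

    @Override public boolean onCreate() { return true; }

    /*
     * VULNERABLE variant. Uri.getLastPathSegment() percent-decodes, so a request for
     *   content://com.example.app.files/..%2F..%2Fshared_prefs%2Fsession.xml
     * yields "../../shared_prefs/session.xml", and the provider hands another
     * app a read descriptor for a file that was never meant to leave the sandbox.
     */
    ParcelFileDescriptor openFileUnsafe(Uri uri) throws FileNotFoundException {
        File base = new File(getContext().getFilesDir(), EXPORT_DIR);
        File target = new File(base, uri.getLastPathSegment());
        return ParcelFileDescriptor.open(target, ParcelFileDescriptor.MODE_READ_ONLY);
    }

    /* HARDENED: resolve the real path and refuse anything outside EXPORT_DIR. */
    @Override
    public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
        if (!"r".equals(mode)) throw new FileNotFoundException("read-only provider");
        String name = uri.getLastPathSegment();
        if (name == null || name.isEmpty()) throw new FileNotFoundException("no file named");
        try {
            File base = new File(getContext().getFilesDir(), EXPORT_DIR).getCanonicalFile();
            File target = new File(base, name).getCanonicalFile();
            // Canonicalisation collapses "..", decoded separators and symlinks. The
            // result must still start with "<base>/" (the trailing separator stops
            // a sibling such as "exported-private" from passing the prefix test).
            if (!target.getPath().startsWith(base.getPath() + File.separator)) {
                throw new FileNotFoundException("outside export directory");
            }
            return ParcelFileDescriptor.open(target, ParcelFileDescriptor.MODE_READ_ONLY);
        } catch (IOException e) {
            throw new FileNotFoundException(e.getMessage());
        }
    }

    // This provider serves files only; the table-style entry points are disabled
    // so they cannot become a second, unreviewed path into the app's data.
    @Override public Cursor query(Uri u, String[] p, String s, String[] a, String o) { return null; }
    @Override public String getType(Uri u) { return "application/octet-stream"; }
    @Override public Uri insert(Uri u, ContentValues v) { throw new UnsupportedOperationException(); }
    @Override public int delete(Uri u, String s, String[] a) { throw new UnsupportedOperationException(); }
    @Override public int update(Uri u, ContentValues v, String s, String[] a) { throw new UnsupportedOperationException(); }
}
```

From a test device the traversal attempt can be reproduced without writing a second app, e.g. with adb's content tool: adb shell content read --uri content://com.example.app.files/..%2F..%2Fshared_prefs%2Fsession.xml. Against the vulnerable method this prints the file; against the hardened override it fails with a FileNotFoundException.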
Code Quality and Exploit Mitigation

Traditional injection and memory management issues aren't often seen in mobile apps due to the smaller attack surface. Mobile apps mostly interact with the trusted backend service and the UI, so even if many buffer overflow vulnerabilities exist in the app, those vulnerabilities usually don't open up any useful attack vectors, because little attacker-controlled input ever reaches them. The same applies to browser exploits such as cross-site scripting (XSS allows attackers to inject scripts into web pages) that are very prevalent in web apps. However, there are always exceptions. XSS is theoretically possible on mobile in some cases, but it's very rare to see XSS issues that an individual can exploit. For more information about XSS, see "Testing for Cross-Site Scripting Flaws" in the chapter "Testing Code Quality".

This protection from injection and memory management issues doesn't mean that app developers can get away with writing sloppy code. Following security best practices results in hardened (secure) release builds that are resilient against tampering. Free security features offered by compilers and mobile SDKs (for example stack canaries, position-independent executables and automatic reference counting) help increase security and mitigate attacks.
Anti-Tampering and Anti-Reversing

There are three things you should never bring up in polite conversation: religion, politics, and code obfuscation. Many security experts dismiss client-side protections outright. However, software protection controls are widely used in the mobile app world, so security testers need ways to deal with these protections. We believe there's a benefit to client-side protections if they are employed with a clear purpose and realistic expectations in mind and aren't used to replace security controls.
The OWASP Mobile AppSec Verification Standard

This guide is closely related to the OWASP Mobile Application Security Verification Standard (MASVS). The MASVS defines a mobile app security model and lists generic security requirements for mobile apps. It can be used by architects, developers, testers, security professionals, and consumers to define and understand the qualities of a