Mobile application security issues: Overview of practices to plug vulnerabilities – 4
Web applications hold critical application data and most of the application's functionality, so a mobile application's security is a critical concern. Some activities, if a web application permits users to perform them, can be used to breach the application's security. A few potential security loopholes of this kind are illustrated below.
Terminating User Session
Servers maintain user sessions, which contain user-specific information. While a user's session is active on the server, the user does not need to authenticate again when revisiting the portal. An attacker can exploit this: if access is gained to the user's machine, the intruder can use the still-active session to reach the user's data stored on the server and subsequently inflict damage. Sessions should therefore be terminated on logout and after a period of inactivity.
Weak Password Policy
Allowing users to set weak passwords is not ideal: a weak password can be guessed easily, giving an attacker access. Applications must enforce a strong password policy to keep out illegitimate users. Requiring a hard-to-guess password reduces the possibility of password theft.
Enabling Auto-Complete Feature
Enabling the auto-complete feature makes the browser fill in form fields automatically. Some of that stored data may be sensitive, however. If a person with malicious intent gains access to a user's browser, he/she can obtain the sensitive information that the browser auto-populates, so auto-complete should be disabled on sensitive fields.
Clickjacking
The malpractice of tricking users into performing an activity other than the one they intended is known as clickjacking. Such activities are used for malicious purposes such as stealing money from a user's bank account. Attackers make use of a user-interface element called an iframe to carry out this activity; an iframe allows one web page to be displayed within another.
Allowing Simultaneous Logins
Many applications allow users to log in from multiple machines simultaneously. This facility is convenient for users but can lead to a security breach: a person who obtains the session URL and other device-specific information can gain access to the application with it.
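Server-side checks for the five controls discussed above (session termination, password policy, auto-complete, clickjacking, simultaneous logins), as an added Python example that is not part of the original article. The timeout value, the password rules and the in-memory session store are constructed assumptions, not values from the article.

```python
import re

# Assumed policy values for this example (not from the article).
IDLE_TIMEOUT_SECONDS = 15 * 60
MIN_PASSWORD_LENGTH = 12


def session_is_valid(session, now):
    """Terminating User Session: usable only if not explicitly terminated
    (logout) and not idle past the limit. `session` holds a 'last_seen' stamp."""
    if session.get("terminated"):
        return False
    return now - session["last_seen"] <= IDLE_TIMEOUT_SECONDS


def password_policy_failures(password):
    """Weak Password Policy: return the names of the rules a candidate
    password violates; an empty list means the password is acceptable."""
    rules = {
        "min_length": len(password) >= MIN_PASSWORD_LENGTH,
        "has_upper": re.search(r"[A-Z]", password) is not None,
        "has_lower": re.search(r"[a-z]", password) is not None,
        "has_digit": re.search(r"[0-9]", password) is not None,
        "has_symbol": re.search(r"[^A-Za-z0-9]", password) is not None,
    }
    return [name for name, ok in rules.items() if not ok]


def sensitive_input_html(name):
    """Enabling Auto-Complete Feature: render a field the browser must not
    remember or prefill, so a later user of the same browser cannot read it."""
    return f'<input type="password" name="{name}" autocomplete="off">'


def anti_clickjacking_headers():
    """Clickjacking: response headers that forbid any other page from
    embedding this one in an iframe (legacy header plus the CSP directive)."""
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }


def enforce_single_session(active_sessions, user, new_session_id):
    """Allowing Simultaneous Logins: record the new session for `user` and
    return the older session ids the server must revoke (constructed store)."""
    revoked = set(active_sessions.get(user, set()))
    active_sessions[user] = {new_session_id}
    return revoked
```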