Mobile app developers are going through the same growing pains that the webdev scene went through in the '90s and 2000s, when improper input validation led to many security incidents.
But while mobile devs have learned to filter user input for dangerous strings, some of these devs have not learned their lesson very well.
Business logic on the client-side… like it’s 1999
In a research paper published earlier this year, Abner Mendoza and Guofei Gu, two academics from Texas A&M University, have highlighted the problem of current-day mobile apps that still include business logic (such as user input validation, user authentication, and authorization) inside the client-side component of their code, instead of its server-side section.
This regrettable situation leaves the users of these mobile applications vulnerable to simple HTTP request parameter injection attacks that could have been easily mitigated if an application’s business logic had been embedded inside its server-side component, where most of these operations belong.
But while leaving business logic on the client-side might sound more like an app design mistake, it is actually a big security issue. For example, an attacker can analyze a mobile app (that he installed on his device) and determine the format of the web requests sent to the mobile app’s servers after the user’s input is validated. The attacker can then modify a few parameters of these requests in order to poison the desired action.
Millions of apps potentially affected
In a research paper titled “Mobile Application Web API Reconnaissance: Web-to-Mobile Inconsistencies & Vulnerabilities,” Mendoza and Gu have recently taken a look at this ancient, yet still valid, attack vector.
The two researchers created a system named WARDroid that mass-analyzes mobile apps, determines the format of their web requests, and tries to determine if these are vulnerable to these types of attacks.
Researchers said they tested WARDroid on a set of 10,000 random popular apps from the Google Play Store.
“We detected problematic logic in APIs used in over 4,000 apps, including 1,743 apps that use unencrypted HTTP communication,” researchers said.
But since WARDroid was not a definitive indicator that the app’s communications template was vulnerable, the two researchers also manually analyzed 1,000 random apps from the ones flagged by their system, confirming that 962 used APIs with validation logic problems. Extrapolating these numbers to the whole Google Play Store, the two academics believe millions of apps might be vulnerable.
Issues found in banking and e-commerce apps
For example, some of the apps where they found problematic API logic include a banking app, where they said they were able to modify transaction details.
Similarly, they also found validation logic flaws in gift card apps that allowed them to load a test account with money to spend at various stores, and similar validation logic flaws in the communications model of apps built using the Shopify SDK. This latter flaw allowed the research team to buy products for negative prices, creating discounts inside Shopify-based mobile stores.
“You never wanna trust the client input. This is a harsh lesson that should have already been learned from the lessons on the web platform and web applications,” Mendoza said on stage while presenting his research at the 39th IEEE Symposium on Security and Privacy, held in San Francisco two weeks ago.
“This work highlights that this continues to be the problem — input validation and just being very cognisant of validating or sanitizing input,” said Mendoza, also highlighting that server-side business logic should be as strict as the client-side validation logic, if not stricter.
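
The gap between client-side and server-side validation described above, shown as an added example that is not code from the paper, WARDroid, or any vendor SDK: a server-side order total computed from client-supplied fields, next to a version that re-validates every field and takes prices only from the server. The catalogue, SKUs, field names and quantity limit are constructed for illustration.

```python
from decimal import Decimal

# Constructed server-side catalogue: the only trusted source of prices.
CATALOGUE = {"sku-100": Decimal("19.99"), "sku-200": Decimal("5.00")}
MAX_QTY = 100  # assumed business limit, the same one the app's form enforces


def total_trusting_client(order: dict) -> Decimal:
    """Weak form: assumes the app already validated price and quantity."""
    return sum(
        (Decimal(str(i["price"])) * i["qty"] for i in order["items"]),
        Decimal("0"),
    )


def total_server_validated(order: dict) -> Decimal:
    """Hardened form: re-validates each field and prices from CATALOGUE."""
    items = order.get("items")
    if not isinstance(items, list) or not items:
        raise ValueError("order must contain at least one item")
    total = Decimal("0")
    for item in items:
        if not isinstance(item, dict):
            raise ValueError("malformed item")
        sku, qty = item.get("sku"), item.get("qty")
        if not isinstance(sku, str) or sku not in CATALOGUE:
            raise ValueError(f"unknown sku: {sku!r}")
        # bool is a subclass of int, so it is excluded explicitly.
        if isinstance(qty, bool) or not isinstance(qty, int):
            raise ValueError(f"quantity must be an integer: {qty!r}")
        if not 1 <= qty <= MAX_QTY:
            raise ValueError(f"quantity out of range: {qty!r}")
        # Any client-supplied "price" field is ignored on purpose.
        total += CATALOGUE[sku] * qty
    return total


# Constructed requests: what the app sends, and the same request with
# parameters changed after the client-side checks have run.
HONEST = {"items": [{"sku": "sku-100", "price": "19.99", "qty": 2}]}
TAMPERED = {"items": [{"sku": "sku-100", "price": "-19.99", "qty": 2}]}
NEG_QTY = {"items": [{"sku": "sku-200", "price": "5.00", "qty": -3}]}
```

For the tampered request the weak function returns a negative total, while the validated one returns the catalogue total and rejects the negative quantity outright.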