Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs: security edits #92

Merged
merged 8 commits into from
Jan 27, 2025
Merged
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
wip: edit document
jolexxa committed Jan 22, 2025

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
commit ecd4ccd6c4ca0ea48e9e1f521f2a97457ffbbb50
24 changes: 19 additions & 5 deletions cspell.json
Original file line number Diff line number Diff line change
@@ -1,17 +1,28 @@
{
"$schema": "https://raw.githubusercontent.com/streetsidesoftware/cspell/main/cspell.schema.json",
"version": "0.2",
"ignorePaths": ["node_modules/**", ".**/"],
"files": ["**/*.md", "**/*.mdx", "**/*.tsx", "**/*.ts", "**/*.json"],
"ignorePaths": [
"node_modules/**",
".**/"
],
"files": [
"**/*.md",
"**/*.mdx",
"**/*.tsx",
"**/*.ts",
"**/*.json"
],
"words": [
"ABAP",
"Abuild",
"Agda",
"AMPL",
"ANTLR",
"Approov",
"astro",
"astrojs",
"Augeas",
"Backdoors",
"Batchfile",
"Befunge",
"Bidirectionality",
@@ -20,6 +31,7 @@
"Carto",
"Cirru",
"Codemagic",
"codesigning",
"Crunscript",
"Csound",
"Cuda",
@@ -34,10 +46,10 @@
"Eclass",
"Filebench",
"Filterscript",
"fontsource",
"Firestore",
"Formz",
"fontsource",
"formz",
"Formz",
"Frege",
"gaugecomponent",
"Genshi",
@@ -54,19 +66,21 @@
"Ioke",
"Ishida",
"Jailbreaking",
"Jailbroken",
"Jasmin",
"Jison",
"Jolie",
"Keyloggers",
"laboratoria",
"Linx",
"listview",
"listviews",
"Logtalk",
"LOLCODE",
"Mathematica",
"MASTG",
"MASVS",
"MASWE",
"Mathematica",
"mdlint",
"merch",
"Mirah",
205 changes: 98 additions & 107 deletions src/content/docs/security/security_in_mobile_apps.mdx
Original file line number Diff line number Diff line change
@@ -3,186 +3,177 @@ title: Security in Mobile Apps
description: Mobile app security threats and how to protect your app using OWASP Mobile's 10 best practices.
---

Mobile app security is a critical concern for developers and users alike. The [Open Web Application Security Project (OWASP)](https://owasp.org/) Mobile Security Project provides a comprehensive guide to the top 10 security risks for mobile apps. This article will cover the top 10 security threats and how to protect your app using OWASP Mobile's best practices.
But first let's take a look at the common mobile app security threats.
Mobile app security is a critical concern for developers and users alike. The [Open Web Application Security Project (OWASP)](https://owasp.org/) maintains industry-accepted mobile application security guidelines that should be followed when building multiplatform mobile applications.

:::danger
By far, the most common security threat is **social engineering**. Be sure to educate your team and create well-defined trust structures which require face-to-face confirmation for any proposed changes that affect security.
:::

## Common Mobile App Security Threats

- **Social Engineering**: is a manipulation tactic that exploits human error to gain unauthorized access to private information, systems, or valuables. In cybercrime, it involves deceiving users into revealing data, spreading malware, or granting access to restricted systems.

- **Malware**: Malicious software intentionally designed to harm, exploit, or compromise a mobile device, its data, or the user. Mobile app malware can take various forms, often disguised as legitimate apps or embedded within apps to deceive users into installing it on their devices.

- Trojan
- Trojans
- Spyware
- Adware
- Ransomware
- Banking Malware
- Keylogger
- Keyloggers
- Rooting/Jailbreaking Tools
- Worms
- Backdoor

and more.
- Backdoors

- **Phishing**: In a mobile app, it is a deceptive attempt by malicious actors to trick users into revealing sensitive information, such as login credentials, financial details, or personal data, through fraudulent means. Phishing typically relies on social engineering techniques to exploit user trust and manipulate users into taking actions that compromise their security.
- **Man in the middle attacks (MitM)**: Interception of communication between mobile apps and APIs, allowing attackers to eavesdrop or modify data
- **Phishing**: a deceptive attempt by malicious actors to trick users into revealing sensitive information such as login credentials, financial details, or personal data through fraudulent means. Phishing typically relies on **social engineering techniques** to exploit user trust and **manipulate users into taking actions that compromise their security.**
- **Man in the middle attacks (MitM)**: intercepting communication between mobile apps and servers, allowing attackers to eavesdrop or modify data.
- **Data breaches:** Unauthorized access leads to the exposure of sensitive user data. Risks include personal information (PII), credentials, and financial data.
- **Authentication attacks**: in a mobile app are attempts by malicious actors to exploit vulnerabilities in the app's authentication mechanisms to gain unauthorized access to user accounts, sensitive data, or application functionality. These attacks target flaws in how the app verifies the identity of its users or systems.
- **Authentication attacks**: attempts by malicious actors to exploit vulnerabilities in the app's authentication mechanisms to gain unauthorized access to user accounts, sensitive data, or application functionality. These attacks target flaws in how the app verifies the identity of its users or systems.
- Credential Stuffing
- Brute Force Attacks
- Phishing Attacks
- Session Hijacking
- Man-in-the-Middle (MitM) Attacks
- Password Reset Exploits
- _OAuth and Token-Based Attacks_: Attackers exploit vulnerabilities in OAuth flows or misconfigure token handling to gain unauthorized access.
- **Code tampering**: Unauthorized modification of the mobile app's code, potentially leading to functionality alterations or the injection of malicious code.
- **Reverse engineering**: Extraction of source code or sensitive information from the mobile app, often to create fake versions.
- **API Security risks**: Inadequate protection of APIs, leading to vulnerabilities such as unauthorized access, injection attacks, and data exposure.
- **Insecure data storage**: Weak encryption or improper storage of sensitive data on the device, making it vulnerable to unauthorized access.
- OAuth and Token-Based Attacks: Attackers exploit vulnerabilities in OAuth flows or misconfigure token handling to gain unauthorized access.
- **Code tampering**: Unauthorized modification of the mobile app's code, potentially leading to alterations in functionality or the injection of malicious code.
- **Reverse engineering**: Extraction of source code or sensitive information from the mobile app, often to create fake versions of the app.
- **Insufficient API Security**: Inadequate protection of APIs, leading to vulnerabilities such as unauthorized access, injection attacks, and data exposure.
- **Insecure Data Storage**: Weak encryption or improper storage of sensitive data on the device, making it vulnerable to unauthorized access.
- **Insufficient Transport Layer Protection:** Lack of proper TLS encryption during data transmission, exposing information to interception and manipulation.
- **Denial of Service (DoS) Attacks:** Overwhelming a mobile app or API with traffic disrupts its availability, causing service downtime.
- **Unsecured Third-Party Libraries:** Integration of insecure or outdated third-party libraries, introducing potential vulnerabilities into the mobile app.
- **Unsecured Third-Party Libraries:** Integration of insecure or outdated third-party libraries which introduce vulnerabilities into the mobile app.
- **Poorly Implemented Multi-Factor Authentication (MFA):** Inadequate implementation of MFA, allowing attackers to bypass additional authentication measures.
- **Supply Chain Attacks:** Compromising the security of a mobile app or API through vulnerabilities in its supply chain, including third-party services or components.
- **Social Engineering**: is a manipulation tactic that exploits human error to gain unauthorized access to private information, systems, or valuables. In cybercrime, it involves deceiving users into revealing data, spreading malware, or granting access to restricted systems.

And more.

## OWASP (Open Worldwide Application Security Project)
## OWASP Guidelines

The **Open Worldwide Application Security Project (OWASP)** is a globally recognized nonprofit organization dedicated to improving the security of software and web applications. Established in 2001, OWASP provides resources, tools, and best practices to help developers, organizations, and security professionals build secure applications and address vulnerabilities effectively.

### Importance of OWASP

- **Promotes Secure Development**: Encourages developers to integrate security practices from the ground up.
- **Universal Accessibility**: Resources are open-source and widely adopted across industries.
- **Standardization**: Sets benchmarks for assessing and improving application security.
- **Collaboration**: Facilitates knowledge sharing among global security professionals.

### OWASP Mobile Top 10 Security Risks in 2024

The OWASP Mobile Top 10 is a list of the most critical security risks for mobile apps, updated periodically to reflect emerging threats and trends. The latest version, OWASP Mobile Top 10 2024, highlights the following risks:
The OWASP Mobile Top 10 is a list of the most critical security risks for mobile apps and is updated periodically to reflect emerging threats and trends.

The latest version, OWASP Mobile Top 10 2024, highlights the following risks:

![OWASP comparison 2016 vs 2024](./images/owasp_comparison.png)
_Source_: [OWASP Mobile Top 10 2024](https://owasp.org/www-project-mobile-top-10/)

- **M1: Improper Credential Usage**: Threat agents can exploit hardcoded credentials or improper credential usage in mobile applications by using automated tools, either publicly available or custom-built. These vulnerabilities make it easier for attackers to locate and exploit the credentials or weaknesses in their implementation.

- **How to prevent it?**:
- Avoid hardcoding credentials in the app's code or configuration files.
- Implement secure credential storage mechanisms, such as the Android Keystore or iOS Keychain or use revocable tokens.
- Use strong encryption and hashing algorithms during credential storage and transmission.
- Avoid weak authentication mechanisms, such as weak passwords or insecure authentication flows.
#### Improper Credential Usage

Dart-crypt is an interesting package to hashing passwords in Dart. You can find more information about Dart-crypt.
Threat agents can exploit hardcoded credentials or improper credential usage in mobile applications by using automated tools, either publicly available or custom-built.

- [Dart-crypt](https://github.com/hoylen/dart-crypt)
:::danger
If your app requires access to sensitive API's, **you must not include those API keys in the front-end of your app.**

Use Firebase Authentication for a more secure authentication system. You can find more information in the official documentation.
It is impossible to secure any credentials that are shipped with an application, since **the compiled code for front-end applications is subject to reverse engineering** (no matter how clever you think you are).

- [Firebase Authentication](https://firebase.google.com/docs/auth)
Instead of shipping sensitive API keys in your app, create a microservice or cloud function which stores the API key securely in your backend (or leverage services like [Approov](https://approov.io/)). Yes, it's extra work — but it's mandatory for sensitive endpoints.
:::

Here you have another interesting article that talks about authentication in Flutter.
:::tip
- , Use the Android Keystore or iOS Keychain to store sensitive user information.
Copy link
Contributor

@AnnaPS AnnaPS Jan 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you can delete this ,

- Use strong encryption and hashing algorithms during credential storage and transmission.
- Avoid weak authentication mechanisms, including common/weak passwords or insecure authentication flows.
:::

- [Flutter authentication with Auth0](https://developer.auth0.com/resources/guides/mobile/flutter/basic-authentication/)
[Dart-crypt](https://github.com/hoylen/dart-crypt) allows you to salt and hash passwords easily.

More information on _M1: Improper Credential Usage_ [here.](https://owasp.org/www-project-mobile-top-10/2023-risks/m1-improper-credential-usage.html)
[Firebase Authentication](https://firebase.google.com/docs/auth) handles a wide variety of common security considerations and eliminates the need for highly sophisticated authentication for small to mid-size projects.

- **M2: Inadequate Supply Chain Security**: Attackers can exploit vulnerabilities in the mobile app supply chain, such as inserting malicious code during development or exploiting flaws in third-party libraries, SDKs, or hardcoded credentials. These actions can lead to data theft, user surveillance, unauthorized access to backend servers, denial of service, or full control over the app or device.
There's also a [Flutter-specific guide to Auth0](https://developer.auth0.com/resources/guides/mobile/flutter/basic-authentication/) if you're leveraging that in your application.

- **How to prevent it?**:
- Apply secure coding, code review, and testing throughout development.
- Ensure secure app signing and distribution to block malicious actors.
- Use trusted, validated third-party libraries to minimize risks.
- Implement security controls for updates and patches to address
vulnerabilities.
- Monitor and detect supply chain incidents with testing and scanning for timely responses.
For more information on _Improper Credential Usage_, [refer to the OWASP guide](https://owasp.org/www-project-mobile-top-10/2023-risks/m1-improper-credential-usage.html).

You can check the **Software supply chain security for Flutter and its ecosystem** video from the Flutter Forward 2023 conference.
#### Inadequate Supply Chain Security

- [Software supply chain security for Flutter and its ecosystem](https://www.youtube.com/watch?v=7LFftXcw1jA)
Attackers can exploit vulnerabilities in the mobile app supply chain, such as inserting malicious code during development or exploiting flaws in third-party libraries, SDKs, or hardcoded credentials.

Also, check it out the **SLSA** (Supply Chain Levels for Software Artifacts)security framework, which is a check-list of standards and controls to prevent supply chain attacks.
:::tip
- Leverage human-led code review (with automated tests, checks and analyzers).
- Ensure secure app signing and distribution to block malicious actors. Services like [Codemagic](https://codemagic.io/) can drastically simplify the code-signing process.
- Use trusted, validated third-party libraries to minimize risks.
- Implement a process that requires both a human and an automated vulnerability checker (such as dependabot) to review package updates and patches in your codebase.
- Stay up-to-date on supply chain incidents and open source package vulnerabilities.
- Carefully scan pull requests on your open source projects — many open source projects have accidentally merged malicious code by accident.
:::

- [SLSA](https://slsa.dev/)
You can check the [Software supply chain security for Flutter and its ecosystem video](https://www.youtube.com/watch?v=7LFftXcw1jA) from the Flutter Forward 2023 conference.

More information on _M2: Inadequate Supply Chain Security_ [here.](https://owasp.org/www-project-mobile-top-10/2023-risks/m2-inadequate-supply-chain-security.html)
The [**SLSA** (Supply Chain Levels for Software Artifacts) security framework](https://slsa.dev/) maintains a check-list of standards and controls to prevent supply chain attacks.

- **M3: Insecure Authentication/Authorization**: Threat agents that exploit authentication and authorization vulnerabilities typically do so through automated attacks that use available or custom-built tools.
For more information on _Inadequate Supply Chain Security_, [refer to the OWASP guide.](https://owasp.org/www-project-mobile-top-10/2023-risks/m2-inadequate-supply-chain-security.html)

- **How to prevent it?**:
These are only a few of the many ways to prevent this threat:
- Use server-side authentication; avoid client-side methods to prevent bypasses.
- Encrypt local data if needed, but mitigate risks of binary attacks.
- Implement device-specific tokens instead of storing passwords or using weak identifiers.
- Make persistent authentication opt-in, and avoid weak PINs for passwords.
- Enforce all controls server-side; assume client-side can be bypassed.
- Use biometrics (FaceID, TouchID) for secure access to sensitive data.
- Perform local integrity checks if offline functionality is necessary.
#### Insecure Authentication/Authorization

This is an interesting article that talks about encryption and decryption in Flutter.
Threat agents that exploit authentication and authorization vulnerabilities typically do so through automated attacks that use available or custom-built tools.

- [Encryption and Decryption in Flutter](https://medium.com/@laithalsahore19/explore-encrypt-decrypt-data-in-flutter-e1e64c86b0ee)

Use **local auth** package to add biometrics to the app.
:::tip
- Use server-side authentication.
- Encrypt local data.
- Use device-specific tokens instead of storing passwords or using weak identifiers.
- Make persistent authentication opt-in.
- Avoid weak PINs for passwords.
- Enforce all controls server-side; assume client-side can be bypassed.
- Use biometrics (FaceID, TouchID) for secure access to sensitive data.
- Perform local integrity checks if offline functionality is necessary.
:::

- [Local Auth](https://pub.dev/packages/local_auth)
For more on data safety, check out the [Encryption and Decryption in Flutter](https://medium.com/@laithalsahore19/explore-encrypt-decrypt-data-in-flutter-e1e64c86b0ee) overview.

More information on _M3: Insecure Authentication/Authorization_ [here.](https://owasp.org/www-project-mobile-top-10/2023-risks/m3-insecure-authentication-authorization.html)
You can also use [Local Auth](https://pub.dev/packages/local_auth) to integrate biometric authentication.

- **M4: Insufficient Input/Output Validation**: insufficient validation and sanitization of user inputs or network data in mobile apps can lead to critical vulnerabilities, including SQL injection, command injection, and XSS attacks. These flaws may enable unauthorized data access, app manipulation, system compromise, data corruption, or malicious code injection, posing significant security risks.
For more information on _Insecure Authentication/Authorization_, [refer to the OWASP guide](https://owasp.org/www-project-mobile-top-10/2023-risks/m3-insecure-authentication-authorization.html).

- **How to prevent it?**:
- **Input Validation**: Use strict validation, set length limits, and reject unexpected or malicious input.
- **Output Sanitization**: Sanitize output to prevent XSS (cross-site scripting) and use encoding for displayed or transmitted data.
- **Context-Specific Validation**: Adapt validation to the context of the data, such as database loads or queries, to block targeted attacks.
- **Data Integrity Checks**: Detect and prevent data corruption or unauthorized changes.
- **Secure Coding**: Use practices like parameterized queries to block SQL injection.
- **Regular Testing**: Conduct penetration testing and code reviews to find and fix vulnerabilities.
#### Insufficient Input/Output Validation

Use the **formz** package to validate forms in Flutter and prevent incorrect data to be sent to the backend.
Insufficient validation and sanitization of user inputs or network data in mobile apps can lead to critical vulnerabilities, including SQL injection, command injection, and XSS attacks.

- [Formz](https://pub.dev/packages/formz)
:::tip
- Use strict input validation, set length limits, and reject unexpected or malicious input.
- Sanitize output to prevent XSS (cross-site scripting).
- Use parameterized queries to block SQL injection.
- Work with external security vendors which can evaluate and test your application and its servers.
:::

Use persist data with SQLite to prevent SQL Injection.
Use the [Formz](https://pub.dev/packages/formz) package to validate forms in Flutter and prevent incorrect data to be sent to the backend.

- [Persist data with SQLite](https://docs.flutter.dev/cookbook/persistence/sqlite)
For more information on _Insufficient Input/Output Validation_, [refer to the OWASP guide](https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation.html).

More information on _M4: Insufficient Input/Output Validation_ [here.](https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation.html)
#### Insecure Communication

- **M5: Insecure Communication**: mobile apps often exchange data with remote servers, creating vulnerabilities if data is sent in plaintext or with outdated encryption. Threat agents can intercept or modify data, aiming for theft, espionage, or identity fraud. Key threats include:
Threat agents can intercept or modify insecure communications transferred between an app and the server.

- Adversaries on the same local network (e.g., compromised Wi-Fi).
- Unauthorized network devices (e.g. malicious routers or proxy servers).
- Malware on the mobile device itself.
When creating an app, assume threats can originate from any of the following:

- **How to prevent it?**:
- **Assume an Unsecure Network Layer**: Always secure transport channels against eavesdropping.
- **Use SSL/TLS**: Apply SSL/TLS for all data transmissions to backend services and third-party entities, avoiding mixed SSL sessions.
- **Use Trusted Certificates**: Implement certificates signed by trusted CAs and never allow untrusted, expired, or mismatched certificates.
- **Strong Encryption**: Use industry-standard cipher suites with appropriate key lengths.
- **Certificate Pinning**: Consider pinning certificates and always require SSL chain verification.
- **Server Authentication**: Verify endpoint server identities using trusted certificates before establishing connections.
- **User Alerts**: Notify users of invalid certificates through the app’s UI.
- **Secondary Encryption**: Encrypt sensitive data before sending it over SSL for additional protection.
- **Avoid Alternate Channels**: Never transmit sensitive data via SMS, MMS, or notifications.
- **Development Practices**: Use local development CAs and avoid disabling SSL verification.
- **Traffic Analysis**: During security testing, check for plaintext data transmission vulnerabilities.
- Adversaries on the same local network (compromised Wi-Fi).
- Unauthorized network devices (malicious routers or proxy servers).
- Malware on the mobile device itself.

If you're using Firebase, you can implement App Check to protect your backend from unauthorized clients accessing it. Learn more in the official documentation.
:::tip
- Use SSL/TLS for all data transmissions to backend services and third-party entities and avoid mixed SSL sessions.
- Only accept certificates signed by trusted certificate authorities (CA's) and never allow expired or mismatched certificates.
- Use current, industry accepted encryption algorithms with appropriate key lengths (AES-128 is a good start). Encryption algorithms are subject to mathematical analysis: some older algorithms have been identified by mathematicians and experts as being easier to exploit.
- Pin certificates and require SSL chain verification.
- Never transmit sensitive data via unencrypted channels (like SMS or via push notifications).
- During security testing, conduct traffic analysis to verify no plaintext data transmissions.
:::

- [Firebase App Check](https://firebase.google.com/docs/app-check)
If you're using Firebase, you can implement [Firebase App Check](https://firebase.google.com/docs/app-check) to protect your backend from unauthorized clients accessing it.

This article explains how to add SSL certificate pinning to a Flutter app.
For more on certificates, see [SSL Certificate Pinning in Flutter](https://dwirandyh.medium.com/securing-your-flutter-app-by-adding-ssl-pinning-474722e38518).

- [SSL Certificate Pinning in Flutter](https://dwirandyh.medium.com/securing-your-flutter-app-by-adding-ssl-pinning-474722e38518)
You may also use a package called [Http Certificate Pinning package](https://pub.dev/packages/http_certificate_pinning) to add certificate pinning to your app.

Also you can use a popular package called **http certificate pinning** to add certificate pinning to your app.
For more information on _Insecure Communication_, [refer to the OWASP guide](https://owasp.org/www-project-mobile-top-10/2023-risks/m5-insecure-communication.html).

- [Http Certificate Pinning package](https://pub.dev/packages/http_certificate_pinning)
#### Inadequate Privacy Controls

More information on _M5: Insecure Communication_ [here.](https://owasp.org/www-project-mobile-top-10/2023-risks/m5-insecure-communication.html)
Privacy controls are concerned with protecting personally identifiable information (PII), such as names and addresses, credit card information, email and IP addresses, health information, religion, sexuality, and political opinions.

- **M6: Inadequate Privacy Controls**: Privacy controls are concerned with protecting personally identifiable information (PII), such as names and addresses, credit card information, email and IP addresses, health information, religion, sexuality, and political opinions.
This information is valuable to attackers for a number of reasons. For example, an attacker could impersonate the victim to commit fraud, misuse the victim's payment details, blackmail the victim with sensitive information, or harm the victim by destroying or tampering with their critical data.
This information is valuable to attackers for a number of reasons. For example, an attacker could impersonate the victim to commit fraud, misuse the victim's payment details, blackmail the victim with sensitive information, or harm the victim by destroying or tampering with their critical data.

- **How to prevent it?**:
The best way to prevent privacy violations is to minimize the collection and processing of Personally Identifiable Information (PII). This requires a full understanding of the app's PII usage.