Mobile developers make the same mistake as web developers in the early 2000s

Although they learned how to filter out dangerous strings from user input, some still make mistakes.

Mobile application developers are now going through the same 'painful times' that web developers went through in the 1990s and 2000s, when weak validation of input data led to many security issues. Although web developers learned how to filter dangerous strings out of user input, some mobile developers still repeat the mistake.

Client-side business logic, as in 1999

New research published by two researchers from Texas A&M University shows that a problem many mobile applications share today lies in their business logic (validation of input data, authentication of users, and similar checks): it is implemented in the client-side components of the code, not on the server side.

This leaves the users of many mobile applications vulnerable to even simple attacks, such as injecting malicious content into HTTP requests, which could be easily mitigated if the application's business logic were implemented in the server-side component.

This is not only a design error but a bug affecting the security of mobile applications

Leaving the business logic on the client side sounds like a design error, but it is actually a serious security issue. For example, if an attacker can analyze a mobile application, they can determine the format of the web request the application sends to its server after the user's input has been validated. It is then possible to edit the parameters of that request and have the server act on values the app itself would never have sent.
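The mitigation the article points to is that the server must not rely on checks performed in the app. The following is an added example written for this page, not code from the article or from the WARDroid project: a small purchase handler in the style of a mobile backend API. The catalogue, the request dictionaries and the field names (`sku`, `quantity`, `price_cents`) are constructed for illustration. The first handler assumes the app already validated the input and uses the client-supplied price and quantity directly; the second re-validates every field on the server and takes the price from server-side state, so the same request with edited parameters no longer changes the outcome.

```python
# Added example (not from the article or the WARDroid project): a purchase API
# handler that re-validates every field server-side, so that a request whose
# parameters were altered after the app's client-side checks is still rejected.
from dataclasses import dataclass

# Constructed server-side catalogue; the price is authoritative here and is
# never taken from the request. Prices are in cents.
CATALOG = {"sku-100": 1999, "sku-200": 4999}
MAX_QTY = 10


@dataclass
class Order:
    sku: str
    quantity: int
    total_cents: int


class ValidationError(ValueError):
    """Raised when a request fails server-side validation."""


def handle_purchase_trusting_client(req: dict) -> Order:
    """Anti-pattern: the server assumes the app already validated the input
    and multiplies the client-supplied quantity by the client-supplied price."""
    return Order(req["sku"], req["quantity"], req["quantity"] * req["price_cents"])


def handle_purchase(req: dict) -> Order:
    """Business logic on the server: every field is type-checked, bounded and
    looked up against server-side state before it is used."""
    sku = req.get("sku")
    if not isinstance(sku, str) or sku not in CATALOG:
        raise ValidationError("unknown sku")
    qty = req.get("quantity")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if not isinstance(qty, int) or isinstance(qty, bool) or not 1 <= qty <= MAX_QTY:
        raise ValidationError("quantity out of range")
    # Any price the client sends is ignored; the catalogue is the source of truth.
    unit_price = CATALOG[sku]
    return Order(sku, qty, qty * unit_price)


# Constructed requests: the first is what the app sends after its own checks;
# the others are the same request replayed with edited parameters.
GOOD_REQUEST = {"sku": "sku-100", "quantity": 2, "price_cents": 1999}
TAMPERED_PRICE_REQUEST = {"sku": "sku-100", "quantity": 2, "price_cents": 1}
NEGATIVE_QTY_REQUEST = {"sku": "sku-200", "quantity": -5, "price_cents": 4999}


def demo() -> dict:
    """Run both handlers over the constructed requests and collect the outcomes."""
    results = {
        "trusting_total": handle_purchase_trusting_client(TAMPERED_PRICE_REQUEST).total_cents,
        "hardened_total": handle_purchase(TAMPERED_PRICE_REQUEST).total_cents,
    }
    try:
        handle_purchase(NEGATIVE_QTY_REQUEST)
        results["negative_qty"] = "accepted"
    except ValidationError as err:
        results["negative_qty"] = str(err)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of `handle_purchase` is that nothing in the request is trusted on its own: identifiers are checked against server data, numeric fields are type- and range-checked, and values the client has no business setting (the price) are simply not read. Client-side validation in the app is still useful for user experience, but only the server-side copy of the logic has any security value.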

Millions of applications are at risk

The two researchers built a system called WARDroid that analyzes a range of mobile applications to determine the format of their web requests and whether those requests are vulnerable to this type of attack. WARDroid checked a random sample of 10,000 applications from the Google Play Store and 'detected API errors in more than 4,000 applications, including 1,743 applications using unencrypted HTTP protocols'.

WARDroid cannot on its own confirm that a flagged communication pattern is actually exploitable, so the two researchers manually analyzed a random sample of 1,000 of the flagged applications and confirmed that 962 of them use an API containing a logic error. If the analysis were extended to the whole Play Store, they believe the number would be higher.
