Mobile application security - (not)Unique experience

Mobile application security

In 2022, our team discovered 216 vulnerabilities during studies of 25 pairs of apps for Android and iOS platforms. The storage of user data in clear text accounted for the largest share of vulnerabilities (14%). Despite the efforts of operation system developers and secure application development communities, this class of vulnerability has continued to be the most prevalent for several years in a row. This trend will remain relevant in 2023, although it is now very simple to use cryptography in mobile applications: both vendor and open-source solutions make working with cryptographic primitives easier for developers. Vulnerabilities related to application integrity checks and storing confidential information in the code shared second place, with 9% each. Third place (8%) was taken by vulnerabilities related to untrusted environment checks.

If the above vulnerabilities can be found in an application, this indicates that the developers are not strict enough when controlling the integrity of their applications and execution environment. If we add to this the lack of good code obfuscation (we found this combination in 36% of the applications we studied in 2022), this creates a favorable situation for attackers: it becomes very easy to conduct qualitative analysis, which, in turn, makes it simpler to create bots, clones and trojans targeting specific products.

The number of vulnerabilities has decreased

The most curious trend of 2022 was that certain vulnerability classes were absent in applications. For example, developers no longer store cryptographic keys in the file system and don’t allow errors that make it possible to traverse directories (Path Traversal). We encountered the vulnerability related to insecurely sending implicit inter-process messages only once in 2022, down from the six cases we found in the year prior. This is due to the fact that developers have begun to apply good architectural practices more often, significantly reducing the attack surface of applications and even completely neutralizing some types of vulnerabilities. For example, in Android applications using the Single Activity approach there is only one activity, which significantly reduces the number of possible entry points. This approach makes it easier for developers to control and secure application entry points. We expect this positive trend to get stronger in 2023.

New versions of operating systems also help application developers: more granular permissions are being introduced for performing system operations and a number of permissions can be requested each time. For example, now you don’t need to permanently give the application permission to access your geolocation.

Fake apps are the scourge of 2022-2023

In the past year, the problem of cloned and fake apps reached a new level. The mobile applications of many companies were removed from official stores, so users had to look for them on other sites. Attackers did not fail to take advantage of this and began to actively spread fake applications. Another interesting point: in order to install an application from a third-party source on your smartphone, you need to enable the corresponding function (downloading from non-official stores is prohibited by default by Android and iOS developers). Previously, attackers tricked users into activating it; now users are forced to give installation permission on their own, and it’s often impossible to be sure that an application is the original when downloading from an unknown source. For example, scammers can modify the application of a well-known bank and steal the password from a personal account. The situation was exacerbated by the mobile application developers themselves when they began to place their apps in official stores under new names and on behalf of different companies . From then on, it became even more difficult to understand which products are legitimate and which are not. In our view, the creation of fake apps will remain one of the top cyberthreats in 2023.

Domestic app stores enter the arena

The launch of Russian app stores designed to replace Google Play and the App Store was another enforced trend in 2022. Attracting users and gaining their trust won’t be an easy task. Participating in bug bounty programs and cooperating with communities of information security specialists can help with this. The main problem with domestic stores is that they are in fact just ordinary user applications without any special rights in the system. As a result, it’s necessary to give the same permission as when installing an application from an untrusted source. This permission poses the greatest danger for Android versions below 9 (Pie), because it is issued to the entire system at once. In version 9, this has changed, and now the right to install can be given to each specific application separately. This means you can grant permission to the installed app store and then only it will be able to install from untrusted sources. This approach somewhat reduces the attack surface. As we see it, cooperation between the developers of domestic stores and operating system suppliers could solve the problem. It’s possible that the first integrations with Chinese vendors will start to appear in 2023. Another option is to create a domestic operating system in which such app stores would be installed in the system by default.

It’s time to systematize vulnerabilities in mobile applications

Global trends in mobile app vulnerabilities continue to surprise us year after year: WhatsApp integer overflow ( CVE-2022-36934, CVE-2022-27492), TikTok account takeover via deeplink (CVE-2022-28799) and a similar link processing issue at Zoom (CVE-2022-28763). In addition, researchers were able to hack Tesla by conducting an MITM attack on the Bluetooth Low Energy connection between a car and the mobile app (CVE-2022-37709). This list of incidents is just a small part of what became publicly known in 2022. It’s worth noting that these are not new types of attacks or unknown exploits, but typical vulnerabilities that we see every year. This points to one obvious conclusion: developers do not learn from their mistakes. Why? Perhaps it comes down to a lack of tools. Overall, the global information security community pays very little attention to the classification of vulnerabilities in mobile applications. The OWASP Mobile Top 10, a ranking of the most frequently encountered threats, has not been updated since 2016, while the OWASP Top 10 for web threats was updated in 2021. The top three positions in the ranking of application vulnerabilities are held by “Improper Platform Usage”, “Insecure Data Storage”, and “Insecure Communication”, which differs from the results of our application security studies in 2021 and 2022. A more recent standard, the OWASP Mobile Application Security Verification Standard (MASVS), is written from the standpoint of application testing by the developer, not by the attacker. In this regard, it has become necessary to make a classification of application vulnerabilities similar to the one that already exists for web applications.

In 2023, the problem of the lack of mobile application security analysis specialists will still be present. At the same time, the development of thematic communities, bug bounty programs (including Russian ones), and the emergence of more advanced tools will encourage the appearance on the market of more specialists in this field—and with it the strengthening of mobile application security.

See also

comments powered by Disqus