Things Our Developers (Don't) Do!

Missing Culture of Security

...in programming world

1. Trusting 3rd Party Libraries

The Mechanism

Victim?

It affected those 3rd-party applications that used "Sign in with Apple" without implementing their own additional security measures

Damage?

A full account takeover of user accounts was possible on these 3rd-party applications irrespective of whether victim had a valid Apple ID or not

Learning!

Do not trust external entities

2. Insecure Authorization (API)

Learning!

Implement server-side authorisation checks to identify and block unauthorised requests from non-privileged user accounts

3. Insecure  Authorization (AWS)

The Mechanism

Feature...

"Amazon Cognito supports unauthenticated identities. If your application allows customers to use the application without logging in, you can enable access for unauthenticated identities."

Flaw?

Each AWS Cognito identity pool that is configured with an unauthenticated role could potentially be vulnerable to  breaches affecting least privilege principle, allowing unauthorised users access to potentially sensitive and private information stored in AWS services

List of AWS services potentially accessible by unauthenticated users

Learning!

Always follow the least privilege principle when configuring IAM roles, i.e., each AWS Cognito role should have the smallest set of AWS permissions required to perform respective user actions

4. Improper API Rate Limiting

Expectation?

If you hit a rate limit, it's expected that you back off from making requests and try again later when you're permitted to do so. Failure to do so may result in the banning of your app.

Reality!

  • X-RateLimit-Reset response header was missing
  • X-RateLimit-Remaining response header was getting reset to higher value unexpectedly
  • As good as not having rate limiting

Learning!

Implement API rate limiting checks effectively so that brute force attacks could be prevented

5. Improper App Hardening

Attack?

  1. Attackers attempt to reverse-engineer your mobile app
  2. Attackers try to intercept communication between the server and the app

Protection!

  • Root and Jailbreak detection
  • Emulator detection
  • Obfuscation
  • Encryption
  • Certificate pinning
  • Tamper prevention
  • etc.

Reverse Engineer

Intercept Calls to SSL Libraries

Learning!

  1. Disallow app installation if a rooted/jailbroken device is detected
  2. Ensure strong anti-tamper and obfuscation systems are in place

6. Sensitive Files in App Bundle

Extract Bundled Resources

Learning!

Do not ship sensitive files in app bundles

7. Miscellaneous!!

Hardcoded Secrcets

Plaintext data in SQLite database

Leftovers in Cache files

And, the list goes on...

Things Our Developers (Don't) Do!

By Riddhi Shree Chaurasia

Things Our Developers (Don't) Do!

  • 1,156