Things Our Developers (Don't) Do!
Missing Culture of Security
...in the programming world
1. Trusting 3rd Party Libraries
The Mechanism
Victim?
It affected those 3rd-party applications that used "Sign in with Apple" without implementing their own additional security measures
Damage?
A full account takeover was possible on these 3rd-party applications, irrespective of whether the victim had a valid Apple ID
Learning!
Do not blindly trust external entities: an identity assertion, token or library result coming from a third party must still be verified on your own server before it is acted on
2. Insecure Authorization (API)
Learning!
Implement server-side authorisation checks on every request, so that requests from non-privileged user accounts for privileged actions or for other users' data are identified and blocked (never rely on the client to say who it is or what it may do)
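The point of the two learnings above (trusting the client is the defect, and the check has to live on the server) in working code. This is an added example and not code from the original slides; the invoice store, session table and handler names are constructed for illustration. The vulnerable handler authenticates the caller but then trusts an invoice ID and a "role" parameter from the request; the hardened one derives identity and role from the server-side session and requires ownership or the admin role:

```python
"""Server-side authorisation for an API endpoint: vulnerable vs hardened.

Added illustration; the invoice store, session table and handler names are
constructed for this example and are not from any real application.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed data: which user owns which invoice.
INVOICES: Dict[int, Dict] = {
    101: {"owner": "alice", "amount": 120.0},
    102: {"owner": "bob", "amount": 980.0},
}

# Constructed server-side session store: session token -> authenticated user.
SESSIONS: Dict[str, Dict] = {
    "tok-alice": {"user": "alice", "role": "user"},
    "tok-bob": {"user": "bob", "role": "user"},
    "tok-carol": {"user": "carol", "role": "admin"},
}

INTERNAL_NOTES = "margin 40%"  # admin-only field, stands in for privileged data


@dataclass
class Request:
    session_token: str
    invoice_id: int
    params: Dict[str, str] = field(default_factory=dict)  # client-controlled input


def get_invoice_vulnerable(req: Request) -> Tuple[int, Dict]:
    """Authenticates the caller but never authorises the object or the role.

    Defect 1: any logged-in user can read any invoice by changing invoice_id.
    Defect 2: the privileged view is unlocked by a client-supplied 'role' param.
    """
    session = SESSIONS.get(req.session_token)
    if session is None:
        return 401, {"error": "not authenticated"}
    invoice = INVOICES.get(req.invoice_id)
    if invoice is None:
        return 404, {"error": "not found"}
    if req.params.get("role") == "admin":          # trusting the client
        return 200, {**invoice, "internal_notes": INTERNAL_NOTES}
    return 200, invoice


def get_invoice_hardened(req: Request) -> Tuple[int, Dict]:
    """Decides on the server only: identity and role come from the session,
    and the caller must own the invoice or hold the admin role."""
    session = SESSIONS.get(req.session_token)
    if session is None:
        return 401, {"error": "not authenticated"}
    invoice = INVOICES.get(req.invoice_id)
    is_admin = session["role"] == "admin"
    is_owner = invoice is not None and invoice["owner"] == session["user"]
    if invoice is None or not (is_admin or is_owner):
        # Same response for "missing" and "not yours": does not confirm the ID exists.
        return 404, {"error": "not found"}
    if is_admin:
        return 200, {**invoice, "internal_notes": INTERNAL_NOTES}
    return 200, invoice
```

Run bob's session against invoice 101: the vulnerable handler returns alice's invoice, the hardened one answers 404. Note that the hardened version returns the same 404 for "does not exist" and "not yours", so an attacker enumerating IDs learns nothing about which ones are valid.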
3. Insecure Authorization (AWS)
The Mechanism
Feature...
"Amazon Cognito supports unauthenticated identities. If your application allows customers to use the application without logging in, you can enable access for unauthenticated identities."
Flaw?
Any AWS Cognito identity pool configured with an unauthenticated role is only as safe as that role's IAM policy: if the policy grants more than the least privilege the anonymous flow needs, anyone who can reach the pool (its ID ships inside the client app) can assume the role and read potentially sensitive and private information stored in the AWS services it allows
List of AWS services potentially accessible by unauthenticated users
Learning!
Always follow the least privilege principle when configuring IAM roles, i.e., each AWS Cognito role should have the smallest set of AWS permissions required to perform respective user actions
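A small audit of the kind a reviewer can run over the policy attached to an unauthenticated role, as an added example rather than anything from the original slides or from AWS tooling. The two policy documents are constructed samples (fake account ID and bucket); the allowlist reflects what the default unauthenticated role Cognito creates permits (mobileanalytics:PutEvents and cognito-sync actions). Anything beyond that is flagged when it is a wildcard action, a mutating action, or a grant on every resource:

```python
"""Least-privilege audit of the IAM policy on a Cognito unauthenticated role.

Added illustration; the two policies are constructed samples (fake account ID
and bucket) and the rules are a starting point, not a complete IAM analyser.
"""
from typing import Dict, List

# Services an anonymous identity usually needs; anything else needs a reason.
ALLOWED_UNAUTH_SERVICES = {"mobileanalytics", "cognito-sync"}
# Action verbs treated as read-only when judging a non-allowlisted service.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Head")

# Constructed "weak" policy: the shape that exposes S3 and DynamoDB data.
WEAK_UNAUTH_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["mobileanalytics:PutEvents", "cognito-sync:*"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "dynamodb:PutItem",
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Users"},
    ],
}

# Constructed corrected policy: one read-only action on one public prefix.
CORRECTED_UNAUTH_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["mobileanalytics:PutEvents", "cognito-sync:*"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-app-public/assets/*"},
    ],
}


def _as_list(value) -> List[str]:
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_unauth_policy(policy: Dict) -> List[str]:
    """Return findings for an unauthenticated-role policy; empty means it passes."""
    findings: List[str] = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            service, _, verb = action.partition(":")
            if service != "*" and service in ALLOWED_UNAUTH_SERVICES:
                continue                      # expected for anonymous identities
            if service == "*" or verb == "*":
                findings.append(f"statement {i}: wildcard action '{action}' for anonymous callers")
                continue
            if not verb.startswith(READ_ONLY_PREFIXES):
                findings.append(f"statement {i}: mutating action '{action}' for anonymous callers")
            if "*" in resources:
                findings.append(f"statement {i}: '{action}' allowed on every resource (Resource: *)")
    return findings
```

The weak policy produces two findings (the s3 wildcard and the anonymous DynamoDB write); the corrected one produces none. In practice the same check belongs in CI over the Terraform or CloudFormation that defines the role, so a broad grant is caught before it is deployed.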
4. Improper API Rate Limiting
Expectation?
If you hit a rate limit, it's expected that you back off from making requests and try again later when you're permitted to do so. Failure to do so may result in the banning of your app.
Reality!
- X-RateLimit-Reset response header was missing
- X-RateLimit-Remaining response header was getting reset to a higher value unexpectedly
- As good as not having rate limiting
Learning!
Implement API rate limiting correctly: a server-side counter per client that only resets when the window really expires, enforced with a 429 response, and reported through consistent X-RateLimit-Limit, X-RateLimit-Remaining and X-RateLimit-Reset headers, so that brute-force attacks are actually throttled
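A limiter that behaves the way the "Expectation" above describes, as an added example (not code from the original slides). It uses a fixed window per client, never raises the Remaining count mid-window, and always sends a Reset header; the clock is injected so the mid-window and post-reset behaviour can be checked without waiting. Header names follow the slide; the class and helper names are this example's own:

```python
"""Fixed-window API rate limiter with consistent X-RateLimit-* headers.

Added illustration. The two defects on the slide (no Reset header, Remaining
climbing back up mid-window) make a limiter useless against brute force; this
one keeps a per-client counter that only resets when the window has actually
expired and reports Limit, Remaining and Reset on every response.
"""
import time
from typing import Callable, Dict, List, Tuple


class FakeClock:
    """Deterministic clock for demos and tests (constructed epoch start)."""

    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class FixedWindowRateLimiter:
    def __init__(self, limit: int, window_seconds: int,
                 clock: Callable[[], float] = time.time):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        # client id -> (window start epoch seconds, requests seen in window)
        self._state: Dict[str, Tuple[int, int]] = {}

    def check(self, client_id: str) -> Tuple[int, Dict[str, str]]:
        """Account for one request. Returns (HTTP status, headers): 200 or 429."""
        now = int(self.clock())
        window_start, count = self._state.get(client_id, (now, 0))
        if now - window_start >= self.window:
            window_start, count = now, 0      # the only place the count resets
        reset_at = window_start + self.window
        if count >= self.limit:
            headers = self._headers(0, reset_at)
            headers["Retry-After"] = str(max(1, reset_at - now))
            return 429, headers               # state unchanged: no extra credit
        count += 1
        self._state[client_id] = (window_start, count)
        return 200, self._headers(self.limit - count, reset_at)

    def _headers(self, remaining: int, reset_at: int) -> Dict[str, str]:
        return {
            "X-RateLimit-Limit": str(self.limit),
            "X-RateLimit-Remaining": str(remaining),
            "X-RateLimit-Reset": str(reset_at),   # epoch seconds, never omitted
        }


def simulate_burst(limiter: FixedWindowRateLimiter, client_id: str,
                   attempts: int) -> List[int]:
    """Statuses for `attempts` back-to-back requests, e.g. a password spray."""
    return [limiter.check(client_id)[0] for _ in range(attempts)]


if __name__ == "__main__":
    clock = FakeClock()
    limiter = FixedWindowRateLimiter(limit=5, window_seconds=60, clock=clock)
    print(simulate_burst(limiter, "10.0.0.1", 7))   # five 200s, then 429s
    clock.advance(30)
    print(limiter.check("10.0.0.1"))                 # still 429 mid-window
    clock.advance(30)
    print(limiter.check("10.0.0.1"))                 # window expired: 200 again
```

Keying the counter on the client IP alone is the simplest choice; for a login endpoint the practical key is usually the target account (or account plus IP), otherwise an attacker spreads the attempts across many source addresses.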
5. Improper App Hardening
Attack?
- Attackers attempt to reverse-engineer your mobile app
- Attackers try to intercept communication between the server and the app
Protection!
- Root and Jailbreak detection
- Emulator detection
- Obfuscation
- Encryption
- Certificate pinning
- Tamper prevention
- etc.
Reverse Engineer
Intercept Calls to SSL Libraries
Learning!
- Refuse to run, or fall back to a restricted mode, when a rooted/jailbroken device is detected (an app cannot stop its own installation; it can only decide what to do at runtime)
- Ensure strong anti-tamper and obfuscation systems are in place, remembering that all of these checks execute on a device the attacker controls: they raise the cost of reverse engineering and of hooking the SSL libraries, they do not make it impossible, so server-side controls must never depend on them
6. Sensitive Files in App Bundle
Extract Bundled Resources
Learning!
Do not ship sensitive files in app bundles
7. Miscellaneous!!
Hardcoded secrets
Plaintext data in SQLite database
Leftovers in Cache files
And, the list goes on...
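For sections 6 and 7 together (sensitive files shipped in the bundle, and hardcoded secrets and plaintext databases inside it), here is the check a reviewer runs after extracting the bundled resources, as an added example that is not part of the original slides. It builds a small APK-style zip in memory (constructed, with fake key values), then flags filenames that should never ship and greps the text entries for secret-looking strings. The filename and secret patterns are illustrative assumptions, not an exhaustive list:

```python
"""Scan an app bundle for sensitive files and hardcoded secrets.

Added illustration. The bundle is constructed in memory (fake keys, fake
config); the patterns are a starting point for a real review, not a complete
secret scanner.
"""
import io
import re
import zipfile
from typing import Dict, List

# Files that have no business inside a shipped bundle.
SENSITIVE_NAMES = re.compile(
    r"(^|/)(\.env|.*\.(pem|p12|jks|keystore|sqlite|db|bak|log))$", re.IGNORECASE)

# Secret-looking strings inside text resources (illustrative, not exhaustive).
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (RSA |EC )?PRIVATE KEY-----"),
    "generic_secret": re.compile(
        r"(?i)(api[_-]?key|secret|password)['\"]?\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{12,})"),
}

# Entries worth reading as text; binaries are only judged by their name.
TEXT_SUFFIXES = (".json", ".xml", ".properties", ".txt", ".js", ".env", ".cfg")


def build_sample_bundle(clean: bool = False) -> bytes:
    """Constructed sample bundle. With clean=True only a harmless resource ships."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if not clean:
            zf.writestr("assets/config.json",
                        '{"api_base": "https://api.example.invalid", '
                        '"api_key": "sk_live_0123456789abcdefXYZ"}')
            zf.writestr("assets/.env", "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n")
            zf.writestr("res/raw/backup.sqlite", b"SQLite format 3\x00")
        zf.writestr("assets/strings.xml", '<string name="app_name">Demo</string>')
    return buf.getvalue()


def scan_bundle(bundle: bytes) -> Dict[str, List[str]]:
    """Walk every entry: flag sensitive filenames and secrets in text content."""
    findings: Dict[str, List[str]] = {"sensitive_files": [], "secrets": []}
    with zipfile.ZipFile(io.BytesIO(bundle)) as zf:
        for name in zf.namelist():
            if SENSITIVE_NAMES.search(name):
                findings["sensitive_files"].append(name)
            if name.lower().endswith(TEXT_SUFFIXES):
                text = zf.read(name).decode("utf-8", errors="replace")
                for label, pattern in SECRET_PATTERNS.items():
                    if pattern.search(text):
                        findings["secrets"].append(f"{name}: {label}")
    return findings


if __name__ == "__main__":
    for key, items in scan_bundle(build_sample_bundle()).items():
        print(key)
        for item in items:
            print("  ", item)
```

On the constructed bundle this reports the shipped .env and the SQLite file as sensitive files, and an API key in config.json plus an AWS access key in .env as secrets; the clean bundle reports nothing. The same scan over a real APK or IPA is the quickest way to confirm the learnings of sections 6 and 7 before release: anything it finds is already in the hands of whoever downloads the app.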
By Riddhi Shree Chaurasia