Things Our Developers (Don't) Do!

The missing culture of security in the programming world

1. Trusting 3rd Party Libraries

The Mechanism


It affected those 3rd-party applications that used "Sign in with Apple" without implementing their own additional security measures


A full account takeover of user accounts was possible on these 3rd-party applications, irrespective of whether the victim had a valid Apple ID or not


Do not trust external entities

2. Insecure Authorization (API)


Implement server-side authorisation checks to identify and block unauthorised requests from non-privileged user accounts

3. Insecure Authorization (AWS)

The Mechanism


"Amazon Cognito supports unauthenticated identities. If your application allows customers to use the application without logging in, you can enable access for unauthenticated identities."


Each AWS Cognito identity pool that is configured with an unauthenticated role could potentially be vulnerable to breaches of the least privilege principle, allowing unauthorised users access to potentially sensitive and private information stored in AWS services

List of AWS services potentially accessible by unauthenticated users


Always follow the least privilege principle when configuring IAM roles, i.e., each AWS Cognito role should have the smallest set of AWS permissions required to perform respective user actions

4. Improper API Rate Limiting


If you hit a rate limit, it's expected that you back off from making requests and try again later when you're permitted to do so. Failure to do so may result in the banning of your app.


  • X-RateLimit-Reset response header was missing
  • X-RateLimit-Remaining response header was getting reset to a higher value unexpectedly
  • As good as not having rate limiting


Implement API rate limiting checks effectively so that brute force attacks can be prevented
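As an added example (not from the original deck), a server-side fixed-window limiter that emits all three headers the slides refer to; the header names and the limit of 5 requests per 60 s window are assumed values for illustration, and `FixedWindowLimiter` and `count_allowed` are hypothetical names.

```python
"""Added example: fixed-window rate limiter that keeps X-RateLimit-Remaining
monotonically decreasing inside a window and always emits X-RateLimit-Reset,
so a client cannot observe the 'remaining resets to a higher value' defect."""
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class FixedWindowLimiter:
    limit: int      # requests allowed per window (assumed: 5)
    window: int     # window length in seconds (assumed: 60)
    # client key -> (window_start_epoch, request_count_in_window)
    _state: Dict[str, Tuple[float, int]] = field(default_factory=dict)

    def check(self, client: str, now: float) -> Tuple[bool, Dict[str, str]]:
        """Decide one request from `client` at epoch time `now`.

        Returns (allowed, headers). Headers:
          X-RateLimit-Limit      total requests allowed per window
          X-RateLimit-Remaining  requests left in the current window (never grows)
          X-RateLimit-Reset      epoch seconds at which the current window ends
          Retry-After            only on rejection: seconds until the reset
        """
        start, count = self._state.get(client, (now, 0))
        if now - start >= self.window:      # window expired: open a new one
            start, count = now, 0
        allowed = count < self.limit
        if allowed:
            count += 1                      # rejected requests do not consume quota
        self._state[client] = (start, count)
        reset_at = int(start + self.window)
        headers = {
            "X-RateLimit-Limit": str(self.limit),
            "X-RateLimit-Remaining": str(max(self.limit - count, 0)),
            "X-RateLimit-Reset": str(reset_at),
        }
        if not allowed:
            headers["Retry-After"] = str(max(reset_at - int(now), 1))
        return allowed, headers


def count_allowed(limiter: FixedWindowLimiter, client: str, attempts: int, now: float) -> int:
    """Simulate `attempts` requests from one client in the same second and
    return how many the limiter let through (defender's check that the cap holds)."""
    return sum(1 for _ in range(attempts) if limiter.check(client, now)[0])
```

A limiter whose Remaining value climbs back up before Reset, or that omits Reset entirely, is the symptom the slide lists; the test below pins both behaviours.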

5. Improper App Hardening


  1. Attackers attempt to reverse-engineer your mobile app
  2. Attackers try to intercept communication between the server and the app


  • Root and Jailbreak detection
  • Emulator detection
  • Obfuscation
  • Encryption
  • Certificate pinning
  • Tamper prevention
  • etc.

Reverse Engineer

Intercept Calls to SSL Libraries


  1. Disallow app installation if a rooted/jailbroken device is detected
  2. Ensure strong anti-tamper and obfuscation systems are in place

6. Sensitive Files in App Bundle

Extract Bundled Resources


Do not ship sensitive files in app bundles

7. Miscellaneous!!

Hardcoded Secrets

Plaintext data in SQLite database

Leftovers in Cache files

And, the list goes on...

By Riddhi Shree Chaurasia
