ERYK BUDI PRATAMA, CEH
CYBERSECURITY CONSULTANT
ERNST & YOUNG (EY)
Mobile Application Security
Application Security Risk
Lack of Binary Protection
• Obfuscation
• Code modification
Recommendations:
• Obfuscator (ProGuard, DexGuard)
• Jailbreak Detection Controls
• Checksum Controls
• Debugger Detection Controls
• Renewing Secret Tokens
Weak Server Side Controls
• Logic flaws
• Weak authentication
• Weak Session Management
• Insecure web server configuration
• Injection (SQL, XSS, Command)
• Local and Remote File Controls
• Input validation for APIs
Insecure Data Storage
• SQLite databases
• Log Files
• XML Data Stores or Manifest Files
• Binary data stores
• Cookie stores
• SD Card
Recommendations:
• Ensure any shared preferences properties are NOT MODE_WORLD_READABLE
• Avoid exclusively relying upon hardcoded encryption or decryption keys
Insufficient Transport Layer Protection
• Lack of Certificate Inspection
• Weak Handshake Negotiation (cipher suite)
• Privacy Information Leakage (via non-secure channel)
Recommendations:
• Use TLS
• Certificate Pinning
• Strong cipher suite
• Usage of Secure flag for Session Cookies
• Usage of HTTP Strict Transport Security (HSTS)
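As an added example (not part of the slides), a Python check for the transport controls listed above: a client TLS context that refuses anything below TLS 1.2, a certificate pin comparison, and an audit of response headers for HSTS and the Secure/HttpOnly flags on session cookies. The sample headers, the cookie names and the decision to pin the whole DER certificate rather than the SPKI are assumptions.

```python
import base64
import hashlib
import ssl
from http.cookies import SimpleCookie

def hardened_client_context():
    """Client TLS context: chain and hostname verification on, nothing below TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def cert_pin(cert_der):
    """Pin = base64(SHA-256(DER cert)); compare it to the peer cert after the handshake.
    Pinning the whole certificate instead of the SPKI is an assumption (no ASN.1 parsing)."""
    return base64.b64encode(hashlib.sha256(cert_der).digest()).decode()

def pin_ok(cert_der, expected_pins):
    return cert_pin(cert_der) in expected_pins

def audit_response_headers(headers, session_cookies=("JSESSIONID", "session")):
    """Check (name, value) response headers for HSTS and Secure/HttpOnly on session cookies."""
    findings = []
    if not any(n.lower() == "strict-transport-security" for n, _ in headers):
        findings.append("missing HSTS header")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for key, morsel in jar.items():
            if key not in session_cookies:
                continue
            if not morsel["secure"]:
                findings.append(f"session cookie {key} lacks Secure flag")
            if not morsel["httponly"]:
                findings.append(f"session cookie {key} lacks HttpOnly flag")
    return findings

# Constructed sample responses (not captured from any real server).
WEAK_HEADERS = [("Content-Type", "application/json"),
                ("Set-Cookie", "JSESSIONID=abc123; Path=/")]
GOOD_HEADERS = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                ("Set-Cookie", "JSESSIONID=abc123; Path=/; Secure; HttpOnly")]

if __name__ == "__main__":
    print(audit_response_headers(WEAK_HEADERS))
    print(audit_response_headers(GOOD_HEADERS))
```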
Unintended Data Leakage
• API or encryption keys
• Passwords
• Internal company information
• Debugging or maintenance information
Recommendations:
• Store sensitive application data server-side
• Avoid hardcoding information in the application
Poor Authorization and Authentication
• No password, just unique ID
• Plain text password
• Using GET method
Recommendations:
• Unique identifiers as additional (not only) factors
• Differentiate client-side passcode vs. server authentication
• Hardware-independent identifiers (i.e. not IMSI, serial, etc.)
• Multi-factor authentication, depending on risk
• Define & enforce password length, strength & uniqueness
Broken Cryptography
• Hardcoded key
• Insecure encryption algorithm:
  • RC2
  • MD4
  • MD5
  • SHA1
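As an added example (not from the slides), a small Python scanner that walks decompiled Android source lines for the issues on this slide and on the Insecure Data Storage and Unintended Data Leakage slides: world-readable shared preferences, hardcoded keys, RC2/MD4/MD5/SHA1 usage, and secrets written to logs. The sample source lines, file names and rule identifiers are constructed.

```python
import re

# Constructed sample of decompiled Android source lines (not from any real app);
# each tuple is (file, line_number, text).
SAMPLE_SOURCE = [
    ("Prefs.java", 12, 'SharedPreferences p = getSharedPreferences("auth", MODE_WORLD_READABLE);'),
    ("Crypto.java", 20, 'byte[] KEY = "s3cr3tkey1234567".getBytes();'),
    ("Crypto.java", 21, 'MessageDigest md = MessageDigest.getInstance("MD5");'),
    ("Crypto.java", 22, 'Cipher c = Cipher.getInstance("RC2/CBC/PKCS5Padding");'),
    ("Net.java", 33, 'Log.d("Net", "token=" + session.getToken());'),
    ("Safe.java", 40, 'SharedPreferences p = getSharedPreferences("auth", MODE_PRIVATE);'),
    ("Safe.java", 41, 'MessageDigest md = MessageDigest.getInstance("SHA-256");'),
]

# Each rule: (finding id, compiled regex). The patterns mirror the slide checklist.
RULES = [
    ("world-readable-prefs", re.compile(r"MODE_WORLD_(READABLE|WRITEABLE)")),
    ("hardcoded-key", re.compile(r'\b(KEY|SECRET|PASSWORD|API_KEY)\w*\s*=\s*"[^"]+"', re.I)),
    ("weak-hash", re.compile(r'getInstance\("(MD4|MD5|SHA-?1)"')),
    ("weak-cipher", re.compile(r'getInstance\("RC2')),
    ("sensitive-log", re.compile(r'Log\.[dviwe]\(.*(token|password|secret|key)', re.I)),
]

def scan(lines):
    """Return a list of (file, line_number, finding_id) for every rule that matches a line."""
    findings = []
    for path, lineno, text in lines:
        for fid, pattern in RULES:
            if pattern.search(text):
                findings.append((path, lineno, fid))
    return findings

if __name__ == "__main__":
    for path, lineno, fid in scan(SAMPLE_SOURCE):
        print(f"{path}:{lineno}: {fid}")
```

Regex rules of this kind only flag candidates; a reviewer still confirms each hit in context.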
Client Side Injection
• SQL Injection
• Local File Inclusion
• JavaScript Injection (XSS)
Recommendations:
• Using parameterized queries
• Verify that JavaScript and plugin support is disabled for any WebViews
• Verify that file system access is disabled for any WebViews
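As an added example (not from the slides), the "parameterized queries" recommendation shown against an app-local SQLite store: a concatenated query lets input change the query's meaning, while the bound-parameter version treats the same input purely as a value. The table, its rows and the function names are constructed for this example.

```python
import sqlite3

def make_db():
    """Constructed in-memory table standing in for an app's local SQLite store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO notes VALUES (?, ?)",
                     [("alice", "alice private note"), ("bob", "bob private note")])
    return conn

def notes_for_vulnerable(conn, owner):
    # String concatenation: the caller's input becomes part of the SQL text itself.
    sql = "SELECT body FROM notes WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]

def notes_for_parameterized(conn, owner):
    # Bound parameter: the driver passes the input as a value, never as SQL.
    rows = conn.execute("SELECT body FROM notes WHERE owner = ?", (owner,))
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"   # constructed input; a plain value, not an owner name
    print(notes_for_vulnerable(db, probe))      # every owner's notes leak
    print(notes_for_parameterized(db, probe))   # no owner has that literal name
```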
Improper Session Handling
• Failure to Invalidate Sessions on the Backend
• Lack of Adequate Timeout Protection
• Failure to Properly Rotate Cookies
• Insecure Token Creation
Thank You

Cybersecurity - Mobile Application Security
