Posted on December 2, 2015 by Vladimir Ghilien
Whether it is a mobile app or a web app, security testing is necessary in order to produce risk-free and secure software. There are many tools on the market that can help build secure apps and other software products, Onegini among them. But tools are only part of the job: skill-set and mind-set matter just as much. Teams that settle for tools alone will keep running just those tools, while the attackers who target applications have particular ideas of their own, which help them get around such tools. Previous experience, combined with a mind-set geared to spotting future security holes, is therefore what produces applications that are impeccable in terms of security.
Below are several essential areas that must be addressed in order to build a secure application.
Authentication
Authentication is the very first entry point to the app. Check what happens after a password change: the user must not be able to log in with their old password. If the user enters a wrong password a few times, their account should be locked. Make sure the password rules are enforced on every authentication page, including registration, ‘change password’ and ‘forgot password.’ Also, don’t forget to test the app against brute-force attacks.
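The three authentication checks above (old password rejected after a change, lockout after repeated failures, locked accounts refusing even the right password) as a small Python model, added here as an illustration and not code from the original post or from Onegini. The lockout threshold and the PBKDF2 iteration count are constructed values, and the account store is an in-memory dictionary standing in for a real database.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 3  # constructed policy value: lock after three wrong passwords


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library; the iteration count is a placeholder
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


class AuthService:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}  # in-memory stand-in for the user table

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, hash_password(password, salt))

    def login(self, user: str, password: str) -> bool:
        acct = self.accounts.get(user)
        if acct is None or acct.locked:
            return False  # unknown user or locked account: no further checks
        # constant-time comparison so the digest does not leak through timing
        if hmac.compare_digest(acct.digest, hash_password(password, acct.salt)):
            acct.failed_attempts = 0
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True  # brute-force protection: lock after repeated failures
        return False

    def change_password(self, user: str, old: str, new: str) -> bool:
        if not self.login(user, old):
            return False
        acct = self.accounts[user]
        # a fresh salt and digest replace the old ones, so the old password stops working
        acct.salt = os.urandom(16)
        acct.digest = hash_password(new, acct.salt)
        return True
```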
Sensitive data such as account numbers, credit card numbers and passwords should be shown only in encrypted form. Encryption should also cover data stored in cookies. Any transmission of data over the network must obviously be secured, and, yes, the HTTPS configuration itself has to be secured as well.
Make certain that once the user logs out of the system or the session expires, they can no longer navigate the website. Be sure to encrypt any session values that appear in the address bar. The user should not be able to directly access either the secured or the supposedly unsecured web pages without being logged in.
Handling of Errors
If any piece of functionality fails, the system must not expose exceptions or error details from the database, the server or the application. App errors often contain information that is not intended for the user, let alone for an attacker. Instead, the app should show a custom error page. Appropriate error handling is therefore critical: doing it wrong leads to denial-of-service attacks and to the compromise of sensitive system-level data.
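A minimal illustration of the point above, added here and not code from the original post or from Onegini: the leaky handler returns the raw exception text to the client, while the corrected handler keeps the stack trace in the server log under a reference id and shows the user only a custom error page. The failing lookup is constructed (a query against a table that does not exist) so that the driver's error message names internal details.

```python
import logging
import sqlite3
import traceback
import uuid

log = logging.getLogger("app")


def handle_request_leaky(handler):
    # the anti-pattern: the raw exception text goes straight to the client, and with it
    # database, server or application details that were never meant for the user
    try:
        return 200, handler()
    except Exception as exc:
        return 500, str(exc)


def handle_request(handler):
    # keep the full stack trace on the server, tied to a short reference id, and show
    # the client only a generic custom error page that carries that id for support
    try:
        return 200, handler()
    except Exception:
        ref = uuid.uuid4().hex[:8]
        log.error("request %s failed:\n%s", ref, traceback.format_exc())
        return 500, f"<h1>Something went wrong</h1><p>Reference: {ref}</p>"


def broken_lookup():
    # constructed failure: the table does not exist, so the driver raises an error
    # whose message names the missing table ("no such table: users")
    return sqlite3.connect(":memory:").execute("SELECT * FROM users").fetchone()
```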
SQL Injection
SQL injection is one of the ways attackers acquire important data from databases. They can execute malicious SQL statements against the database to extract, change and delete records. They can also bypass authentication by injecting SQL statements into the password field during login, and SQL injection can likewise be carried out by manipulating a URL that carries SQL query input. SQL injections are commonly aimed at provoking database errors that reveal sensitive data about the database, which is where error handling comes into the picture.
Mobile apps must connect to the database with the minimum privileges they need. They must not build SQL statements directly from user input: the input has to be validated first.
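The two login implementations below, added here as an illustration and not code from the original post or from Onegini, show the anti-pattern the text warns about next to its corrected form: the unsafe version assembles the statement from raw input, so the password field can change the query's logic; the safe version validates the username against a constructed pattern and then binds both values as query parameters. The in-memory SQLite table is constructed sample data, and it stores the password in the clear only to keep the example short.

```python
import re
import sqlite3

# constructed rule: usernames are letters, digits and underscore only, up to 32 characters
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def make_db() -> sqlite3.Connection:
    # constructed in-memory table with one user, for demonstration only
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'S3cret!')")
    return conn


def login_unsafe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # the anti-pattern: the statement is assembled from raw input, so quote characters
    # in the input become part of the SQL itself and can alter the WHERE clause
    query = "SELECT name FROM users WHERE name = '%s' AND password = '%s'" % (name, password)
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # validate first, then bind the values as parameters: the driver passes them
    # separately from the statement text, so they can never change its structure
    if not USERNAME_RE.fullmatch(name):
        return False
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?", (name, password)
    ).fetchone()
    return row is not None
```

Least privilege for the database account, the other point the text makes, is configured on the database server rather than in this code and is not shown here.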
Cross Site Scripting
Cross-site scripting, or XSS, lets attackers insert client-side scripts into web pages. If user input is not properly validated, those scripts are executed in other users’ browsers, putting security at risk. The scripts can read other users’ cookies, including the admin user’s, and the attacker can then use those cookies to pose as those users.
You must make sure the “View Source Code” feature is disabled and the user can’t see it. Verify user roles and their rights. For instance, a regular user shouldn’t be able to access the admin page.
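An illustration of the XSS point above, added here and not code from the original post or from Onegini: the unsafe renderer places a user's comment straight into the page, so any script tag in it would run in every viewer's browser, while the safe renderers HTML-encode the input for the element-body and the attribute contexts (the `render_profile_link_safe` function and its `/users/` path are constructed for the example). Output encoding of this kind complements the input validation the text calls for.

```python
import html


def render_comment_unsafe(comment: str) -> str:
    # raw input goes straight into the page, so a <script> element in a comment
    # is executed in the browser of every user who views it
    return "<p>" + comment + "</p>"


def render_comment_safe(comment: str) -> str:
    # HTML-encode the input so the browser treats it as text, not as markup
    return "<p>" + html.escape(comment, quote=True) + "</p>"


def render_profile_link_safe(display_name: str, profile_id: str) -> str:
    # attribute context: each value is encoded AND enclosed in double quotes, so a
    # stray quote in the input cannot close the attribute and start a new one
    return '<a href="/users/%s" title="%s">%s</a>' % (
        html.escape(profile_id, quote=True),
        html.escape(display_name, quote=True),
        html.escape(display_name, quote=True),
    )
```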
Buffer Overflow
In programming and computer security, a buffer overflow is an anomaly in which a program, while writing data to a buffer, overruns the buffer’s boundary and overwrites adjacent memory. It is a special case of a memory safety violation.
Attackers may trigger a buffer overflow by supplying inputs designed to execute particular code or to alter the program’s behaviour. The result can be erratic program behaviour, including incorrect results, a breach of system security, a crash or memory access errors. Buffer overflows are therefore the foundation of most software security holes and can be exploited maliciously.
The source code has to be reviewed and analysed before it is compiled; various tools exist for this task. The code can also be tested after compilation, and there are many tools that look for security holes in the low-level assembly code. Use fuzzing techniques as well: they test software by feeding it large amounts of random data and watching for errors.
Over the past few years, things have changed: attackers no longer target organizations for ego or pride but for profit. SSL, firewalls and the like don’t mean a thing if the app itself lacks security, so don’t trust everything your browser offers you. These days you have to work closely with mobile developers to create a secure application.
Onegini is one of the frontline app development platforms that provides all the security features necessary for safe operation and use in today’s hostile mobile environment, so make sure to visit Onegini.com and check out our latest offers.