What is Insecure Communication risk in the OWASP mobile top 10?

Jill D
May 19, 2022


Over the past few years there has been an exponential increase in the number of experimental apps being developed. Moreover, the number of mobile phone users worldwide has risen, and with it the number of apps downloaded has also increased.

However, this means that the security risks associated with mobile apps are also on the rise. This is a concern for both app developers and users. If you are a developer worried about your app’s security, then it is important to acquaint yourself with the OWASP mobile top 10 security risks.

The OWASP top 10 is a list of mobile app security risks curated by experts around the world to make sure that your app is not at risk. It acts as a guide for developers by offering information about the top 10 app risks and how they can be avoided.

The Risks of Insecure Communications

Ranked third in the list of app security risks, insecure communication leaves your app quite vulnerable to attacks, and it also affects the user experience. Data usually travels to and from the app over a mobile carrier network or the internet. Attackers can intercept this data on the local network the user is connected to, for example through compromised Wi-Fi. They can also tap into the connection through cellular towers, routers or proxy servers, or exploit the application with the help of malware. The following are some of the risks that arise from communications that are not secure:

1. Information Theft

Of all the categories mentioned above, this is the easiest for adversaries to carry out: they simply monitor traffic on unsecured or compromised networks. Developers are therefore expected to ensure that every form of inbound and outbound traffic to the device is monitored, including Wi-Fi, Bluetooth, audio, GSM, infrared, SMS, etc.

2. MITM attacks

Most developers know to use SSL/TLS for authentication, but when the server's certificate is not validated properly, a gap is left for man-in-the-middle (MITM) attacks. These attacks let an attacker read and even modify the traffic between the application and the server, which also allows them to intercept session IDs.

Because certificates are issued for specific domains, production certificates are unavailable for test servers, so most developers rely on self-signed certificates on production-like servers while testing their code. However, this can open the door to attacks, since a self-signed certificate that the app accepts without validation is equivalent to a plaintext, unencrypted connection.
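The validation gap described above, as an added example in Go that is not part of the original post: a local HTTPS server presenting a self-signed certificate, a client with verification switched off (which accepts that server and any impostor alike), and a client that pins the one expected certificate. The names selfSigned, startServer, insecureConfig, pinnedConfig and connects are this example's own, and the certificates are constructed test material.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// selfSigned mints a self-signed certificate for 127.0.0.1 (constructed test material).
func selfSigned(serial int64) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "backend"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// startServer runs a local HTTPS server presenting cert: a test backend or a rogue proxy.
func startServer(cert tls.Certificate) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS()
	return srv
}
// insecureConfig is the anti-pattern: validation off, so any certificate is accepted.
func insecureConfig() *tls.Config { return &tls.Config{InsecureSkipVerify: true} }
// pinnedConfig trusts exactly the one expected certificate and nothing else.
func pinnedConfig(cert tls.Certificate) *tls.Config {
	leaf, _ := x509.ParseCertificate(cert.Certificate[0])
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return &tls.Config{RootCAs: pool}
}
// connects reports whether a GET to url succeeds under cfg (nil means system roots).
func connects(url string, cfg *tls.Config) bool {
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := c.Get(url)
	if err == nil {
		resp.Body.Close()
	}
	return err == nil
}
```

With verification disabled, the rogue server is indistinguishable from the real one; with the certificate pinned, only the expected server connects, and the default system roots reject the self-signed certificate outright.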

3. Compromise of the Admin Account

When it comes to MITM attacks, the theft of ordinary user data is not the biggest problem. The real problem arises when insecure communications allow the administrator's account data to be stolen. This can result in the entire website being compromised and sensitive data being lost. Such attacks can also lead to the theft of encryption keys, private information, account details and passwords.


Conclusion

To avoid these risks, developers need to watch for leaks in the traffic exchanged between the app and the server. If you want users to truly trust your app, you must make sure it is protected against these risks. Code obfuscation, together with ensuring that sensitive data is not shared over alternate channels, will help you keep your app safe.

Written by Jill D

I am a tech freak. I love to read and write about the same. Hence, here I am to share my knowledge with you all!