
Broken Authentication in Android


Description

Failing to treat a mobile application like a web app opens the door to a number of authentication and authorization issues. In both cases, the root of the problem is that the user ends up with, in some form or another, the actual client code of the app, and can therefore bypass any check that is implemented only there. So, for example, relying solely on the fact that some particular functionality or piece of information is not reachable by an unauthenticated user through the regular app interface is not enough; the same functionality must also be secured on the backend.

Impact

Applications affected by these authentication issues allow malicious users to reach server-side resources and functionality that are not protected on the backend.

Prevention

Just like client-side-only validation is not enough to secure a web application, the checks and restrictions enforced in the mobile application must be replicated accordingly on the backend server.
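As an added illustration (not SecureFlag's code), the following hypothetical backend endpoint is written twice: once trusting an `is_admin` flag that the Android app sends because "only admins can see that screen", and once deriving the role from the server's own session store. Users, passwords, endpoint names and the in-memory stores are all constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample data: a server-side user table that never ships with the app.
# Plaintext passwords stand in for a properly hashed store in this toy example.
USERS = {
    "alice": {"password": "alice-pw", "role": "user"},
    "admin": {"password": "admin-pw", "role": "admin"},
}
SESSIONS = {}  # opaque session token -> username; lives only on the server


@dataclass
class Request:
    """What the mobile client sends. Every field is attacker-controlled."""
    token: str
    body: dict


def login(username, password):
    """Issue an opaque session token; the role is deliberately not embedded in it."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def export_users_client_trusting(req):
    """Broken: the backend assumes the app only exposes the admin screen to admins,
    so it believes the is_admin flag the client put in the request body."""
    if req.token not in SESSIONS:
        return 401, None
    if not req.body.get("is_admin"):
        return 403, None
    return 200, sorted(USERS)


def export_users_server_enforced(req):
    """Fixed: the role comes from the server-side session, never from the request."""
    username = SESSIONS.get(req.token)
    if username is None:
        return 401, None
    if USERS[username]["role"] != "admin":
        return 403, None
    return 200, sorted(USERS)
```

The same request, with the flag set by a modified client, is accepted by the first handler and rejected with 403 by the second; only the second actually enforces the restriction the app's UI merely hints at.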
