Broken Authentication in iOS
Description
Failing to treat a mobile application the way a web application is treated (as an untrusted client) opens the door to a number of authentication and authorization issues. In both cases the user ends up with the actual code of the app in some form or another. Relying solely on the fact that some particular functionality or piece of information is not reachable by an unauthenticated user through the regular app interface is not enough; the same functionality must also be secured on the backend.
Applications affected by these authentication issues enable malicious users to reach the unsecured server-side resources and functionalities.
Moreover, the broken authentication exposure may also concern the local part of the authentication, specifically the piece of code responsible for trusting the actual human user of the device. Adequate protection ensures that, even in the event of the physical seizure of a victim's device, the sensitive data and features remain safe, no matter how technologically advanced the attacker might be.
Vulnerable example
It's easy to misuse the inherently secure biometrics API provided by the framework. While there are several ways to obtain the same result, some are more susceptible to instrumentation, meaning that a motivated attacker in possession of a victim's phone will be able to intercept the call to the framework function responsible for guarding the sensitive piece of code (evaluatePolicy) and ultimately bypass it.
Prevention
Just as client-side-only validation is not enough to secure a web application, the checks and restrictions enforced in the mobile application must be replicated accordingly on the backend server.
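The following Swift code is an added example, not code from the original page, that contrasts the instrumentable pattern described under "Vulnerable example" with the usual hardened alternative. The weak version treats the Bool returned by evaluatePolicy as the only gate, so the protected branch does not depend on the authentication actually succeeding. The hardened version stores the secret in the Keychain behind a SecAccessControl requiring the currently enrolled biometrics; the system releases the item only after a genuine successful authentication, so there is no Bool to flip. The service name, account name and the secret itself are constructed for the example. This protects the local part of the authentication only; the server-side checks from the Prevention section still apply to anything the token unlocks on the backend.

```swift
import Foundation
import LocalAuthentication
import Security

// Weak pattern: the biometric prompt yields a Bool that merely gates a branch.
// The sensitive data is already reachable in memory or storage, so a runtime
// hook that forces `success` to true unlocks it without any real authentication.
func showSecretsAfterBiometricGate(_ onResult: @escaping (Bool) -> Void) {
    let context = LAContext()
    var authError: NSError?
    guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                                    error: &authError) else {
        onResult(false)
        return
    }
    context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                           localizedReason: "Unlock your vault") { success, _ in
        onResult(success) // only this flag stands between the caller and the data
    }
}

// Hardened pattern: bind the secret to a Keychain item whose access control
// demands the currently enrolled biometrics. Authentication happens inside the
// Keychain read itself, not in app-controlled branching.
enum VaultError: Error {
    case accessControl
    case keychain(OSStatus)
}

let vaultService = "com.example.vault"   // assumed identifier, constructed for this example
let vaultAccount = "session-token"       // assumed account name, constructed for this example

private func baseQuery() -> [String: Any] {
    return [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: vaultService,
        kSecAttrAccount as String: vaultAccount
    ]
}

func storeSecretBehindBiometrics(_ secret: Data) throws {
    var cfError: Unmanaged<CFError>?
    // .biometryCurrentSet invalidates the item if the enrolled biometrics change,
    // so a newly enrolled fingerprint or face cannot unlock an existing secret.
    guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
            .biometryCurrentSet,
            &cfError) else {
        throw VaultError.accessControl
    }
    // Replace any previous copy before adding (the delete query carries no data).
    SecItemDelete(baseQuery() as CFDictionary)

    var addQuery = baseQuery()
    addQuery[kSecAttrAccessControl as String] = access
    addQuery[kSecValueData as String] = secret
    let status = SecItemAdd(addQuery as CFDictionary, nil)
    guard status == errSecSuccess else { throw VaultError.keychain(status) }
}

func readSecretWithBiometrics() throws -> Data {
    let context = LAContext()
    context.localizedReason = "Unlock your vault"
    var query = baseQuery()
    query[kSecReturnData as String] = true
    // The system presents the biometric prompt as part of this read; on failure
    // or cancellation the item is simply not returned.
    query[kSecUseAuthenticationContext as String] = context

    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let data = item as? Data else {
        throw VaultError.keychain(status)
    }
    return data
}

// Usage (constructed secret): store once, then read only through the biometric-bound item.
func demo() {
    do {
        try storeSecretBehindBiometrics(Data("constructed-session-token".utf8))
        let token = try readSecretWithBiometrics()
        print("unlocked \(token.count) bytes") // only reached after a real authentication
    } catch {
        print("vault access failed: \(error)")
    }
}
```

The design point is that the hardened read has no app-level decision to subvert: the secret is not present in the process until the Keychain hands it over, and the Keychain hands it over only after the Secure Enclave-backed authentication succeeds. Pair this with backend authorization so that a token obtained from a compromised device still only reaches what that user is entitled to.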
References
OWASP Top 10 Mobile - Insecure Authentication
CWE - CWE-287: Improper Authentication
OWASP - A07:2021 - Identification and Authentication Failures