Broken Authorization in Android
Description
Failing to treat a mobile application like a web app, that is, as an untrusted client, opens the door to a number of authentication and authorization issues. In both cases the user ends up, in one form or another, with the actual source code of the app, and can therefore change what it sends. Relying solely on the fact that some functionality or piece of information is not reachable by an unauthenticated user through the regular app interface is not enough; the same functionality must also be secured on the backend.
Impact
Applications affected by these authorization issues enable malicious users to impersonate other users.
Prevention
Just as client-side-only validation is not enough to secure a web application, the checks and restrictions enforced in the mobile application must be replicated on the backend server.
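The following added example (not part of the original entry) models the backend side of this advice: one handler trusts the identity and role fields the Android app fills in, the other derives them from the server-side session and repeats the ownership check. Tokens, user records and field names are constructed for the illustration.

```python
"""Added example: backend handlers for a profile endpoint called by an Android app.
All tokens, users and parameter names below are constructed, not from any real service."""
from dataclasses import dataclass, field

# Constructed session store: bearer token -> user id authenticated at login.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}

# Constructed user records; only alice has the admin role.
USERS = {
    "alice": {"email": "alice@example.test", "role": "admin"},
    "bob":   {"email": "bob@example.test",   "role": "user"},
}


@dataclass
class Request:
    token: str                                   # bearer token sent by the app
    params: dict = field(default_factory=dict)   # body/query fields the app fills in


def profile_client_trusted(req: Request) -> dict:
    """Vulnerable: trusts 'user_id' and 'is_admin' exactly as the app sent them.
    The genuine app only sends its own id and hides the admin screen from
    non-admins, but a modified client can send any values it likes."""
    if req.token not in SESSIONS:
        raise PermissionError("not authenticated")
    if req.params.get("is_admin") == "true":
        return dict(USERS)                        # full dump for a self-declared admin
    return USERS[req.params["user_id"]]           # whatever id the client named


def profile_server_checked(req: Request) -> dict:
    """Hardened: identity and role come from the server-side session, and the
    ownership/role check is enforced here regardless of what the app's UI allowed."""
    user = SESSIONS.get(req.token)
    if user is None:
        raise PermissionError("not authenticated")
    target = req.params.get("user_id", user)
    if target not in USERS:
        raise LookupError("no such user")
    if USERS[user]["role"] == "admin" or target == user:
        return USERS[target]
    raise PermissionError("forbidden")            # authorization decided on the backend


def demo() -> tuple:
    """Bob's modified client asks for alice's record.
    Returns (leaked by vulnerable handler, leaked by hardened handler)."""
    forged = Request("tok-bob", {"user_id": "alice"})
    leaked_vuln = profile_client_trusted(forged) == USERS["alice"]
    try:
        profile_server_checked(forged)
        leaked_hard = True
    except PermissionError:
        leaked_hard = False
    return leaked_vuln, leaked_hard
```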
References
MITRE - CWE 285 - Improper Authorization
OWASP Top 10 2021 - Broken Access Control