
I'm developing a mobile app for iOS and Android that has, due to specs that are given by management, some security flaws. However, I can't quite explain in concrete business speak why the specs are not secure, and thus I can't convince them to change their requirements.

Some background; when we implement user registration, there are two options to do so: fill in a mobile number (and trigger an SMS verification) or connect with Facebook. The backend is a RESTful API.

The first flaw is that when we connect with Facebook, they still want the user to create a username and password in the app. The only thing they want to use the Facebook login for is to auto-fill some of the data in the registration form, like the username. This means that the Facebook login is essentially useless since the backend never sees a successful Facebook login token. It still boils down to form-submitted data.

The second flaw is that when we register using our mobile number, they want the password to be filled in after the SMS verification step. So the flow is:

  1. register with a mobile number,
  2. get an SMS verification
  3. supply the password. This means the person who registered their mobile number is not guaranteed to be the one who is also supplying the password.

Of course, user login is what you would expect - fill out the username/mobile number and password. Always, even when they registered via Facebook.

My question is, what are some attacks that a hacker could do to take advantage of a registration setup such as this? I intend to use this info to make a more concrete case of why the registration flow should change.

markovchain

1 Answer


What are some attacks that a hacker could do to take advantage of a registration setup such as this?

Although this will most likely not help you in your case to change the registration flow, the first thing that comes to mind is to abuse the SMS function. Since only a username and a phone number are required this can be used to:

  1. Get the company out of SMS credits (depending on the setup)
  2. Get the company a bad reputation for sending random text messages (in case the company name is used in the SMS message).
  3. In a replay attack this could lead to unnecessary costs.
  4. The company registration flow can be used as a "prank platform".

A better solution would be to have a user enter a username, an email address and get the phone number programmatically (https://stackoverflow.com/questions/2480288/programmatically-obtain-the-phone-number-of-the-android-phone) from within the mobile application.

An email is sent to the given email address with a verification link. When the user clicks the verification link from the email, a password should be set. Make sure that once the password has been set, the registration link is invalidated.

Additionally, the registration link should have a specific life time, e.g. it should expire after X amount of time.

Jeroen