Questions tagged [mobile-app]

28 questions
22 votes, 7 answers

How to secure a mobile app against its user?

I have created a mobile application that monitors the accelerometer activity and based on that it rewards the user if a specific pattern is observed. How can I secure the application against the user itself who may try to hack the application to…
Noureddine
5 votes, 1 answer

What questions are useful to scope a mobile app pen test?

When arranging a pen test it's common practice to ask the client a set of questions, and use the answers either as the basis for further discussions, or to directly provide a test plan and quotation. For a mobile app specifically, what questions are…
paj28
5 votes, 2 answers

What is the use case of request signing in this mobile app?

The API of a mobile app I was testing is sending the AWS AccessKeyId and SecretKey used for request signing from the AWS Cognito server unencrypted (apart from the regular TLS encryption). Making it possible to re-sign all requests to their AWS…
4 votes, 4 answers

Is 2FA a false sense of extra security on a mobile phone?

I understand that 2FA increases security if you are using two different devices, for instance a computer and a mobile phone. I fail to understand how these security measurements help if you are doing everything on your mobile device. Imagine if I…
3 votes, 1 answer

MSTG-ARCH-7: All security controls have a centralized implementation

In the OWASP Mobile Application Security Checklist there is a requirement MSTG-ARCH-7 which reads: "All security controls have a centralized implementation". Now I'm struggling a bit with what is meant by "centralized implementation" in this…
3 votes, 0 answers

Deauthorization Bug in messenger application - How serious is this?

My question refers to a behavior on a production system with more than 100 million chat users. Some time ago I changed my account password and removed all devices connected to my account. The next day I noticed that during the night I still received…
2 votes, 0 answers

Security of in-app Forgot Password workflow in Xamarin (Mobile App) without using a website

I decided to implement "forgotten password" functionality, without having to create a website just for that. The usual workflow that I've seen for any app is: 1. User requests password reset. 2. Link is sent to their email with a token embedded in…
Varin
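The token half of the reset workflow sketched in that question, as an added example (not code from the question or its answers): the server issues a single-use, short-lived reset token, stores only its hash, and consumes it on first successful redemption. The in-memory store, the 15-minute lifetime and the function names are assumptions; how the raw token reaches the phone (an e-mail deep link, or a short code typed into the app) is left to the app.

```python
# Added example, not from the original question: server-side reset-token
# handling for a mobile "forgotten password" flow. The store, expiry and
# function names are assumptions made for illustration.
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60          # assumed: tokens expire after 15 minutes
_reset_store: Dict[str, Tuple[str, float]] = {}   # assumed store: token_hash -> (user_id, expires_at)


def _hash_token(token: str) -> str:
    # Persist only a hash: a leaked table must not yield usable reset tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(user_id: str, now: Optional[float] = None) -> str:
    """Create a fresh reset token for user_id and return the raw token for
    out-of-band delivery. Any earlier outstanding token for the user is
    revoked so only the most recently requested one works."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)             # 256 bits from the OS CSPRNG
    for stored_hash, (uid, _expires) in list(_reset_store.items()):
        if uid == user_id:
            del _reset_store[stored_hash]
    _reset_store[_hash_token(token)] = (user_id, now + TOKEN_TTL_SECONDS)
    return token


def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user_id if the token is known, unexpired and unused,
    otherwise None. A matching token is removed on the first attempt, so it
    can never be replayed, even when that attempt fails on expiry."""
    now = time.time() if now is None else now
    presented = _hash_token(token)
    match = None
    # Compare against every stored hash in constant time rather than
    # short-circuiting on the first match, so timing does not reveal
    # whether a guessed token exists.
    for stored_hash in _reset_store:
        if hmac.compare_digest(stored_hash, presented):
            match = stored_hash
    if match is None:
        return None
    user_id, expires_at = _reset_store.pop(match)   # single use
    if now > expires_at:
        return None
    return user_id
```

Redeeming the token should be followed, in the same request, by setting the new password and invalidating the user's other sessions; the example stops at the point where the app has proven possession of the token.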
1 vote, 1 answer

Mobile App Security for Spotify

This is a little bit crazy. A long time ago, I created a Spotify account using Facebook credentials. A few years ago, I stopped my premium subscription, deleted Spotify from all devices and didn't use it again. 3 years ago, I bought a used…
Ghassan Karwchan
1 vote, 1 answer

How to deal with targeted attacks from publisher when verifying the integrity of native applications and validating their source code?

I am trying to reason about how native apps can avoid the problems web apps have in dealing with the "Browser Cryptography Chicken and Egg" problem, which has been discussed numerous times on this site, perhaps most notably here: Solution to the…
1 vote, 1 answer

Protecting a PWA authentication token on a public kiosk device

I have a use case where I need a factory-reset tablet device to install and run a simple Progressive Web Application (PWA). The tablet will be mounted on a wall inside a company building that may host unaccompanied external visitors from time to…
sammy34
1 vote, 1 answer

Is certificate pinning enough to protect client (native mobile app) - server communication?

My use case is the following: I want to create an app with React Native that I can deploy on both iOS and Android. The app should consume an RSS feed (https call) from the server but there is no need to have authorization in place. The output does…
dierre
1 vote, 0 answers

Insecure Binary protection iOS Pentest Report

A third-party pentest company reported their findings in our iOS app. In the report, the explanation for this vulnerability is: Apple provides default encryption for applications; however, the encryption could easily be bypassed by using publicly available…
titus
0 votes, 1 answer

Are there IoT devices that send data home despite blocked internet connection (with the detour via bluetooth on the phone)?

I am increasingly buying IoT aka smart devices for my household. All these devices need to be connected to WLAN and proprietary app (via bluetooth on iPhone). I do this initial step, but then block the internet access for the IoT device in OpenWrt…
Sybil
0 votes, 1 answer

If software uses encryption to protect one from ISP providers and other parties snooping, how does this apply to browser software, esp. on mobile?

I believe the title says it all. As an example, let's say I use the Brave browser on a phone. From my understanding, all legitimate apps or computer software that connect to the Internet have some form of encryption to prevent other parties from…
Kyrill
0 votes, 0 answers

How to Scan Firebase Database?

I have the APK of an application and analyzed it using MobSF static analysis. It says the application talks with Firebase Database and provides a URL. Obviously, the URL is not accessible. I am new to this so trying to find tools from GitHub. Are…