From hard-coded passwords to data leaks: The risks of sloppy mobile app code

What are sloppy apps?

Sloppy apps are mobile applications with poor coding practices that don’t adhere to essential security guidelines. These sloppy apps may function well on the surface but have vulnerabilities that leave them open to attacks.

Real-World Example: How Sloppy App Code Created a Security Nightmare

The Android device locator app, intended to be a helpful tool for users, instead became a case study of how sloppy app coding practices lead to real-world security risks. By embedding cryptographic keys directly into the app, the developers created a vulnerability that could be exploited to access user passwords through simple network transmissions.

This scenario serves as a cautionary tale for developers: what seems like a minor shortcut can have major consequences when it comes to user security and privacy.

The Risks of Poorly Written Code

The dangers of sloppy apps extend far beyond poor performance—they introduce serious security risks that can compromise both user and corporate data.

Here are some of the key risks:

• Hard-Coded Passwords: Developers may take shortcuts by embedding passwords or cryptographic keys directly into the app’s code, which attackers leverage for fraudulent purposes.
• Unencrypted Data Connections: Transmitting data over an unencrypted connection, such as HTTP, exposes it to vulnerabilities like man-in-the-middle (MitM) attacks, where an attacker can intercept and possibly modify the information.
• Sloppy Use of Permissions: Requesting unnecessary or excessive permissions increases the app’s vulnerability to exploitation. When an app accesses a user’s contacts, camera, or microphone without clear justification, it becomes an appealing target for malicious actors who can exploit those permissions for harmful purposes.
• Misconfigured Manifests on Android: The AndroidManifest.xml file is crucial for defining an app’s behavior and permissions. Misconfigurations within this file can lead to significant security vulnerabilities, highlighting its importance in the app deployment model. To explore the primary risks associated with such manifest misconfigurations, refer to the academic paper for a detailed analysis.
• Unvetted Third-Party Libraries: Relying on third-party libraries without thoroughly vetting them can introduce vulnerabilities into the app. These libraries might have their own —intentional or unintentional— security flaws that enable attackers to leverage.
• Insufficient Testing: Developers may skip crucial testing phases in the rush to release apps. Without the proper tests, apps may be released with vulnerabilities or code weaknesses that can be exploited for data theft or misuse.
• Privacy and Compliance Violations: Sloppy app coding can lead to unintentional leaks of user data, violating privacy laws such as GDPR, CCPA, or HIPAA. Failure to meet these regulatory requirements can result in hefty fines, legal repercussions, and damage to the organization’s reputation.

Sloppy apps lack a secure code development approach, which not only exposes devices to vulnerabilities, but also poses significant risks for organizations with strict security standards. When apps aren’t developed with security in mind, the consequences can be disastrous, particularly for businesses handling sensitive data.

Future-proofing mobile app security

To mitigate sloppy app risks effectively, it’s key to have a solid strategy that covers development practices, security measures during production, and the end-user perspective. While it’s tough to eliminate every code weakness, organizations can enhance their mobile app security by following these steps:

Secure development practices

• Make security a part of your development process: Adding security checks at each stage of the development life cycle helps catch weaknesses and vulnerabilities early on. This means doing static and dynamic testing, following secure coding practices, and having regular code reviews.
• Keep up with app security testing and patching: Regularly testing your app’s security and quickly patching any vulnerabilities is key to staying secure. This involves static and dynamic analysis, plus penetration testing to mimic real-world attacks.
  • Static AST (SAST): This approach analyzes the app’s binary code before compilation to uncover security flaws at the code level. SAST is typically employed early in the development process.
  • Dynamic AST (DAST): DAST assesses the app’s behavior during runtime, simulating attacks to detect vulnerabilities in production.
  • Interactive AST (IAST): IAST inserts agents into the app to analyze both its code and behavior during manual or automated testing. Unlike SAST and DAST, IAST focuses on specific parts of the app, as defined by the tester, rather than the entire code base.

• Vetting third-party libraries and SDKs: With so many third-party components being used in app development, it’s important to check them for security issues and keep an updated list of the approved libraries and SDKs.

In-production security

• Code obfuscation: Using code obfuscation techniques can help shield your app from reverse engineering, making it tougher for attackers to break down the app’s logic and spot vulnerabilities.
• Monitor for malicious activity: Using tools that offer real-time monitoring and alerts can help catch unusual behaviors that might signal a breach or ongoing attack.

End-user security considerations

• Managing user behaviors: Educating users on safe practices, such as recognizing phishing attempts or avoiding sideloading apps, helps mitigate risks associated with human error.
• Ensuring secure access to corporate resources: Enforcing strong authentication mechanisms and access controls ensure only authorized users can access sensitive corporate data and resources.

Integrating security into organizational processes helps companies protect sensitive data, build user trust, and ensure business continuity in a mobile-centric world. Quokka offers two solutions: Q-mast, a comprehensive SAST/DAST/IAST tool that secures mobile apps by scanning their compiled versions, and Q-scout, which provides insights into apps on devices accessing enterprise data, helping teams detect vulnerabilities and enforce proactive security measures.

To learn more about how we can help you secure your mobile apps throughout the development life cycle, contact us.