Skip to main content

Security Mechanisms vs. Application Logic: Conclusions from Mobile App Penetration Tests

Illustration of Security Mechanisms vs. Application Logic: Conclusions from Mobile App Penetration Tests
Martin Matyja

Introduction

In our daily work, we often come across mobile applications, primarily for Android and iOS platforms. This article describes an example that demonstrates how popular security mechanisms should not replace essential application logic.

Vulnerability example

During a recent audit, we discovered a security gap that allowed a bypass of the child mode restrictions within a mobile app. Although the app lacked an option to exit child mode (which protects content, applications, or resources designated by the parent), it was possible to disable the child module due to a flaw in the application’s logic. This was possible because both the child and parent modes used the same API endpoints, and the assigned access data (JWT tokens) did not distinguish between the two modes.

As a result, an authenticated child session could disable monitoring mode with a single request to the server, which would log out device instances, disable the child mechanism, and remove parental controls.

Below is an example request that successfully removes the child mode functionality (using the AccessibilityService API on the Android platform):

Child mode bypass request

The device ID in the URL specifies the paired child and parent mode instances, and the JWT token in the authorization header is issued specifically for the child mode instance. Subsequent API requests then receive a response indicating the absence of an active child mode, prompting the application to disable current restrictions and log out.

Security mechanisms and limitations

It is clear that the implemented certificate pinning mechanism, which protects the communication channel and the mechanisms responsible for detecting:

  • rooted/jailbroken devices
  • emulated devices
  • app file integrity manipulation
  • runtime integrity manipulation

However, these protections are not 100% effective due to one simple fact: the user has full control over the device, both from user space and kernel space. They may be able to instrument the application process in relation to the device’s kernel or even influence the kernel’s behavior directly. For example, using eBPF (supported by current Android kernels), they could create a specific function hook at the kernel level to bypass mechanisms associated with cryptographic operations.

The effectiveness of these security mechanisms lies in making it extremely difficult for users to bypass security effectively. Therefore, an effective mechanism is complex, does not rely on widely accepted implementations, and monitors a comprehensive range of platform parameters rather than just common indicators, such as the presence of specific executables in the file system. Security mechanisms are mandatory in modern mobile applications, but they should not be the sole reliance for protecting an app. A second critical component is the application logic itself and the logic of the API with which the application communicates.

To address this in our security audits, we recommend an ideal solution: having two versions of the application. The first version includes standard security mechanisms, such as rooted/jailbroken device detection and certificate pinning. The second version lacks any implemented security features, allowing us to focus on testing application and API logic itself.

This approach not only focuses the testing on the application itself but also provides a clear view of the app’s existing security mechanisms. This enables us to thoroughly evaluate the level of implemented security mechanisms, allowing us to provide recommendations to enhance their effectiveness.

Other Insights

Illustration of Accessing Internal Network by WiFi Hacking - 2024 Pentest Case

Accessing Internal Network by WiFi Hacking - 2024 Pentest Case

Aleksander Wojdyła

During the last penetration test, I performed an Evil Twin attack, which involves setting up a fake access point with the same name as the legitimate one. Due to improper configuration of endpoint devices (e.g., computers, phones, tablets), users could accept an incorrect (fake, generated by the auditor) certificate identifying the network. This led to a successful capture of the authentication segment of the communication. Subsequently, the auditor subjected the captured data to brute-force attacks, resulting in the retrieval of credentials.

READ article
Illustration of From SOQL Query to Data Breach - Lessons from a Real-World Pentest

From SOQL Query to Data Breach - Lessons from a Real-World Pentest

Adam Borczyk

During one of security audits of a web application, I uncovered an interesting vulnerability: the exposure of an endpoint that allows users to perform arbitrary Salesforce Object Query Language (SOQL) queries. Such functionality, when available to unauthorized users or misconfigured, poses significant security risk, especially if Row-Level Security (RLS) permissions are not properly set. In this article I will analyze technical aspects of this vulnerability, the potential risks, and steps to mitigate such issues.

READ article
Illustration of Bypassing Host Validation: Real Pentest Case of Sensitive Data Exposure

Bypassing Host Validation: Real Pentest Case of Sensitive Data Exposure

MATEUSZ Kowalczyk

During one of penetration tests, I discovered a vulnerability that allowed us to bypass a host whitelist, leading to the exposure of sensitive data. This behavior could let attackers to exfiltrate sensitive information, such as password reset tokens, to external hosts they control. The severity of this vulnerability is significant, as it opens up further attack vectors that could potentially compromise the application and its users.

READ article
A professional cybersecurity consultant ready to assist with your inquiry.

Any questions?

Happy to get a call or email
and help!

Contact Us