Smartphone Security Threats 2020: Improper Session Handling & Broken Cryptography
DigitalBank Vault® provides sophisticated Digital Anti Surveillance technologies: military-grade encryption devices for ultra-secure anonymous communication (voice calls & text messaging) with untraceable file transfers & storage solutions.
To make mobile transactions convenient, many apps issue “tokens” that let a user perform multiple actions without re-authenticating each time. Much as a password identifies a user, a token identifies and validates an authenticated session (and often the device it was issued to). A secure app generates a fresh, unpredictable token for each login, or “session,” keeps it confidential in transit and at rest, and stops honouring it once the session ends.
According to The Manifest, improper session handling occurs when an app unintentionally exposes session tokens, for example to malicious actors, who can then present the token and impersonate the legitimate user. A common cause is a session that stays valid after the user has stopped using the app or website. For example, if you log into a company intranet site from your tablet and neglect to log out when you have finished, the session stays open; anyone who gets hold of that tablet, or of the token itself, can browse the intranet and any connected parts of your employer’s network as you, with no password required.
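The two controls the paragraphs above call for, unpredictable per-session tokens and a server side that stops honouring a token once the session is idle, expired or logged out, look like this in practice. This is an added illustration, not code from the original article or from DigitalBank Vault; the class and function names (SessionStore, FakeClock, session_demo) are hypothetical, and the timeouts are constructed values chosen for the demonstration.

```python
import secrets
import time
from typing import Optional

# Constructed example: an in-memory, server-side session store. The token is a
# random 256-bit value; the server, not the client, decides whether a token is
# still valid. All names here are hypothetical.


class SessionStore:
    def __init__(self, idle_timeout=900, absolute_timeout=8 * 3600, clock=time.monotonic):
        self._sessions = {}              # token -> {"user", "created", "last_seen"}
        self.idle_timeout = idle_timeout          # seconds of inactivity before expiry
        self.absolute_timeout = absolute_timeout  # hard lifetime regardless of activity
        self._clock = clock                       # injectable so expiry can be tested

    def create(self, user: str) -> str:
        # 32 bytes from the OS CSPRNG. Never derive a token from a user id, a
        # timestamp or a counter: those are guessable, random bytes are not.
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user for a live session, or None. Dead sessions are purged."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if (now - s["created"] > self.absolute_timeout
                or now - s["last_seen"] > self.idle_timeout):
            del self._sessions[token]        # the stale token is now worthless
            return None
        s["last_seen"] = now                 # activity resets the idle timer only
        return s["user"]

    def logout(self, token: str) -> bool:
        # Server-side invalidation: after this, a copied token no longer works.
        return self._sessions.pop(token, None) is not None

    def rotate(self, token: str) -> Optional[str]:
        """Issue a new token for the same user (e.g. after a privilege change) and kill the old one."""
        user = self.validate(token)
        if user is None:
            return None
        del self._sessions[token]
        return self.create(user)


class FakeClock:
    """Test clock so the demo can fast-forward time deterministically."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def session_demo() -> dict:
    clock = FakeClock()
    store = SessionStore(idle_timeout=900, absolute_timeout=8 * 3600, clock=clock)
    r = {}
    t1 = store.create("alice")
    r["fresh"] = store.validate(t1)              # "alice"
    clock.advance(600)
    r["active"] = store.validate(t1)             # "alice": 600 s idle is under the limit
    clock.advance(1000)
    r["idle_expired"] = store.validate(t1)       # None: 1000 s idle exceeds 900 s
    t2 = store.create("alice")
    r["distinct_tokens"] = t1 != t2              # True: every session gets a new token
    r["logged_out"] = store.logout(t2)           # True
    r["after_logout"] = store.validate(t2)       # None: the "forgotten tablet" case
    t3 = store.create("bob")
    t4 = store.rotate(t3)
    r["old_after_rotate"] = store.validate(t3)   # None
    r["new_after_rotate"] = store.validate(t4)   # "bob"
    t5 = store.create("carol")
    clock.advance(8 * 3600 + 1)
    r["absolute_expired"] = store.validate(t5)   # None: hard lifetime exceeded
    return r


if __name__ == "__main__":
    for k, v in session_demo().items():
        print(f"{k}: {v}")
```

Because validity lives on the server, an exposed token is only as dangerous as the window the store leaves open; short idle timeouts, an absolute lifetime and explicit invalidation on logout close that window even when the user never taps “Log out”.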
Mobile device security threats are both increasing in number and evolving in scope. To protect devices and data, users must understand common threat vectors and prepare for the next generation of malicious activity.
A robust internet security solution should provide comprehensive coverage that extends beyond desktops and laptops to mobile devices, IoT devices and other internet connection points. Furthermore, your personal network and devices need to be protected while in use away from home, not only behind your home router.
According to Infosec Institute training materials, broken cryptography arises in two ways: developers use weak or outdated encryption algorithms, or they fail to implement strong algorithms correctly. In the first case, developers may reach for familiar algorithms with known weaknesses to speed up development, and a motivated attacker can exploit those weaknesses, for example to recover passwords and gain access. In the second case, developers choose strong algorithms but undermine them with implementation mistakes (such as hard-coded keys, missing salts or predictable random values), “back doors” that leave the data little better protected than if no encryption had been used.
For example, attackers may be unable to crack the passwords themselves, but if the code contains flaws that let them alter high-level app functions, such as sending or receiving text messages, they do not need a password to cause harm. Here, the onus is on developers and organizations to enforce encryption standards, and to review how those standards are applied, before apps are deployed.
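The “strong algorithm, broken use” case above is easiest to see with password storage, the scenario the text itself names. The block below is an added illustration, not code from the original article or from DigitalBank Vault or Infosec Institute: it hashes the same small set of passwords two ways, plain unsalted SHA-256 (a sound primitive used wrongly) and PBKDF2-HMAC-SHA256 with a per-user salt and a high iteration count, then runs the same offline dictionary attack against both. The wordlist, users and passwords are constructed, and the function names (weak_hash, strong_hash, crack_weak, crack_strong, password_demo) are hypothetical.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed wordlist: stands in for the attacker's dictionary.
WORDLIST = ["password", "letmein", "summer2020", "qwerty", "hunter2"]

# Iteration count for PBKDF2-HMAC-SHA256 (the figure currently recommended by the
# OWASP Password Storage Cheat Sheet). Raising it raises the attacker's cost per guess.
ITERATIONS = 600_000


def weak_hash(password: str) -> str:
    # SHA-256 is not broken; using it unsalted and single-pass for passwords is.
    return hashlib.sha256(password.encode()).hexdigest()


def crack_weak(store: dict) -> dict:
    # One precomputed table serves every user: no salt means identical
    # passwords hash identically, and each guess costs a single SHA-256.
    table = {weak_hash(w): w for w in WORDLIST}
    return {user: table[h] for user, h in store.items() if h in table}


def strong_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    salt = salt if salt is not None else os.urandom(16)   # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Self-describing record so parameters can be raised later without a flag day.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison: string != would leak how many leading bytes matched.
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_strong(store: dict) -> Tuple[dict, int]:
    # The per-user salt kills the shared table, so every guess must be
    # re-derived for every user at full PBKDF2 cost. Weak passwords still fall;
    # the defence is to make each guess expensive, not to make guessing impossible.
    found, guesses = {}, 0
    for user, stored in store.items():
        for w in WORDLIST:
            guesses += 1
            if verify_strong(w, stored):
                found[user] = w
                break
    return found, guesses


def password_demo() -> dict:
    passwords = {"alice": "summer2020", "bob": "hunter2"}   # constructed users
    weak_store = {u: weak_hash(p) for u, p in passwords.items()}
    strong_store = {u: strong_hash(p) for u, p in passwords.items()}
    weak_found = crack_weak(weak_store)
    strong_found, guesses = crack_strong(strong_store)
    return {
        "weak_cracked": weak_found,                   # both users, from one 5-entry table
        "weak_same_pw_same_hash": weak_hash("x") == weak_hash("x"),      # True
        "strong_same_pw_diff_hash": strong_hash("x") != strong_hash("x"),  # True: salt
        "strong_cracked": strong_found,               # still both: they are in the wordlist
        "strong_guesses": guesses,                    # 3 for alice + 5 for bob = 8
        "strong_cost_per_guess": ITERATIONS,          # vs 1 SHA-256 per guess above
        "verify_ok": verify_strong("hunter2", strong_store["bob"]),   # True
        "verify_bad": verify_strong("hunter3", strong_store["bob"]),  # False
    }


if __name__ == "__main__":
    for k, v in password_demo().items():
        print(f"{k}: {v}")
```

Both stores give up the two dictionary passwords, which is the honest lesson: slow, salted hashing multiplies the attacker’s work by the iteration count and the number of users rather than making weak passwords safe. The difference is that the unsalted store falls to one table computed once, while the PBKDF2 store forces a full-cost derivation per user per guess, and the same record format lets the iteration count be raised as hardware gets faster.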