How Bugs in the API Can Tell You Users’ Credentials

When talking about security, we should always remember that this is a never-ending process of development. During this process, all shots are allowed  - we use hardware, software, and procedural methods. But it looks like the battle between good and evil never stops, that is why knowing your enemy is extremely important.

Applications now become more vulnerable to a variety of threats, as more apps become accessible via networks. The level of security shows how much safety you’re ready to give the users, and hence, how confident they would feel about your work. This is one of the main points if we touch on the reputation of your startup.

Attacks and their consequences

Using your smartphone doesn’t seem a big deal, but the amount of every hour attacks on mobile devices rises each year all over the world. For a developer, this is the field of special attention. Here we work with a so-called “malware” (short for “malicious software”), by which we understand any disruptive software created to damage mobile or computer operations.

There are three areas for developers to take care of:

  • Sensitive data a user manages day after day: credit card numbers, activity logs (for example, calls or calendar), authentication information, and any other private information.
  • User’s identity. This variant is possible in the case when a smartphone is somehow associated with one specific person.This identity information may be useful for an attacker who’s planning to commit other offenses under someone else’s name.
  • Availability of a smartphone. An attacker limits access to a device and makes a smartphone impossible to use.

As for possible consequences, their amount springs up like mushrooms overnight. We consider the most well-spread actions of attackers.

  • As we’ve mentioned before, a user’s identity may be stolen. This threat is especially dangerous in those countries where smartphones have become not just devices for mobile connection. They are used to place orders, open bank accounts or even serve as identity cards.
  • A mobile phone can become an attacker’s zombie machine. It means he will manipulate a smartphone on distance and use it, for example, to send unsolicited messages (spam, put simply).
  • “Battery exhaustion” means that an attacker launches an application on a mobile device which recharges its battery, requiring a lot of energy.
  • Any personal or professional information can be removed from a smartphone. Here we mean either photos and music or professional contacts and notes.
  • An attacker can record conversations on a mobile phone to send them to a third party. It causes privacy and industrial security problems.

To know better which tendencies exist now in the field of mobile security, we’ll consider a spreadsheet from the last Security Report published by Check Point in spring 2016.

Recognizable bot attacks in 2015

As you’ve probably noticed, stealing credentials and sensitive information is a basic interest for attackers and should the main reason for developers’ concern.

What problems cause an incorrect token

This concrete case is about how an incorrect token can help attackers to get info about all users in your application.

First of all, let's see what is an authentication token. It is an "electronic key" which is used to prove user's identity. Here’s how an authentication token works from the user’s perspective:

  • A user opens up your mobile app and is prompted for the username (or email) and password.
  • You send a POST request from your mobile app to your API service with the user’s username or email and password data included.
  • You validate the user credentials and create an access token for the user that expires after a certain period of time.
  • You store this access token on the mobile device, treating it like an API key which lets you access your API service.
  • Once the access token expires and no longer works, you re-prompt users for their username (or email) and password.

Tools which we used for testing this case. (Black box)

  1. IPhone 6 with installed app
  2. Burp Suite

How to find problems in your API in 3 steps

The first step is to create a proxy connection in the mobile phone and a sniffing tool.

The second step is to get and save API calls which a user sends from mobile phone to your server when login. For understanding how the backend generates a token, we log in with two different users’ credential.

Login request from the user number one:

Login request from first user

Login request from the user number two:

Login request from second user

As you can see, we sent two login requests from two different users but with same auth tokens and got them from the server successfully for both requests.

The third step is to get a request from the user profile screen and a response on it from the server.

Request from the profile screen:

Request from profile screen

Response on it:

Response from server

A significant issue is that the password is not encrypted in the response. Generally, for this screen, we don't need the password at all.

Now we know how one can get data for the user’s profile and we know that the server sends user's email and an encrypted password in response.Let's just edit this request and try to get a response with data from the other profile. The last request was with user ID 122, now we will send user ID 121.

Request to get data from for the other profile

Voila! We successfully got a response with the credential from another user’s profile.

Response with credentials from another user's profile

In the end, it may be noted that any attacker can get credentials of all users in this application.

Take care of application security

Feeling safe is one of the basic human needs. And if we live in the mobile era, developers should satisfy this need completely. There are more and more attackers appear all over the world, and methods they use are improved every day. That is why lots of companies now are interested in researching not just past experiences but also future tendencies of possible threats.

It turned out that various types of private information and users’ credentials are in the biggest danger now. Above all, we’re talking about the personality, one of the most important human values. As developers, we create a value but not take it away providing users with a low level of security. The method described in the article is only one among plenty of others, but we hope it could be a reason for you to think about users’ safety even more thoroughly.

If your application connects to a secure server, managing credentials shows your professionalism. Data in foolproof security systems is saved in memory, not on the disk. At the same time, storing usernames and passwords with an access token wouldn’t be a good idea. As your application communicates with lots of people, comfort them with the best you have, including a perfectly built security system.

Tecsynt mobile development company

Read Next

Transferring app project from one development team to another
Transferring app project from one development team to another
How to Build a Secure and Easy Mobile Payment app
How to Build a Secure and Easy Mobile Payment app
7 Mobile Marketing Metrics: What To Choose
7 Mobile Marketing Metrics: What To Choose
Don’t leave us hanging!
Get in Touch