
Securing Mobile Applications: Best Practices for iOS and Android Developers - Part 3

Muhammad Mohsin Raza
6 Min Read Time

In the previous part of this blog series, we discussed best practices for securing mobile applications, focusing on data storage and privacy requirements. Now, we move forward to another critical aspect of mobile security—authentication and session management.


Authentication and Session Management Requirements

Most mobile apps connect to a remote service where users log in. Even though most of the work happens on the backend, the Mobile Application Security Verification Standard (MASVS) sets some basic rules for how sessions and accounts should be managed.


If the app allows users to access a remote service, it must have some form of authentication, like a username and password, at the remote endpoint.


If a mobile app connects to a remote service, it should authenticate users with a method such as email and password at the remote endpoint. This verifies the user's identity, prevents unauthorized access, and ensures that only authenticated users can interact with the remote service.


Scenario

A mobile app allows users to access a remote service, like viewing personal data, making transactions, or using restricted content, but does not have proper authentication at the endpoint.


Attack

Apps without authentication are easy to attack. Attackers can impersonate legitimate users and gain access to sensitive data. If authentication is missing at the endpoint, an attacker can replay valid requests to perform unauthorized actions.

If authentication is only on the client side and not on the remote server, attackers can bypass the app, steal user credentials, or retrieve user data. Attackers can also overload the service, causing a Denial of Service (DoS) attack.


Mitigation

Secure authentication methods like username/password, OAuth, or JWT should be used at remote endpoints. This ensures that users are verified before accessing the service.

A token should be issued once the user logs in. This token should be attached to every request, and the system should check the token each time to verify the user.


The Remote Endpoint Must End the Session When the User Logs Out

When a user logs out, the remote service should end the session by expiring the session token. This prevents session hijacking, where attackers keep using an old session.


Scenario

A mobile app connected to a remote service does not end the session after the user logs out. The session remains active.

Attack

If an attacker gets access to a session token using Cross-Site Scripting (XSS), they can continue using the session even after the user has logged out.

Mitigation

The remote endpoint should invalidate the token when the user logs out. This ensures that the old session cannot be used again. This step protects user data and prevents unauthorized access after logout.


The Remote Endpoint Should Block Too Many Login Attempts

The backend should have a system that limits invalid login attempts. If a user enters the wrong password too many times, their account should be locked. This helps prevent brute-force attacks and improves security.


Scenario

A mobile app does not block an account even if there are too many failed login attempts.


Attack

If there is no limit on failed login attempts, attackers can use automated tools to try different passwords until they break in. This is called a brute-force attack.

If too many login requests are sent at the same time, the server can slow down or crash, causing a Denial of Service (DoS) attack that affects real users.


Mitigation

The remote endpoint should limit the number of login attempts from a single IP address or user account within a short time.

There are two ways to do this:

  1. Lock the account after too many failed attempts.
  2. Use CAPTCHA to block automated attacks after multiple failed logins.
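The following is an added example (not code from the article or from Arbisoft) of the first mitigation, a server-side lockout after too many failed logins. It throttles both the account name and the client address, so that guessing one account from many addresses and spraying many accounts from one address are both caught. The limits, the demo credential store, and the `attempt_login` handler are assumptions made for the example.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field

# Policy values are assumptions for the demo, not figures from the article.
MAX_FAILURES = 5           # failed logins tolerated inside the window
WINDOW_SECONDS = 5 * 60    # failures older than this no longer count
LOCKOUT_SECONDS = 15 * 60  # how long a key stays locked after hitting the limit


@dataclass
class AttemptRecord:
    failures: list = field(default_factory=list)  # timestamps of recent failed attempts
    locked_until: float = 0.0


class LoginThrottle:
    """Tracks failed logins per key (an account name or a client IP) and locks the key
    once the limit is reached inside the window."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._records = {}

    def is_locked(self, key, now=None):
        now = time.time() if now is None else now
        rec = self._records.get(key)
        return rec is not None and rec.locked_until > now

    def record_failure(self, key, now=None):
        """Register a failed attempt; returns True if the key is now locked."""
        now = time.time() if now is None else now
        rec = self._records.setdefault(key, AttemptRecord())
        rec.failures = [t for t in rec.failures if now - t < self.window]
        rec.failures.append(now)
        if len(rec.failures) >= self.max_failures:
            rec.locked_until = now + self.lockout
            rec.failures.clear()
        return self.is_locked(key, now)

    def record_success(self, key):
        """A successful login clears the failure history for the key."""
        self._records.pop(key, None)


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed demo credential store (username -> (salt, pbkdf2 hash)); not real accounts.
_DEMO_SALT = b"demo-salt-not-for-production"
USERS = {"alice": (_DEMO_SALT, _hash_password("correct horse battery staple", _DEMO_SALT))}


def attempt_login(throttle, username, password, client_ip, now=None):
    """Server-side login handler (hypothetical). Returns 'locked', 'ok' or 'invalid'."""
    now = time.time() if now is None else now
    user_key, ip_key = f"user:{username}", f"ip:{client_ip}"
    # Refuse before any password check while either the account or the address is locked.
    if throttle.is_locked(user_key, now) or throttle.is_locked(ip_key, now):
        return "locked"
    record = USERS.get(username)
    # Hash even for unknown usernames so response time does not reveal which accounts
    # exist, and compare digests in constant time.
    salt, stored = record if record else (_DEMO_SALT, b"\x00" * 32)
    computed = _hash_password(password, salt)
    if record is not None and hmac.compare_digest(computed, stored):
        # Clear only the account's history: a valid login to one account must not reset
        # the address counter and let a spray from that address continue.
        throttle.record_success(user_key)
        return "ok"
    throttle.record_failure(user_key, now)
    throttle.record_failure(ip_key, now)
    return "invalid"


if __name__ == "__main__":
    t = LoginThrottle(max_failures=3)
    for i in range(3):
        print(attempt_login(t, "alice", "guess", "203.0.113.5", now=1000 + i))
    print(attempt_login(t, "alice", "correct horse battery staple", "203.0.113.5", now=1004))
```

Passing `now` explicitly makes the policy testable without sleeping; in production the default `time.time()` is used and the records would live in a shared store (a database or cache) rather than in one process's memory, so that every backend instance sees the same counts.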


Sessions Should End After a Set Time of Inactivity, and Access Tokens Should Expire

Access tokens should be designed to expire after a certain time. This ensures that users have to log in again after a while. It also reduces the risk of session hijacking and other security threats.


Scenario

A mobile app connected to a remote service does not have an auto-logout feature. If a user logs in and forgets to log out, their session remains active forever.


Attack

If an attacker steals the token using phishing, XSS, or network eavesdropping, they can use it to access the user’s account.

If the token does not expire, the attacker can continue using the stolen session for a long time without needing to log in again.


Mitigation

The remote endpoint should:

  • End inactive sessions after a certain period.
  • Set an expiry time for tokens. This forces users to re-authenticate after a while, reducing the risk of stolen tokens being misused.
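The following is an added example (not code from the article or from Arbisoft) of the server-side session handling described in this post: a token issued at login and checked on every request, invalidated at logout, and expired both after a fixed lifetime and after a period of inactivity. The `SessionStore` class, the `handle_request` endpoint and the lifetime values are assumptions made for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Lifetimes are assumptions for the demo; pick values that fit the app's risk profile.
ABSOLUTE_LIFETIME = 8 * 3600   # a token dies this long after issue, however active
IDLE_TIMEOUT = 15 * 60         # a token dies after this much inactivity


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float
    revoked: bool = False


class SessionStore:
    """Server-side session registry keyed by a hash of the token, so that a copy of the
    store does not hand out usable tokens. Every check happens on the server."""

    def __init__(self, absolute_lifetime=ABSOLUTE_LIFETIME, idle_timeout=IDLE_TIMEOUT):
        self.absolute_lifetime = absolute_lifetime
        self.idle_timeout = idle_timeout
        self._sessions = {}  # sha256(token) -> Session

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, now=None):
        """Called after the credential check succeeds; returns the bearer token for the client."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
        self._sessions[self._key(token)] = Session(user, now, now)
        return token

    def verify(self, token, now=None):
        """Return the user behind a live session, or None. Refreshes the idle timer on success."""
        now = time.time() if now is None else now
        sess = self._sessions.get(self._key(token))
        if sess is None or sess.revoked:
            return None  # unknown token, or the user logged out
        if now - sess.created_at > self.absolute_lifetime:
            return None  # hard expiry: the user must log in again
        if now - sess.last_seen > self.idle_timeout:
            return None  # inactivity expiry
        sess.last_seen = now
        return sess.user

    def logout(self, token):
        """Invalidate the session on the server; the client discarding the token is not enough."""
        sess = self._sessions.get(self._key(token))
        if sess is not None:
            sess.revoked = True

    def purge(self, now=None):
        """Drop dead sessions so the store does not grow without bound; returns the live count."""
        now = time.time() if now is None else now
        self._sessions = {
            k: s for k, s in self._sessions.items()
            if not s.revoked
            and now - s.created_at <= self.absolute_lifetime
            and now - s.last_seen <= self.idle_timeout
        }
        return len(self._sessions)


def handle_request(store, headers, now=None):
    """Minimal protected endpoint (hypothetical): every request must carry a live token."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing token"
    user = store.verify(auth[len("Bearer "):], now=now)
    if user is None:
        return 401, "session expired or invalid"
    return 200, f"hello {user}"


if __name__ == "__main__":
    store = SessionStore()
    token = store.issue("alice")
    print(handle_request(store, {"Authorization": "Bearer " + token}))
    store.logout(token)
    print(handle_request(store, {"Authorization": "Bearer " + token}))
```

The two timers serve different purposes: the idle timeout closes sessions left open on a forgotten device, while the absolute lifetime bounds how long a stolen token stays useful even if the attacker keeps it active. Revocation is recorded server-side, which is what lets logout cut off a token an attacker already copied.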


Lastly,

By enforcing strong authentication and session management practices, mobile applications can significantly reduce security risks, protect user data, and prevent unauthorized access. Implementing these measures at the remote endpoint ensures a more secure and resilient mobile experience for users.
