Mobile Devs Making the Same Security Mistakes Web Devs Made in the Early 2000s (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: Mobile app developers are going through the same growing pains that the webdev scene has gone through in the 90s and 2000s when improper input validation led to many security incidents. But while mobile devs have learned to filter user input for dangerous strings, some of these devs have not learned their lesson very well.

In a research paper published earlier this year, Abner Mendoza and Guofei Gu, two academics from Texas A&M University, have highlighted the problem of current-day mobile apps that still include business logic (such as user input validation, user authentication, and authorization) inside the client-side component of their code, instead of its server-side section. This regrettable situation leaves the users of these mobile applications vulnerable to simple HTTP request parameter injection attacks that could have been easily mitigated if an application's business logic had been embedded inside its server-side component, where most of these operations belong.


Comments:
  • These are idiot developers.
    • by gweihir ( 88907 )

      Well, since it is a growing body of incompetent developers, it is at least a growing pain. The ever more complicated field of half-assed "frameworks" and intransparent mechanisms used makes things worse. The sheer amount of over-complicated, non-intuitive, "magic" technology used in the web and app fields is absolutely staggering and will never be secure.

    • If there's one constant in software development, it's that nobody learns from the past. It's not a new problem either.

  • by Jason Levine ( 196982 ) on Monday June 04, 2018 @12:18PM (#56726020)

    There's nothing wrong with Client Side validation. It lets you prompt the user to correct their mistakes. Of course, this client side validation shouldn't be trusted when the data gets to the server-side. You need to check it on the server side also. Client Side verification has its place in any good web application.

    • by ctilsie242 ( 4841247 ) on Monday June 04, 2018 @12:30PM (#56726106)

      You need both. Client side is for sanity checking, just so the obvious security issues don't make it to the server and take up server resources (bandwidth, etc.). For sense of security, everything needs to be checked at the server side, as -nothing- should be trusted. Sorry, Bobby Tables.

    • by gweihir ( 88907 ) on Monday June 04, 2018 @01:07PM (#56726344)

      Client-side: Usability.
      Server-side: Security.
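
The point made in this sub-thread and in the summary above is that the app's validation is a usability aid and the server must re-derive everything that matters for security. As an added example (not code from the article, the paper, or any commenter), here is a toy "place order" endpoint in Python implemented twice: once trusting the values the app sent, once recomputing price and role on the server. The catalog, session tokens, field names and the `tamper()` helper are all constructed for illustration.

```python
"""
Client-side validation for usability, server-side validation and
authorization for security. Constructed example: a toy "place order"
endpoint with (a) a server that trusts what the app sent, and (b) a
server that re-derives every security-relevant value itself.
Catalog, session tokens and field names are hypothetical.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Server-side catalog: the only trustworthy source of prices (constructed data, cents).
CATALOG = {"widget": 19_99, "gadget": 49_99}
MAX_QTY = 10

# Server-side session store: the user's role comes from here, never from the request.
SESSIONS = {"tok-alice": {"user": "alice", "role": "customer"},
            "tok-admin": {"user": "root", "role": "admin"}}


def client_validate(item: str, qty: int) -> Optional[str]:
    """What the mobile app does before sending: purely a usability aid.
    Returns a message to show the user, or None if the form looks fine."""
    if item not in CATALOG:
        return "unknown item"
    if not 1 <= qty <= MAX_QTY:
        return f"quantity must be 1-{MAX_QTY}"
    return None


def client_build_request(token: str, item: str, qty: int, is_admin: bool = False) -> str:
    """The JSON body the app sends. It ships a client-computed total and a role
    flag: exactly the kind of parameter an attacker can rewrite in transit."""
    body = {"token": token, "item": item, "qty": qty,
            "total": CATALOG[item] * qty, "is_admin": is_admin}
    return json.dumps(body)


@dataclass
class Order:
    user: str
    item: str
    qty: int
    total: int
    admin: bool


def vulnerable_handle(raw: str) -> Order:
    """Anti-pattern: business logic lives in the app, the server just records
    whatever arrived. A tampered 'total' or 'is_admin' is accepted as-is."""
    req = json.loads(raw)
    user = SESSIONS[req["token"]]["user"]
    return Order(user, req["item"], req["qty"], req["total"], req["is_admin"])


def hardened_handle(raw: str) -> Order:
    """Same endpoint with validation and authorization on the server:
    every value the client could have forged is recomputed or ignored."""
    req = json.loads(raw)
    session = SESSIONS.get(req.get("token"))
    if session is None:
        raise PermissionError("invalid session")
    item = req.get("item")
    qty = req.get("qty")
    if item not in CATALOG:
        raise ValueError("unknown item")
    # bool is a subclass of int in Python, so reject it explicitly.
    if not isinstance(qty, int) or isinstance(qty, bool) or not 1 <= qty <= MAX_QTY:
        raise ValueError("invalid quantity")
    # Price is recomputed from the catalog; the client-sent 'total' is ignored.
    total = CATALOG[item] * qty
    # Authorization comes from the session, not from a request parameter.
    admin = session["role"] == "admin"
    return Order(session["user"], item, qty, total, admin)


def tamper(raw: str, **changes) -> str:
    """Simulate an intercepting proxy rewriting parameters after the app's
    own validation has already run (the request parameter injection case)."""
    req = json.loads(raw)
    req.update(changes)
    return json.dumps(req)


if __name__ == "__main__":
    legit = client_build_request("tok-alice", "widget", 2)
    forged = tamper(legit, total=1, qty=999, is_admin=True)
    print("vulnerable:", vulnerable_handle(forged))   # honours total=1, qty=999, admin
    try:
        hardened_handle(forged)
    except ValueError as e:
        print("hardened rejected:", e)
    print("hardened legit:", hardened_handle(legit))
```

The client-side check still runs first and gives the user an immediate "quantity must be 1-10" without a round trip; the server simply does not assume it ran. Anything the client could have computed (the total) is recomputed, anything the client could have claimed (the role) is taken from server-side state instead.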

  • I don't think Web developers necessarily learned the lesson very well. Javascript-heavy (client-side JS) web apps with insecure RESTful backend also suffer from the same issues. I'm seeing a lot of those recently.

    Hasn't Panera Bread just recently [slashdot.org] suffered from a similar issue?
  • by llamalad ( 12917 ) on Monday June 04, 2018 @12:23PM (#56726054)

    It's funny how the media speaks of "software devs" like they're a cohesive body of professionals.

    In fact it's largely a bunch of people straight out of a coding bootcamp in over their heads with titles like "senior full stack developer" who think they're 10x rockstars because they can code Hello World.

    Managers love these folks because they work for peanuts + inflated job title. Need someone to cut corners to meet a deadline? Or to take some unethical business idea and build it into software? These are your guys.

    Find me someone who's worked his ass off getting licensed to practice their profession who's willing to put their livelihood, license, and professional liability insurance premiums on the line to save a couple bucks here and there.

    It's time for software to mature like other niches have- plumbers, electricians, structural engineering, for example. You DIY your projects around the house until you burn it down or the building inspector condemns it, and you should be able to do the same with your own computing hardware until you let the blue smoke out of it or it simply grinds to a halt under a malware infestation. But if folks are going to build apps for money they should be certified and accountable for ensuring their work meets reasonable standards.

    • Licensed engineers have the power to tell their boss NO, THAT IS UNSAFE.

    • Licensing drives up salaries; it will never happen.
    • Find me someone who's worked his ass off getting licensed to practice their profession who's willing to put their livelihood, license, and professional liability insurance premiums on the line to save a couple bucks here and there.

      Doctors and Lawyers exist. And they go through extremely lengthy and difficult licensing/education regimes. And they provide plenty of examples of people who did exactly what you claim they would not.

    • That's what ratings are for - your app store is more effective than any state licensing board. Though to be fair, liability should not be able to be waived with an EULA.

      Anyway, software design isn't at all like structural engineering. Gravity is consistent. Winds have a 100-year maximum, and you can build a seismic safe building anywhere if you want to pay for it and avoid outlier risks.

      With software, you have a building. The earth may suddenly turn to quicksand, your building may be attacked by dinosa

      • The vast majority of ratings are given by people even more clueless than the developers. It's basically the same problem as elections in a democracy - they've devolved into a popularity contest, where the winner is simply who can manipulate their public image via the media and advertisements, to most appeal to enough voters to get elected.

        What's needed is some unbiased pool of experts who can evaluate software, and give it their stamp of approval that it's passed attacks along known vectors like SQL que
  • by Anonymous Coward

    The singularity AI will fix all that... BIGLY! Just dont try to buy a cake.. its against our beliefs to sell YOU anything.... FREEDUMBS 4 ALL!

  • people. Mobile apps are now the area inexperienced people will start writing their first public code. Before that it was web design and before that it was writing Windows desktop applications.

    Some of those people will then grow up and most likely leave that field, just as the mobile app environments are as shitty as the web design environments or the Windows desktop application ones.

  • This presumes that web devs don't make these mistakes anymore.

    They make this sort of mistake all the time. The difference is that any big, recognizable name that failed to fix this ultimately failed for one reason or another. Look at smaller sites or internal services at companies that are home grown, they are still chock full of this stuff.

    • It also presumes that the mobile devs are writing the backends. Otherwise how is it the mobile dev's fault that the backend isn't validating data?

  • by asylumx ( 881307 ) on Monday June 04, 2018 @12:47PM (#56726210)

    Newsflash, webdevs still make these same mistakes. Oftentimes there is little or no distinction between a "web dev" and a "mobile dev" in reality.
    • by gweihir ( 88907 )

      Still the same incompetents that have no business coding anything connected to the Internet.

  • by gweihir ( 88907 ) on Monday June 04, 2018 @01:00PM (#56726298)

    More and more coders. Still the same (very small) number of people that can learn to code well. What do you expect? And no, coding well is not something everybody can learn. Might as well claim that anybody can be a PhD level Mathematician or a competent brain surgeon. Not so, not so in the least. And that utterly mistaken and completely unfounded belief is at the root of the problem.

  • This is absolutely true. The easiest way to see this is to connect your phone through a captive portal which injects content (such as ads) into web pages. Then watch as they start showing up in apps instead! And if you think this is just bottom-tier, b00by devs, think again. For the first two years or so of Instagram existing, this was an issue. I only discovered it on accident one time when using in-flight WiFi, and had the airline's advertising at the top of my Instagram feed inside of their Android app.

  • Stop forcing mobile users to download your "app" in order to use services and product (VENMO!).

  • ...inside its server-side component, where most of these operations belong.

    Particularly with mobile, it often makes sense to validate both places. Avoid a network call if you can.

  • two academics from Texas A&M University, have highlighted the problem of current-day mobile apps that still include business logic (such as user input validation, user authentication, and authorization) inside the client-side component of their code, instead of its server-side section.

    Maybe they want their app to be responsive and not spin waiting for the server to respond with "invalid input".

    • Maybe they should be validating in both places. That way you get responsiveness on the client and security on the server.

  • Web developers are still doing a bad job. They fail to filter out unnecessary characters and reject perfectly reasonable input. Telephone numbers are a classic web dev fail. All of these should be valid:
    (508) 999-1010
    1-508-999-1010
    5089991010
    508-999-1010
    and more.

    Credit card numbers, dates and others are also major fail points.
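
As an added example (not the commenter's code), here is a Python normalizer that accepts the formats listed above and several others, canonicalizes them, and still rejects input that is not a phone number. The approach is to strip formatting punctuation first and validate the digits that remain, rather than rejecting input for containing a parenthesis or a dash. The NANP rule it enforces (area code and exchange code cannot begin with 0 or 1) is the standard one; the length bound and the set of accepted punctuation are assumptions of this example.

```python
import re
from typing import Optional

# Punctuation humans legitimately type around the digits of a North American
# number: whitespace, parentheses, dots and dashes (an assumption of this example).
_PUNCT = re.compile(r"[\s().\-]")


def normalize_nanp_phone(raw: str) -> Optional[str]:
    """Accept the formats people actually type for a US/Canada number and
    return it in canonical E.164 form (+1NXXNXXXXXX), or None if the input
    is not a phone number at all."""
    if not isinstance(raw, str) or len(raw) > 32:   # cheap bound before any regex work
        return None
    s = raw.strip()
    plus = s.startswith("+")
    if plus:
        s = s[1:]
    digits = _PUNCT.sub("", s)
    if not digits.isdigit():          # letters or other junk left over: not a number
        return None
    if len(digits) == 11 and digits[0] == "1":
        digits = digits[1:]           # drop the country code / trunk prefix
    elif plus:
        return None                   # a '+' must be followed by the country code
    if len(digits) != 10:
        return None
    # NANP: neither the area code nor the exchange code may start with 0 or 1.
    if digits[0] in "01" or digits[3] in "01":
        return None
    return "+1" + digits


if __name__ == "__main__":
    for sample in ["(508) 999-1010", "1-508-999-1010", "5089991010",
                   "508-999-1010", "+1 508 999 1010", "508.999.1010",
                   "508-999-101O", "123-456-7890", "50899910"]:
        print(f"{sample!r:20} -> {normalize_nanp_phone(sample)}")
```

Validate the canonical form, store the canonical form, and let the UI re-format it for display; the four variants in the comment above all normalize to the same value, while a letter O in place of a zero, a too-short number or an impossible area code are still rejected.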

  • Implementing secure protocols takes development time and knowledge. Time equals money: either more developers are needed or more development time (i.e. the shiny new product/version comes out the door later).

    When eye candy sells better than some footnote about security in an advert, then guess which qualifications will be in demand from developers and which parts of a project will get more development resources allocated (time, qualified developers)?

    OTOH the costs of even a major security blunder is a bit o
