M1: Improper Credential Usage (2024)
OWASP Risk Analysis
Hardcoded credentials, insecure API key storage, and improper use of biometric or token-based authentication. Attackers extract secrets from app binaries or intercept credentials in transit.
Risk Assessment
Threat Agents
Threat agents exploit hardcoded credentials and improper credential handling in mobile applications through automated attacks using publicly available or custom-built tools.
Attack Vectors (Exploitability: EASY)
Adversaries exploit hardcoded credentials and improperly validated or stored credentials to gain unauthorized access to sensitive functionality or to bypass legitimate access requirements.
Security Weakness (Prevalence: COMMON; Detectability: EASY)
Poor credential management, such as hardcoded credentials and improper credential handling, creates severe security weaknesses. Security testing should identify these issues by locating hardcoded credentials in source code or configuration files.
Technical Impact (Impact: SEVERE)
Unauthorized users might gain access to sensitive information or functionality within the mobile app or backend systems, potentially leading to data breaches, loss of user privacy, fraudulent activity, and access to administrative functionality.
Business Impact (Impact: SEVERE)
Reputation damage, information theft, fraud, and unauthorized access to data.
Am I Vulnerable?
- Hardcoded Credentials: If the mobile app contains hardcoded credentials within the app's source code or any configuration files, this is a clear indicator of vulnerability.
- Insecure Credential Transmission: If credentials are transmitted without encryption or through insecure channels, this could indicate a vulnerability.
- Insecure Credential Storage: If the mobile app stores user credentials on the device in an insecure manner, this could represent a vulnerability.
- Weak User Authentication: If user authentication relies on weak protocols or allows for easy bypassing, this could be a sign of vulnerability.
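The Security Weakness entry above says testing should locate hardcoded credentials in source and configuration files, and the first three indicators in this list are exactly what such a check looks for. The following scanner is an added example written for this page (it is not OWASP code): it walks a set of files, flags secret-labelled string literals in code and Android resource XML, falls back to a shape-plus-entropy rule for unlabelled keys, and flags plain-HTTP endpoint literals that would carry credentials unencrypted. The file contents, paths, key values and the 3.5 bits/character threshold are all constructed for the demonstration.

```python
"""Added example: flag hardcoded credentials and cleartext endpoints in source/config files."""
import math
import re
from collections import Counter
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str
    line: int       # 1-based line number within the file
    rule: str
    evidence: str   # redacted matched value, never the full secret


# Identifier fragments that usually label a secret (extend to taste).
SECRET_NAME = r"(?:password|passwd|pwd|secret|api[_-]?key|token|private[_-]?key)"

# name = "literal"  or  name: "literal"  (Kotlin, Swift, Java, Python, YAML, .properties)
SECRET_ASSIGNMENT = re.compile(
    rf"""(?i)\b[a-z0-9_]*{SECRET_NAME}[a-z0-9_]*\s*[:=]\s*["']([^"']{{6,}})["']"""
)
# <string name="...secret...">literal</string>  (Android resource XML)
SECRET_RESOURCE = re.compile(
    rf"""(?i)<string\s+name=["'][^"']*{SECRET_NAME}[^"']*["']\s*>([^<]{{6,}})</string>"""
)
# Long token-shaped literal: base64/hex/alnum only, so URLs and prose are excluded.
TOKEN_LITERAL = re.compile(r"""["']([A-Za-z0-9+/=_\-]{20,})["']""")
# Plain-HTTP URL literal: anything sent to it crosses the network unencrypted.
CLEARTEXT_URL = re.compile(r"""["'](http://[^"'\s]+)["']""")
# Template references and obvious dummies are not real secrets.
PLACEHOLDER = re.compile(r"^(\$\{|@string/|%|\{\{|CHANGE|REPLACE|YOUR_|TODO)", re.I)

ENTROPY_THRESHOLD = 3.5  # bits per character (constructed threshold); random keys score above it


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    return value[:4] + "..." if len(value) > 4 else value


def scan_text(path: str, text: str) -> List[Finding]:
    """Apply every rule to each line of one file."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        named_hit = False
        for rule, pattern in (("hardcoded-secret-assignment", SECRET_ASSIGNMENT),
                              ("hardcoded-secret-resource", SECRET_RESOURCE)):
            for m in pattern.finditer(line):
                if not PLACEHOLDER.match(m.group(1)):
                    named_hit = True
                    findings.append(Finding(path, lineno, rule, redact(m.group(1))))
        # Unlabelled keys: fall back to shape plus entropy, unless a named rule already fired.
        if not named_hit:
            for m in TOKEN_LITERAL.finditer(line):
                value = m.group(1)
                if not PLACEHOLDER.match(value) and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                    findings.append(Finding(path, lineno, "high-entropy-literal", redact(value)))
        for m in CLEARTEXT_URL.finditer(line):
            findings.append(Finding(path, lineno, "cleartext-endpoint", m.group(1)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory {path: content} map (stands in for a checked-out repo)."""
    results: List[Finding] = []
    for path, text in sorted(files.items()):
        results.extend(scan_text(path, text))
    return results


def rules_by_path(findings: List[Finding]) -> Dict[str, List[str]]:
    out: Dict[str, List[str]] = {}
    for f in findings:
        out.setdefault(f.path, []).append(f.rule)
    return out


# Constructed sample files: two with the problems this page describes, two clean.
SAMPLE_FILES: Dict[str, str] = {
    "app/src/main/java/com/example/Config.kt": (
        "object Config {\n"
        "    const val BASE_URL = \"http://api.example.com/v1/\"\n"
        "    const val API_KEY = \"k7Qx9ZpL2mVe4RtY8nHs1bWc\"\n"
        "    const val ADMIN_PASSWORD = \"Summer2024!\"\n"
        "    const val SIGNING_SEED = \"Zp3qL9vX2mK8rT4wN6yB1cH5\"\n"
        "}\n"
    ),
    "app/src/main/res/values/strings.xml": (
        "<resources>\n"
        "    <string name=\"app_name\">Example Wallet</string>\n"
        "    <string name=\"client_secret\">9f3c1a7e5b2d8c4f6a0e1b3d5c7f9a2b</string>\n"
        "</resources>\n"
    ),
    "app/src/main/java/com/example/Session.kt": (
        "class Session(private val tokenProvider: TokenProvider) {\n"
        "    private val baseUrl = \"https://api.example.com/v1/\"\n"
        "    val accessToken = tokenStore.read()  // obtained at runtime, not a literal\n"
        "}\n"
    ),
    "config/app.yaml": (
        "api_key: \"${API_KEY}\"\n"
        "base_url: \"https://api.example.com/v1/\"\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line} {f.rule} ({f.evidence})")
```

Run it on a checkout before release and wire it into CI; the named-secret rules catch the common case, the entropy rule catches keys that were not labelled, and the cleartext-endpoint rule catches the transmission indicator in the same pass. Placeholders such as `${API_KEY}` are skipped so build-time injection of secrets does not produce noise.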
How Do I Prevent It?
- Avoid Using Hardcoded Credentials: Hardcoded credentials can be easily discovered by attackers and provide an easy access point for unauthorized users. Always avoid using hardcoded credentials in your mobile app's code or configuration files.
- Properly Handle User Credentials: User credentials should always be stored, transmitted, and authenticated securely. Encrypt credentials during transmission. Do not store user credentials on the device. Instead, consider using secure, revocable access tokens. Implement strong user authentication protocols. Regularly update and rotate any used API keys or tokens.
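The second prevention item asks for credentials that are never stored on the device, replaced by secure, revocable access tokens that are rotated regularly. The following backend token service is an added example for this page (not OWASP code) showing what "revocable" and "rotate" mean in practice: the client receives an opaque random token, the server stores only its SHA-256 hash with an expiry, validation fails for expired or revoked tokens, and rotation issues a fresh token while killing the old one. The in-memory dict, the 15-minute default TTL and the `FakeClock` helper are assumptions made for the demonstration; a real deployment would back the table with a database and serve it only over TLS.

```python
"""Added example: opaque, short-lived, revocable access tokens stored as hashes server-side."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class TokenRecord:
    user_id: str
    expires_at: float
    revoked: bool = False


class TokenService:
    """The client keeps the token; the server keeps only its hash.

    A leaked server table cannot be replayed (hashes are not tokens), and a
    leaked token can be revoked or simply expires. SHA-256 is sufficient here
    because the token already carries 256 bits of randomness; a slow password
    hash is only needed for low-entropy, user-chosen secrets.
    """

    def __init__(self, ttl_seconds: int = 900, clock: Callable[[], float] = time.time):
        self.ttl = ttl_seconds          # constructed default: 15 minutes
        self.clock = clock              # injectable for testing expiry
        self._by_hash: Dict[str, TokenRecord] = {}  # stands in for a DB table

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._by_hash[self._digest(token)] = TokenRecord(user_id, self.clock() + self.ttl)
        return token                        # returned once, never persisted in the clear

    def validate(self, token: str) -> Optional[str]:
        """Return the user id for a live token, or None."""
        rec = self._by_hash.get(self._digest(token))
        if rec is None or rec.revoked or self.clock() >= rec.expires_at:
            return None
        return rec.user_id

    def revoke(self, token: str) -> bool:
        rec = self._by_hash.get(self._digest(token))
        if rec is None:
            return False
        rec.revoked = True
        return True

    def revoke_all_for_user(self, user_id: str) -> int:
        """Kill every live session for a user (password change, lost device)."""
        n = 0
        for rec in self._by_hash.values():
            if rec.user_id == user_id and not rec.revoked:
                rec.revoked = True
                n += 1
        return n

    def rotate(self, token: str) -> Optional[str]:
        """Exchange a valid token for a fresh one; the old token stops working."""
        user_id = self.validate(token)
        if user_id is None:
            return None
        self.revoke(token)
        return self.issue(user_id)


class FakeClock:
    """Test helper (constructed): lets the example advance time deterministically."""

    def __init__(self, now: float = 1_700_000_000.0):
        self.now = now

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    svc = TokenService(ttl_seconds=60, clock=clock)
    t1 = svc.issue("alice")
    t2 = svc.rotate(t1)
    print("old token valid after rotate:", svc.validate(t1))   # None
    print("new token valid:", svc.validate(t2))                  # alice
    clock.advance(61)
    print("new token valid after expiry:", svc.validate(t2))    # None
```

The mobile client stores only the token it receives (in the platform keystore or keychain), never the password, and calls `rotate` before the TTL lapses; any token found in a device backup or a captured request is useless after revocation or expiry.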
Example Attack Scenarios
- Hardcoded Credentials: An attacker discovers hardcoded credentials within the mobile app's source code. They use these credentials to gain unauthorized access to sensitive functionality within the app or backend systems.
- Insecure Credential Transmission: An attacker intercepts insecurely transmitted credentials between the mobile app and its backend systems. They use these intercepted credentials to impersonate a legitimate user and gain unauthorized access.
- Insecure Credential Storage: An attacker gains physical access to a user's device and extracts stored credentials from the mobile app. The attacker uses these credentials to gain unauthorized access to the user's account.
Based on OWASP Mobile Top 10 (2024) — the industry standard for mobile app security risks.