On the last day of August, here’s a paper from the Software Engineering Conference ESEM 2021, which investigates an interesting issue: many mobile applications (apps) may have the same or similar security problems as general web applications when communicating with their dedicated servers. The authors tested and analyzed a large number of URLs extracted from Android applications and found that over 69% of the servers of Android applications had three or more security issues. Among these security problems, unprotected communication and misconfiguration were the most common. Specifically, the authors analyzed the prevalence of six types of security issues on mobile application servers and investigated the potential consequences and manifestations of these security issues from a security perspective. Through two data collections spaced 14 months apart, they analyzed the correlation between security issues and server maintenance. The results indicate that servers using the JSON format have 1.5 times as many issues as those not using the JSON format, while closed-source applications have 1.6 times as many issues as open-source applications. Among these security issues, source code and version information leaks, along with lack of updates, pose significant security risks to the servers.
With the development of web services, the number of web-based mobile applications continues to grow, and the security of communication between mobile applications and servers is getting more attention. Many security support tools for mobile applications and server-side development have emerged. However, these tools are often used during the development process to protect the security of mobile applications at the code level, while some existing server-side API configuration security issues have not received enough attention. Previous work has summarized eight potential security issues that mobile application server-side APIs may have; therefore, the authors mainly address the following two questions:
- How prevalent are these server-side security issues in mobile applications?
- What is the correlation between these security issues and server maintenance?
During the research process, the authors mainly analyzed six of the eight security issues and summarized the characteristics of these security issues:
- Insecure transport channel: The HTTP protocol, which provides no security protection, is used instead of the more secure HTTPS protocol, so everything is transmitted in plaintext and nothing is encrypted. Characteristics: the URL starts with http://.
- Disclosure of source code: Errors on the server side are not handled properly, and error messages are returned directly to the mobile application. These error messages may contain the call stack where the error occurred, leaking method names, source code file names, and line numbers, and may even include snippets of the faulty code. Characteristics: the HTTP response body contains the call stack or code snippets where the error occurred.
- Disclosure of version information: Some HTTP headers returned by the server (such as X-Powered-By) may leak the program's version information. For older versions of the program, attackers may directly use these version details to find corresponding vulnerabilities. Characteristics: the HTTP response headers contain one of the following fields: engine, server, x-aspnet-version, x-powered-by.
- Lack of access control: Access to sensitive data and sensitive operations is not strictly controlled; authentication methods that are easy for attackers to forge are used, or no authorization check is implemented at all, so all data is handed directly to any visitor. Characteristics: the server does not return 401 Unauthorized or 403 Forbidden but allows access to the data without any credentials being provided.
- Missing HTTPS redirects: Although the server supports the encrypted HTTPS protocol, it does not redirect HTTP requests to HTTPS, so older versions of the application that still initiate HTTP requests are served over the unprotected HTTP protocol. Characteristics: HTTP requests are not redirected to HTTPS via an HTTP 3xx response but continue over HTTP.
- Missing HSTS: HTTP Strict Transport Security (HSTS) protects against downgrade attacks from HTTPS to HTTP. If HSTS is not configured, an attacker in a man-in-the-middle (MITM) position can redirect the user's requests to HTTP and attack them. Characteristics: the HTTP response headers do not contain the Strict-Transport-Security field.
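The six characteristics above can be checked mechanically against a captured response, which is what makes them useful as a self-assessment for one's own API servers. The following Python checker is an added example, not the paper's tooling; the Response structure, the issue names and the stack-trace patterns are our own assumptions, and the sample responses are constructed.

```python
import re
from dataclasses import dataclass

# Response headers the paper treats as version disclosure (compared case-insensitively).
VERSION_HEADERS = {"engine", "server", "x-aspnet-version", "x-powered-by"}

# Assumed approximation of "the body contains a call stack or code snippet",
# covering the frameworks the paper names (ASP.NET, PHP, CherryPy/Python, Java, NodeJS).
STACK_TRACE = re.compile(
    r"Stack Trace:|Source Error:"                        # ASP.NET error page
    r"|Traceback \(most recent call last\)"              # Python / CherryPy
    r"|Fatal error\b.*on line \d+"                       # PHP
    r"|\bat .+?\([^()]*\.(?:cs|java|js):\d+(?::\d+)?\)"  # Java / NodeJS frames
)

@dataclass
class Response:
    url: str                        # the URL the app requested
    status: int
    headers: dict                   # raw header name -> value
    body: str = ""
    credentials_sent: bool = False  # did the request carry any credential?

def check_server(resp: Response) -> set:
    """Return the names of the paper's six issues whose characteristic matches."""
    issues = set()
    hdr = {k.lower(): v for k, v in resp.headers.items()}
    if resp.url.lower().startswith("http://"):
        issues.add("insecure_transport")
        # Only a 3xx pointing at an https:// Location counts as a redirect to HTTPS.
        location = hdr.get("location", "").lower()
        if not (300 <= resp.status < 400 and location.startswith("https://")):
            issues.add("missing_https_redirect")
    if STACK_TRACE.search(resp.body):
        issues.add("source_code_disclosure")
    if VERSION_HEADERS & set(hdr):
        issues.add("version_disclosure")
    # The paper's criterion concerns sensitive data; here every probed endpoint is
    # treated as sensitive, so a 200 to a request without credentials is flagged.
    if resp.status == 200 and not resp.credentials_sent:
        issues.add("no_access_control")
    # Browsers honour HSTS only on https:// responses; the paper's characteristic
    # is simply the absence of the header, so it is checked on every response.
    if "strict-transport-security" not in hdr:
        issues.add("missing_hsts")
    return issues

# Constructed sample responses (not real servers).
LEAKY = Response(url="http://api.example.test/v1/items", status=200,
                 headers={"Server": "Apache/2.4.29 (Ubuntu)", "Content-Type": "text/html"},
                 body="Fatal error: Uncaught Error in /var/www/app/items.php on line 42")
HARDENED = Response(url="https://api.example.test/v1/items", status=401,
                    headers={"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                             "Content-Type": "application/json"},
                    body='{"error": "unauthorized"}')
```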
EMPIRICAL STUDY
Dataset
The authors collected data twice in June 2019 and August 2020 to form the experimental dataset and developed tools for automated extraction of URLs and corresponding HTTP requests present in Android applications through data analysis.
The dataset includes 303 open-source applications and 3073 closed-source applications, with closed-source applications sourced from Google Play and open-source applications from F-Droid. These applications come from 48 different categories in Google Play, and the vast majority have ratings of 3.0 and above (out of 5.0), with most applications having download counts between 100 and 1000, and the last update time for most applications was in 2018 (data collected in 2019).
The distribution of ratings, download counts, and last update times for these mobile applications is shown in the figure below:
Ultimately, a total of 9716 URLs were extracted from these mobile applications, with 1230 URLs extracted from open-source applications and 8486 URLs from closed-source applications. Among these URLs, only a small portion of requests used the now-common JSON format, while most adopted the traditional XML format or plain text format. In the URLs of open-source applications, only 59 URLs used the JSON format, while in closed-source applications, 489 URLs made requests using the JSON format.
The next section conducts statistical analysis based on whether the applications are open-source and whether they use the JSON format.
Prevalence
This section conducts statistical analysis of the dataset to answer the first question posed in the Introduction: How prevalent are these server-side security issues in mobile applications?
The authors first categorized and counted the proportion of different applications containing each security issue. The results show that for open-source applications, about half of the non-JSON format server-side APIs used unprotected transport channels, while only about 10% of JSON format APIs had this issue; for closed-source applications, the problem was even more severe, with about 71% of non-JSON format APIs and about 50% of JSON format APIs having this issue.
The statistical results for other security issues are shown in the figure below:
Subsequently, the authors analyzed the APIs with source code leakage issues and counted the application frameworks they used. The results showed that five application frameworks were identified: ASP(.net), PHP, CherryPy, Java, NodeJS. For closed-source applications, the vast majority of APIs with source code leakage issues used the ASP(.net) framework, while only six APIs in open-source applications had source code leakage issues, caused by ASP(.net) or CherryPy.
For APIs with version information leakage issues, the authors conducted statistical analysis from three aspects: operating system information, service information, and response headers or bodies that caused version information leakage. The operating system with the most leaks was Ubuntu, while the service with the most leaks was Apache. The version information leakage issues present in response headers were caused by fields such as Server, X-Powered-By, X-AspNet-Version, X-AspNetMvc-Version, while version leakage issues present in response bodies were caused by services such as Apache, Nginx, Apache H3, OpenResty, CherryPy.
For the lack of access control issue, only 53 closed-source non-JSON format APIs and 28 open-source non-JSON format APIs had this issue, while no JSON format APIs had this issue.
The vast majority of the missing HTTPS redirect issues occurred in closed-source non-JSON format APIs, with 48 closed-source non-JSON format APIs and 15 open-source non-JSON format APIs having HTTPS to HTTP downgrade risks.
For the HSTS issue, the authors conducted statistics on various incorrect configurations, and most URLs had improper HSTS configurations, with the statistical results shown in the figure below:
Based on the above statistical results, the authors concluded that most of these security issues exist in over 25% of Android applications, regardless of whether the applications are open-source or closed-source and whether or not they use the JSON format; these prevalent security issues may pose significant threats to the applications.
Maintenance of Server Infrastructure
The authors investigated server maintenance operations and analyzed their correlation with security issues to answer the second question: What is the correlation between these security issues and server maintenance? The authors examined the upgrade status of server infrastructure over the 14 months between the two data collections, and this upgrade status was obtained by comparing the version number differences in the Server response headers. Therefore, the statistical data in this section only includes 309 open-source applications and 3006 closed-source applications.
When analyzing the first hundred APIs, the authors summarized the following eight different situations:
- The application has no updates.
- The application has been downgraded, i.e., the version number decreased.
- The application has been upgraded, i.e., the version number increased.
- The version information leakage issue has been fixed, and specific version numbers can no longer be obtained.
- The environment has changed, i.e., the application used has been replaced.
- Cloudflare protection was used, and the version information was replaced by Cloudflare's.
- Version information was not received in the first test but was received in the second test.
- Version information was received in the first test but not in the second test.
The statistical results for the above eight situations are shown in the figure below:
Statistics show that within 14 months, the vast majority of applications did not upgrade, and a considerable number of applications had their environment changed. Only a small number (103) of applications completely resolved the version information leakage issue, and only a few (104) applications used Cloudflare protection, which indirectly resolved the version information leakage issue.
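The eight situations above amount to comparing the Server header of the same API across the two collections. The Python classifier below is an added example, not the authors' tool; the product/version parsing, the mapping of edge cases (such as a version number that appears only in the second collection) and the label names are assumptions, and the header pairs are constructed.

```python
import re
from collections import Counter

def parse_server(header):
    """Split a Server header into (product, version) using its first product token,
    e.g. 'Apache/2.4.29 (Ubuntu)' -> ('apache', '2.4.29'); None if no header was received."""
    if header is None or not header.strip():
        return None
    product, _, version = header.strip().split()[0].partition("/")
    return product.lower(), (version or None)

def version_key(version):
    """Numeric-aware sort key so that 2.4.9 < 2.4.41; non-numeric parts sort after numbers."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", version))

def classify(first, second):
    """Map a (first, second collection) pair of Server headers to one of the eight situations."""
    a, b = parse_server(first), parse_server(second)
    if a is None and b is None:
        return "excluded"              # never any version info; outside the paper's sample
    if a is None:
        return "received_second_only"
    if b is None:
        return "received_first_only"
    if b[0] == "cloudflare" and a[0] != "cloudflare":
        return "cloudflare"            # Cloudflare now answers, hiding the origin's banner
    if a[0] != b[0]:
        return "environment_changed"   # the server product itself was replaced
    if a[1] and not b[1]:
        return "leak_fixed"            # product still shown, version number removed
    if not a[1]:
        # assumption: a version number newly exposed in the second collection is
        # counted with "not received first, received second"; no version at all is no update
        return "received_second_only" if b[1] else "no_update"
    ka, kb = version_key(a[1]), version_key(b[1])
    return "no_update" if ka == kb else "upgrade" if kb > ka else "downgrade"

def summarize(pairs):
    """Count situations over (first, second) header pairs, as in the paper's figure."""
    return Counter(classify(f, s) for f, s in pairs)

# Constructed header pairs (not from the paper's dataset).
SAMPLE_PAIRS = [
    ("Apache/2.4.29 (Ubuntu)", "Apache/2.4.29 (Ubuntu)"),
    ("Apache/2.4.29 (Ubuntu)", "Apache/2.4.41 (Ubuntu)"),
    ("nginx/1.18.0", "nginx/1.14.0"),
    ("Apache/2.4.29", "Apache"),
    ("Apache/2.4.29", "nginx/1.18.0"),
    ("Apache/2.4.29", "cloudflare"),
    (None, "Microsoft-IIS/10.0"),
    ("Microsoft-IIS/8.5", None),
]
```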
Finally, the authors related the server maintenance operations to the number of security issues found on each server, as shown in the figure below:
From these results, it can be seen that servers containing five types of security issues have the lowest proportion of maintenance, whereas among servers with only one security issue there are none that have not been maintained. As the number of security issues increases, the proportion of maintained servers decreases. The authors therefore speculate that a large number of security issues indicates a lack of server maintenance.
The paper preprint:
https://arxiv.org/pdf/2108.07188v1.pdf