Your Mobile Apps May Not Be as Secure as You Think… – FireTail Blog

May 28, 2025 – Lina Romero – Your Mobile Apps May Not Be as Secure as You Think…
Excerpt:
Cybersecurity risks are too close for comfort. Recent data from the Global Mobile Threat Report reveals that our mobile phone applications are most likely exposing our data due to insecure practices such as API key hardcoding.
Summary:
In 2025, most of us are reliant on our mobile devices for everything from communication to transportation and commerce. But the applications that are powering these functions are leaving users open to risk…
Blog Text:
It is no secret that many of us would be helpless without our mobile devices. Similarly, our mobile devices would be helpless without APIs. APIs are what allow mobile applications to communicate with one another and to send and receive requests between platforms, such as between your phone and the mobile application’s cloud platform. If these APIs aren’t secure, the information you are putting into your mobile applications, which can include location data, banking details, and other PII, isn’t secure either.

A recent report from Zimperium revealed that mobile applications often fail to follow best practices around authentication and authorization, which leads to critical vulnerabilities for the user. A secure application should use placeholder tokens instead of direct access through a login. Best practices around authentication such as session-based authentication and header-based authentication can also help ensure that only authenticated users gain access.

Session-based authentication uses sessions to track authenticated user activity, creating a unique identifier under which information about the user and their usage is stored. This identifier is kept in a cookie that is sent with each request to a server, and each server can in turn check whether the session ID matches an authenticated user. Header-based authentication uses HTTP headers to authenticate the user on a separate, external server, sometimes a web gateway or proxy server.

However, some developers use hard-coded API keys as a shortcut, meaning the token is the same for every user of the app. This is bad practice when it comes to cybersecurity, because it means that if one user is compromised, they effectively all are. Even AI systems will not let you hardcode API keys, as they have been programmed against it for security reasons. As we see in the tables below (source: Zimperium), both Android
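To make the contrast concrete, here is an added example (not code from the FireTail post or from Zimperium) that puts the hard-coded shared key beside a minimal server-side session store of the kind the post describes. The key value, user names, and class and function names are all constructed for illustration; the point it demonstrates is the blast radius when one credential leaks.

```python
import hmac
import secrets
from typing import Optional

# Anti-pattern from the post: one key baked into the app binary, identical
# for every installed copy. (Constructed placeholder value, not a real key.)
HARDCODED_APP_KEY = "app-key-shared-by-every-install"


def check_hardcoded_key(presented: str) -> bool:
    """Every install presents the same secret, so the server cannot tell
    users apart, and it cannot revoke one compromised copy without
    rotating the key for everyone at once."""
    return hmac.compare_digest(presented, HARDCODED_APP_KEY)


class SessionStore:
    """Session-based authentication as the post describes it: the server
    creates a unique identifier per login, keeps the user record behind it,
    and checks the ID presented in the cookie on each request."""

    def __init__(self) -> None:
        self._sessions: dict[str, str] = {}  # session_id -> user

    def login(self, user: str) -> str:
        # 256 bits from a CSPRNG; the identifier itself carries no user data.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = user
        return session_id

    def user_for(self, cookie_value: Optional[str]) -> Optional[str]:
        """Return the authenticated user for a session cookie, or None."""
        if not cookie_value:
            return None
        return self._sessions.get(cookie_value)

    def revoke(self, session_id: str) -> None:
        """Invalidate one compromised session; other users stay logged in."""
        self._sessions.pop(session_id, None)


def blast_radius_demo() -> dict:
    """Compare what a single leaked credential costs under each scheme."""
    store = SessionStore()
    alice, bob = store.login("alice"), store.login("bob")
    store.revoke(alice)  # Alice's device was compromised; cut off only her
    return {
        "shared_key_still_valid_for_everyone": check_hardcoded_key(HARDCODED_APP_KEY),
        "alice_session_valid": store.user_for(alice) is not None,
        "bob_session_valid": store.user_for(bob) == "bob",
    }
```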

[…]

This article has been indexed from Security Boulevard
