Insecure Authentication/Authorization
Mobile apps with weak authentication — storing sessions insecurely, missing token refresh, or authorization checks only on the client side.
How It Works
Mobile auth is tricky because the app runs on an untrusted device. Common mistakes include storing auth tokens in AsyncStorage without encryption, not refreshing expired tokens, performing authorization checks only in the mobile code (which can be bypassed), or using a weak biometric implementation that falls back to a simple PIN. Attackers can modify the app binary to skip auth checks entirely.
```javascript
// Storing the token insecurely: plaintext on disk, no expiry, no refresh
import AsyncStorage from '@react-native-async-storage/async-storage';

async function saveTokenInsecurely(token) {
  await AsyncStorage.setItem('auth_token', token);
  // No expiration check, no encryption
}
```

```javascript
// Using encrypted storage (Keychain on iOS, EncryptedSharedPreferences on Android)
import EncryptedStorage from 'react-native-encrypted-storage';

async function saveTokenSecurely(token, expiresAt) {
  // Store the expiry next to the token so it can be checked before each use
  await EncryptedStorage.setItem('auth_token', JSON.stringify({ token, expiresAt }));
  // Token has expiration; refresh logic runs on a 401 response
}
```

Real-World Example
In 2019, researchers found that multiple banking apps stored authentication tokens in plaintext in Android's SharedPreferences. Any app with root access or a local backup could extract these tokens and impersonate the user.
How to Prevent It
- Use encrypted storage for tokens (Keychain on iOS, EncryptedSharedPreferences on Android)
- Implement token refresh with short-lived access tokens
- All authorization checks must happen on the backend
- Implement certificate pinning to prevent MITM attacks
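The refresh-on-401 and expiry logic the prevention list calls for, as an added example that is not code from the page or from Data Hogo. It assumes a `storage` object exposing the getItem/setItem/removeItem methods of react-native-encrypted-storage and a `refresh` callback that calls the backend's token endpoint; both are assumptions, and any object with that shape (an in-memory map when run off-device) works.

```javascript
// Added example: access-token manager that keeps the token and its expiry in an
// injected secure-storage backend (assumed: react-native-encrypted-storage's
// getItem/setItem/removeItem) and refreshes via an assumed backend callback.
const KEY = 'auth';
const SKEW_MS = 30 * 1000; // refresh a little early to absorb clock skew

class TokenManager {
  // storage: { getItem, setItem, removeItem }; refresh: async (refreshToken) =>
  // { accessToken, refreshToken, expiresIn }; now: injectable clock for tests
  constructor(opts) { Object.assign(this, { now: () => Date.now() }, opts); }

  // Persist the expiry next to the token so it can be checked without decoding it.
  async save({ accessToken, refreshToken, expiresIn }) {
    const rec = { accessToken, refreshToken, expiresAt: this.now() + expiresIn * 1000 };
    await this.storage.setItem(KEY, JSON.stringify(rec));
    return rec;
  }

  async load() {
    const raw = await this.storage.getItem(KEY);
    return raw ? JSON.parse(raw) : null;
  }

  // Return a usable access token, refreshing proactively if it has expired.
  async getAccessToken() {
    const rec = await this.load();
    if (!rec) throw new Error('not authenticated');
    if (rec.expiresAt - SKEW_MS > this.now()) return rec.accessToken;
    return (await this.forceRefresh(rec)).accessToken;
  }

  // A rejected refresh means the session is dead: drop credentials, require login.
  // (In production, distinguish transient network errors from a rejected token.)
  async forceRefresh(rec) {
    try {
      return await this.save(await this.refresh(rec.refreshToken));
    } catch (e) {
      await this.storage.removeItem(KEY);
      throw e;
    }
  }

  // Authenticated request: attach the bearer token and retry once after a 401.
  // The server decides validity; the client-side expiry check is only an optimisation.
  async request(url, fetchImpl, opts = {}) {
    const call = async (tok) =>
      fetchImpl(url, { ...opts, headers: { ...(opts.headers || {}), Authorization: `Bearer ${tok}` } });
    let res = await call(await this.getAccessToken());
    if (res.status === 401) res = await call((await this.forceRefresh(await this.load())).accessToken);
    return res;
  }
}
```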
Related Vulnerabilities
- Improper Credential Usage (critical): Hardcoded API keys, passwords, or tokens directly in mobile app source code — easily extracted by decompiling the app bundle.
- Mobile Supply Chain Security (medium): Vulnerable SDKs, outdated native libraries, or compromised third-party modules in your mobile app introduce security risks from your dependencies.
- Insufficient Input/Output Validation (medium): Mobile apps that don't validate user input or sanitize output are vulnerable to injection attacks, data corruption, and unexpected behavior.
- Insecure Communication (high): Mobile app transmits sensitive data over HTTP instead of HTTPS, or accepts invalid SSL certificates — enabling man-in-the-middle attacks on public WiFi.