How to Prevent Brute Force Attacks in Mobile Applications
Research revealed that over 600 million smartphone users have their devices at risk because their mobile apps allow an UNLIMITED number of login attempts. AppBugs, a mobile security firm, tested 100 of the most popular Android and iOS applications that support password-protected accounts, each app with at least one million downloads.
Fixing Brute Force Vulnerability in Mobile Apps
There are many techniques and security controls a developer can use to defeat this type of attack. We all know that typing long passwords full of digits and symbols on a mobile phone keyboard is tedious, but that does not mean we have to make the attacker's life too easy.
PASSWORD AUTHENTICATION DELAY
The simplest way for a developer to harden a login mechanism is something already implemented in almost every mobile device OS: a password authentication delay. Most of the time, the authentication of the account happens on a remote server, and that is where you should configure it.
Think about the PIN code you use to unlock your mobile device (you do use one, right? If you don't, you should!). What happens if you type the wrong PIN a few times? Maybe you did not notice it, but if you keep typing the wrong PIN, you will have to wait a few minutes before you can try again. The more you try (and fail), the longer you will have to wait. With this simple mechanism, you greatly increase the time needed to brute-force a password.
If the authentication mechanism is implemented remotely, do not enforce the delay in the app itself. Attackers can bypass the app and talk directly to the server, so a delay enforced only on the client side is useless.
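The server-side escalating delay described above, written out as an added example (this is not code from the article or from eLearnSecurity). The attempt thresholds and delay values are assumed for illustration, the per-account store is in memory, and verify() stands in for whatever real credential check the server performs.

```python
import math
import time
from dataclasses import dataclass

# Assumed policy (the article gives no numbers): the first FREE_ATTEMPTS
# failures cost nothing, then the wait doubles from BASE_DELAY seconds up to
# MAX_DELAY. All of this state lives on the server, never inside the app.
FREE_ATTEMPTS = 3
BASE_DELAY = 30
MAX_DELAY = 900


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed logins
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


def delay_for(failures: int) -> int:
    """Seconds an account must wait after `failures` consecutive failures."""
    if failures < FREE_ATTEMPTS:
        return 0
    return min(BASE_DELAY * 2 ** (failures - FREE_ATTEMPTS), MAX_DELAY)


class LoginThrottle:
    """Per-account escalating delay, enforced server-side (in-memory store
    for the example; `now` is injectable so tests need not sleep)."""

    def __init__(self, now=time.time):
        self._now = now
        self._accounts: dict[str, AccountState] = {}

    def login(self, username: str, password: str, verify) -> tuple[str, int]:
        """Return ('ok', 0), ('wrong', next_wait) or ('locked', remaining).

        `verify(username, password)` is the caller's real credential check
        (hypothetical). While locked it is not called at all, so guesses made
        during the wait window tell the attacker nothing.
        """
        state = self._accounts.setdefault(username, AccountState())
        remaining = state.locked_until - self._now()
        if remaining > 0:
            return "locked", math.ceil(remaining)
        if verify(username, password):
            self._accounts.pop(username, None)  # success resets the counter
            return "ok", 0
        state.failures += 1
        wait = delay_for(state.failures)
        state.locked_until = self._now() + wait
        return "wrong", wait
```

Because the delay is keyed on the account, someone who knows a username can keep that account in the wait window; pair this with per-source rate limits and the two-factor authentication discussed next so a legitimate user is not locked out for good.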
TWO FACTOR AUTHENTICATION
Besides this simple but effective technique, if you really care about your clients, you should consider implementing two-factor authentication. This is really the best way to defeat password brute force (and a few other attacks).
Next Week on the Blog: Francesco discusses the 3 Common Mistakes that Mobile App Developers make when developing applications. Stay tuned!
Mobile Application Security and Penetration Testing Demo
If you're a mobile developer and you want to develop secure mobile applications, you can learn to code while keeping security in mind. Get started with the Mobile Application Security and Penetration Testing Course for FREE here: MASPT FREE Trial
Francesco Stillavato is a Senior IT Security researcher and instructor at eLearnSecurity with 6 years of experience in different aspects of Information Security. His experience spans from web application secure coding to secure network design. He has contributed to the Joomla project as a Developer and has conducted a number of assessments as a freelancer.