eLearnSecurity Blog

How to Prevent Brute Force Attacks in Mobile Applications

Research revealed that over 600 million smartphone users have their mobiles at risk because mobile apps allow an UNLIMITED number of login attempts. AppBugs, a mobile security firm, tested 100 of the most popular Android and iOS applications that support password-protected accounts, with each app registering at least one million downloads.

The result was that 53 of the 100 apps showed a password brute force vulnerability, which allows attackers to keep guessing the user's password until they finally crack it. AppBugs mentions that it can take as little as 24 days for an attacker to guess the correct password combination, depending on the strength of the password. More about their report here.


Fixing Brute Force Vulnerability in Mobile Apps

Francesco Stillavato, IT Security Researcher, shares his thoughts on this topic.

There are many techniques and security implementations a developer can use to defeat this type of attack. We all know that typing long passwords full of digits and symbols on a mobile phone keyboard is really tedious, but that does not mean we have to make our attacker's life too easy.


The simplest way for a developer to harden a login mechanism is something that is already implemented in almost every mobile device OS: create a password authentication delay. Most of the time, the authentication of the account happens on a remote server, and this is where you should configure the delay.

Think about the PIN code you use to unlock your mobile device (you use it, right? If you don’t, you should!). What happens if you type the wrong PIN a few times? Maybe you did not notice it, but if you keep typing the wrong PIN, you will have to wait a few minutes before you can type it again. The more you try (and fail), the more you will have to wait. With this simple implementation, you can really increase the amount of time needed to crack your password.

If the authentication mechanism is implemented remotely, do not enforce the delay in the app itself. Attackers can bypass the app and connect directly to the server, so a limit that lives only in the app is useless; the server has to track the failed attempts and refuse to check a password until the waiting time has passed.
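The following is an added example, not code from the blog post or from AppBugs, showing what the escalating delay described above looks like when it is enforced on the server: the server tracks consecutive failures per account, and after a few free attempts each further failure doubles the waiting time (30 s, 60 s, 120 s, up to one hour). The user store, the account name "alice", the delay parameters and the in-memory state are assumptions made for the demo; a real deployment would keep the counters in a shared store so every API node sees the same state.

```python
"""Server-side progressive authentication delay (added example, hypothetical service)."""
import hashlib
import hmac
import os
import time


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the demo never stores plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginThrottler:
    """Tracks consecutive failures per account and enforces an escalating wait.

    After `free_attempts` failures, each further failure locks the account for
    base_delay * 2**(extra failures) seconds, capped at max_delay. The state is
    kept on the server, so bypassing the app and calling the API directly gains nothing.
    """

    def __init__(self, free_attempts=3, base_delay=30, max_delay=3600, clock=time.time):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock                  # injectable for deterministic testing
        self._failures = {}                 # username -> consecutive failures
        self._locked_until = {}             # username -> time when attempts are accepted again

    def required_wait(self, username):
        """Seconds the caller must still wait before another attempt is accepted (0 if none)."""
        return max(0.0, self._locked_until.get(username, 0.0) - self.clock())

    def record_failure(self, username):
        """Bump the failure counter; returns the delay applied (0 while attempts are still free)."""
        n = self._failures.get(username, 0) + 1
        self._failures[username] = n
        if n <= self.free_attempts:
            return 0
        delay = min(self.max_delay, self.base_delay * 2 ** (n - self.free_attempts - 1))
        self._locked_until[username] = self.clock() + delay
        return delay

    def record_success(self, username):
        self._failures.pop(username, None)
        self._locked_until.pop(username, None)


class AuthServer:
    """Minimal login endpoint: throttle check first, password check second."""

    def __init__(self, users, throttler):
        self.users = users          # username -> (salt, pbkdf2 hash)
        self.throttler = throttler

    def login(self, username, password):
        wait = self.throttler.required_wait(username)
        if wait > 0:
            # The password is not even examined while the account is in its waiting period.
            return False, f"too many attempts; retry in {int(wait)}s"
        record = self.users.get(username)
        # Hash even for unknown usernames so timing does not reveal which accounts exist.
        salt, stored = record if record else (b"\x00" * 16, b"\x00" * 32)
        candidate = _hash_password(password, salt)
        if record and hmac.compare_digest(candidate, stored):
            self.throttler.record_success(username)
            return True, "ok"
        delay = self.throttler.record_failure(username)
        return False, "invalid credentials" + (f"; locked for {delay}s" if delay else "")


class FakeClock:
    """Controllable clock so the demo does not really sleep."""

    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def make_demo_server(clock):
    # Constructed user store: one account whose password is "correct horse".
    salt = os.urandom(16)
    users = {"alice": (salt, _hash_password("correct horse", salt))}
    return AuthServer(users, LoginThrottler(free_attempts=3, base_delay=30, max_delay=3600, clock=clock))


def demo():
    """Four wrong guesses, then the right password while locked, then after the wait."""
    clock = FakeClock()
    server = make_demo_server(clock)
    results = [server.login("alice", g) for g in ["123456", "password", "qwerty", "letmein", "correct horse"]]
    clock.advance(31)  # waiting period over
    results.append(server.login("alice", "correct horse"))
    return results


if __name__ == "__main__":
    for ok, msg in demo():
        print(ok, msg)
```

Note the order inside `login`: the waiting period is checked before the password is verified, so a guessing client cannot learn anything during the lock, and the correct password is rejected too until the wait expires. Resetting the counter only on success means a legitimate user who mistypes a few times pays at most a short delay, while an automated guesser quickly hits the one-hour cap.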


Besides this simple but effective technique, if you really care about your clients, you should consider implementing two-factor authentication. This is really the best way to defeat password brute force (and a few other attacks).

Next Week on the Blog: Francesco discusses the 3 Common Mistakes that Mobile App Developers make when developing applications. Stay tuned!

Mobile Application Security and Penetration Testing Demo

If you're a mobile developer and you want to develop secure mobile applications, you can learn to code while keeping security in mind. Get started with the Mobile Application Security and Penetration Testing Course for FREE here: MASPT FREE Trial



Francesco Stillavato is a Senior IT Security researcher and instructor at eLearnSecurity with 6 years of experience in different aspects of Information Security. His experience spans from web application secure coding to secure network design. He has contributed to the Joomla project as a Developer and has conducted a number of assessments as a freelancer.

Twitter: https://twitter.com/litsnarf
LinkedIn: https://www.linkedin.com/in/stillavatofrancesco
