Slashdot Mirror


Mobile Devs Making the Same Security Mistakes Web Devs Made in the Early 2000s (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: Mobile app developers are going through the same growing pains that the webdev scene has gone through in the 90s and 2000s when improper input validation led to many security incidents. But while mobile devs have learned to filter user input for dangerous strings, some of these devs have not learned their lesson very well.

In a research paper published earlier this year, Abner Mendoza and Guofei Gu, two academics from Texas A&M University, have highlighted the problem of current-day mobile apps that still include business logic (such as user input validation, user authentication, and authorization) inside the client-side component of their code, instead of its server-side section. This regrettable situation leaves the users of these mobile applications vulnerable to simple HTTP request parameter injection attacks that could have been easily mitigated if an application's business logic had been embedded inside its server-side component, where most of these operations belong.

5 of 96 comments

  1. Client Side AS WELL AS Server Side by Jason+Levine · Score: 4, Insightful

    There's nothing wrong with Client Side validation. It lets you prompt the user to correct their mistakes. Of course, this client side validation shouldn't be trusted when the data gets to the server-side. You need to check it on the server side also. Client Side verification has its place in any good web application.

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    1. Re:Client Side AS WELL AS Server Side by ctilsie242 · Score: 4, Insightful

      You need both. Client side is for sanity checking, just so the obvious security issues don't make it to the server and take up server resources (bandwidth, etc.). For sense of security, everything needs to be checked at the server side, as -nothing- should be trusted. Sorry, Bobby Tables.

    2. Re:Client Side AS WELL AS Server Side by gweihir · Score: 3, Insightful

      Client-side: Usability.
      Server-side: Security.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. Mistakes Web Devs Made in the Early 2000s... by asylumx · Score: 3, Insightful

    Newsflash, webdevs still make these same mistakes. Oftentimes there is little or no distinction between a "web dev" and a "mobile dev" in reality.

  3. Re:Very legitimate reason for this by gweihir · Score: 4, Insightful

    Indeed. Those that think reducing the need for server hardware this way is acceptable should be banned for life from coding anything. It does not get much more stupid than this when security is a factor.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
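The summary's point (business logic left in the mobile client, so a hand-built HTTP request bypasses it) and the "Client Side AS WELL AS Server Side" thread's point (client checks for usability, server checks for security) are illustrated by the following added example. It is not code from the article, the paper, or any of the commenters: the transfer endpoint, the `OWNERS` table, the ledger balances and the query string are all constructed for illustration, and both server handlers are hypothetical.

```python
"""Client-side checks are for usability; the server must re-validate and authorize."""
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed sample data, not from the article: which user owns which account.
OWNERS = {"acct-1": "alice", "acct-2": "bob"}


def new_ledger():
    """Fresh constructed balances so each request below starts from the same state."""
    return {"acct-1": Decimal("500.00"), "acct-2": Decimal("50.00")}


def parse_params(query_string):
    """Flatten an HTTP query string into {name: first_value}, as a handler sees it."""
    return {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}


def client_side_validate(form):
    """Checks the mobile UI runs before sending, so the user is prompted early.
    Nothing here is a security control: the same HTTP request can be produced
    without the app, so these checks can be skipped entirely."""
    try:
        amount = Decimal(form.get("amount", ""))
    except InvalidOperation:
        return ["amount must be a number"]
    if not amount.is_finite() or amount <= 0 or amount > 1000:
        return ["amount must be between 0.01 and 1000"]
    return []


def trusting_server(params, ledger):
    """The anti-pattern from the summary (hypothetical handler): the server assumes
    the client already validated and authorized, and acts on whatever arrives."""
    src, dst, amount = params["from"], params["to"], Decimal(params["amount"])
    ledger[src] -= amount
    ledger[dst] = ledger.get(dst, Decimal("0")) + amount
    return {"status": "ok", "balance": str(ledger[src])}


def hardened_server(session_user, params, ledger):
    """Same endpoint with the logic where it belongs (hypothetical handler): every
    rule the client checks is checked again here, plus authorization that is
    derived from the authenticated session, never from request parameters."""
    src, dst = params.get("from"), params.get("to")
    if OWNERS.get(src) != session_user:
        return {"status": "error", "reason": "not owner of source account"}
    if dst not in ledger or dst == src:
        return {"status": "error", "reason": "invalid destination"}
    try:
        amount = Decimal(params.get("amount", ""))
    except InvalidOperation:
        return {"status": "error", "reason": "amount not a number"}
    # is_finite() first: NaN/Infinity parse fine but cannot be range-compared safely.
    if not amount.is_finite() or amount <= 0 or amount > 1000:
        return {"status": "error", "reason": "amount out of policy"}
    if amount.as_tuple().exponent < -2:  # more than two decimals: reject sub-cent values
        return {"status": "error", "reason": "amount out of policy"}
    if ledger[src] < amount:
        return {"status": "error", "reason": "insufficient funds"}
    ledger[src] -= amount
    ledger[dst] += amount
    return {"status": "ok", "balance": str(ledger[src])}


if __name__ == "__main__":
    # A request the app's UI would never produce: bob's session, alice's account as source.
    request = parse_params("from=acct-1&to=acct-2&amount=10")
    print("client-side checks:", client_side_validate(request) or "pass")
    print("trusting server:   ", trusting_server(request, new_ledger()))
    print("hardened server:   ", hardened_server("bob", request, new_ledger()))
```

Running it shows the asymmetry the thread describes: `client_side_validate` happily passes the request because the amount is well-formed, `trusting_server` moves alice's money on bob's behalf, and `hardened_server` refuses before touching the ledger. The client check stays useful for prompting the user; the server check is the only one that counts.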