Poor Authentication and Authorization
Weak authentication mechanisms remain a persistent vulnerability in mobile applications. The convenience-focused nature of mobile experiences often leads to security compromises in authentication design.
Authentication Vulnerabilities:
- Weak password requirements
- Lack of account lockout mechanisms
- Session tokens that never expire
- Biometric authentication without fallback security
- Client-side authentication decisions
- Predictable password reset mechanisms
Authorization Issues:
- Role validation only on client side
- Direct object references without access control
- Horizontal privilege escalation vulnerabilities
- Missing authorization checks on API endpoints
- Cached authorization decisions
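Every issue in the authorization list above, together with the never-expiring session tokens from the first list, is decided on the server, not in the app. The Python below is an added example, not code from the original page: a constructed in-memory API handler shown first in its vulnerable form (client-supplied role, no ownership check, no expiry) and then hardened; all users, tokens and records are made up for the demo.

```python
import time
from dataclasses import dataclass


@dataclass
class Session:
    user_id: str
    role: str          # assigned by the server at login, never read from the request
    expires_at: float  # absolute Unix time; a token must not live forever


# Constructed sample state: three users, two records, one stale session.
SESSIONS = {
    "tok-alice": Session("alice", "user", expires_at=2_000_000_000),
    "tok-bob": Session("bob", "user", expires_at=2_000_000_000),
    "tok-admin": Session("carol", "admin", expires_at=2_000_000_000),
    "tok-stale": Session("alice", "user", expires_at=1_000_000_000),
}
RECORDS = {
    "rec-1": {"owner": "alice", "balance": 120},
    "rec-2": {"owner": "bob", "balance": 45},
}


class Unauthorized(Exception):
    """No valid session."""


class Forbidden(Exception):
    """Valid session, but not allowed to see this object."""


def get_record_vulnerable(token, record_id, client_role):
    """Insecure: trusts the role the app claims, ignores expiry, serves any record id."""
    if client_role == "admin" or token in SESSIONS:
        return RECORDS[record_id]
    raise Unauthorized("no session")


def get_record(token, record_id, now=None):
    """Hardened: server-side expiry, server-held role, per-object ownership check."""
    now = time.time() if now is None else now
    session = SESSIONS.get(token)
    if session is None or session.expires_at <= now:
        raise Unauthorized("missing or expired session")
    record = RECORDS.get(record_id)
    # Missing and foreign records get the same answer so ids cannot be probed one by one.
    if record is None or (record["owner"] != session.user_id and session.role != "admin"):
        raise Forbidden("not permitted")
    return record
```

The `now` parameter exists only so expiry can be tested deterministically; in production the server clock is used.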
Secure Authentication Implementation:
// iOS - Biometric authentication with proper fallback
import LocalAuthentication

// App-specific password prompt, defined elsewhere in the app. It must report the
// outcome through `completion` so the caller is never left waiting for a result.
func showPasswordAuthentication(completion: @escaping (Bool) -> Void) { /* app UI */ }

func authenticateUser(completion: @escaping (Bool) -> Void) {
    let context = LAContext()
    var error: NSError?

    if context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error) {
        context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                               localizedReason: "Authenticate to access your account") { success, evalError in
            // The reply block is not guaranteed to run on the main thread; hop back before touching UI.
            DispatchQueue.main.async {
                if success {
                    completion(true)
                } else {
                    // Fallback to password authentication (user cancelled, biometric lockout, or no match)
                    showPasswordAuthentication(completion: completion)
                }
            }
        }
    } else {
        // Biometrics not available or not enrolled, use password
        showPasswordAuthentication(completion: completion)
    }
}
// The Bool delivered here is a client-side decision. Use it only to unlock a
// Keychain-protected credential or session; the server must still authorize every request.