The proliferation and rapid advancement of web technologies, coupled with a dynamic corporate environment, mean that web and mobile applications are becoming more instrumental in public, business and government services today. Despite providing efficiency and convenience, mobile and web applications are equally exposed to new security threats that can endanger a user's information technology infrastructure if not handled with intense care. In the quest to handle threats associated with mobile applications, it is fundamental to properly master the various vulnerabilities commonly found in web applications. This work reports on the contemporary threat landscape for web applications based on evidence and experimentation. While reporting on the possible mobile application security threats, the study also provides a critical review of two major threats and their significance for web applications, illustrates how the threats attack by means of a simulation, and then provides recommendations for protection mechanisms against these threats.
Contemporary web applications are faced with numerous threats including software attacks, identity theft, theft of intellectual property, information extortion and sabotage, amongst others. A threat comprises anything which can take advantage of a vulnerability to breach security and disorient, extort, erase or harm information of particular interest. Software attacks, on the other hand, comprise worms, viruses and Trojan horses, amongst others. Software attacks are carried out by malicious software, and each kind behaves differently (Delac, Silic and Krolo, 2011). Malware is a construct of two terms, namely malicious and software. Malware refers to malicious software with the capacity to perform harmful operations on software systems. Malware is classified in two ways, namely by malware actions and by infection methods.
The contemporary application paradigm encompasses mobile, web and cloud platforms. The unprecedented evolution of technology has motivated software companies to continually update their technology stack (Mittal et al., 2016). By function, web applications are information collectors and distributors, and are the most fundamental sources of information for consumers. The complexity of applications is continuously increasing in order to integrate more features that suit dynamic consumer needs, thus making them more susceptible to attacks. Attackers have become more intelligent, with the ability to propagate attacks without the network, application behavior monitors or tools being aware of them. Endowed with knowledge of software engineering, development and the internet, attackers create tools and customize their attacks on the basis of the application. Consequently, attackers get to exploit security rules, vulnerabilities and policies to attain their intended motive. Banham (2017) recognized the unending nature of security: while the latest threat gets curbed and discredited, new threats arise. Continuous implementation of security at different levels is deemed necessary in achieving defense against threats. According to Mirzoev et al. (2014), attackers have developed competencies in manipulating various application inputs to acquire vital information, bypassing network defense systems. In the year 2010, SQL injection attacks were common relative to DDoS and malware distribution. Besides, the threats catalogued in the Open Web Application Security Project (OWASP) Top Ten are common in contemporary days. Chen et al. (2016) noted that web attacks are mainly propagated to non-technical individuals by use of social engineering attacks. The increased popularity and usefulness of smart mobile gadgets have formed the basis under which risks transpire, since smart gadgets act as both a communication portal and a means of authentication.
Ready access to smart mobile technologies by unscrupulous attackers increases the chances of accessing personal data, which is then used to impersonate reputable companies by sending emails in the quest to trick users into giving up personal and financial information. The excess access to online sensors such as surveillance systems and video cameras has enabled attackers to seek new means of compromising privacy and security, and of monitoring organizations and victims for espionage and other threats. Risks are not confined to the application alone but can also impact infrastructure and the network. In contemporary days, there have been ransomware attacks encrypting users' data and systems and demanding a ransom to regain the data (Reetz, 2013).
Information security integrates the consideration of existing controls or countermeasures motivated by unchecked vulnerabilities. Besides, information security encompasses identifying areas where a lot of work is required concerning safeguarding the principles of information security. These principles include confidentiality, authentication, integrity and non-repudiation. The main aim of data security management is to ensure business continuity by minimizing or preventing the impacts of security incidents (Rashidi and Fung, 2015). There are various reasons why information security is fundamental. First, information security safeguards the functionality of the company: decision makers in the corporate enterprise ought to formulate policies and manage their enterprise in accordance with dynamic legislation and with efficient and capable applications. Besides, information security is important in protecting the data which the company gathers and uses. Also, information security is important in protecting the technological assets of an organization (Stuttard and Pinto, 2011).
The government has increased financial allocation to curb cybercrime. Cybercrimes are costly and interfere with the confidentiality, integrity and availability of information. Information loss may permanently paralyze corporate operations, or may require a lot of finance for recovery. The government's tendency to allocate more funds to handling cybercrime is built on awareness of the effect of hacking on the safety of data, and of the vitality of protecting the integrity of information and ensuring information availability at all times when needed (Lamba et al., 2017). This orientation is propagated not only by the government but also by individuals and corporate organizations. In addition, the government has introduced courses on cyber security to elevate the level of awareness of cybercrime amongst men and women. The awareness will also go forth in equipping learners with skills on how to handle cybercrimes. The dynamic nature of cybercrimes and mobile application threats requires constant training to unravel. It is a cat and mouse race: it is hard to dismantle cybercrime, but a constant understanding of such crimes tends to lower the occurrence of risks (Mittal et al., 2016).
SQL injection denotes a technique applied to exploit user information through web page input by inducing SQL instructions as statements. These statements are then harnessed by attackers to manipulate the application's web server (Reetz, 2013). SQL injection is thus a code injection technique with the potential to destroy users' databases. It constitutes one of the most common web hacking techniques, involving the introduction of malicious code into SQL statements through the web page input. Ghorbanzadeh et al. (2010) noted that web servers communicate with database servers continuously whenever required to store or retrieve user data. SQL statements by the hacker are structured for execution when the web server fetches content from the application server. This compromise introduces possible threats into the web application. SQL injection has various effects. The main impact is that it enables the hacker to gain access to user information, for instance credit card information, user details and security codes. In addition, SQL injection may enable hackers to gain access to administrators' portals, which are otherwise highly private and confidential. Moreover, SQL injection may enable the intentional deletion of users' data, to the detriment of corporate operations or of users' important information. In contemporary days, with the evolution of mobile applications, online shopping applications, back-end database servers and bank transactions are all exposed to potential risks. If the hacker is capable of exploiting SQL injection, the whole server is compromised.
Blind SQL injection is a form of SQL injection in which, if the attacker injects SQL code that causes the application to create an illegitimate SQL query, he or she would normally expect a syntax error message from the database (Roman, Lopez and Mambo, 2018). An error message from the database ought not to be shared with the application end user, since this may disclose information concerning the database design. To hamper the exploitation of SQL injection, some software developers return a generic page in place of the database error. As a result, the exploitation of SQL injection becomes more difficult. However, the hacker can still tell whether the query is valid or not based on the returned page. In the event that the web application is vulnerable and the query is valid, a particular page will be returned; but if the query is invalid, a different page will be returned. Thus, the hacker will still be able to extract information from the application database by asking true or false questions through injected SQL statements.
User authentication: this approach encompasses verifying user input against predetermined thresholds of length, input field, type of input and user authentication. Further measures include avoiding the use of system administrator accounts, limiting user access to data, and limiting the quantity of data to which an outsider may have access. In this regard, users should be denied access to data in the database.
SQL injection constitutes a code injection technique applied to hack mobile and web applications. Under this technique, malicious SQL statements are introduced into an entry field for execution. SQL injection may be harnessed in various ways to pose severe threats. By leveraging SQL injection, the hacker may bypass authentication, or access, delete or alter information found in the database. For instance, consider the simple authentication form in Figure 1. From the perspective of a hacker, the intention is to get an SQL statement of their choosing executed by the database.
The hacker can guess the type of SQL statement which the above application may utilize to authenticate access codes or credentials. It is probably a SELECT statement. Besides, the hacker may make a prudent guess concerning the naming convention applicable to the database table, since it potentially matches the names that are used in the HTML form. This is based on the view that in such a form of validation there is probably a WHERE clause which uses
$_POST ['username'] and $_POST ['password'].
Considering all this, the hacker may predict the following:
<?php
$sql = "SELECT count(*) FROM users WHERE
        username = '{$_POST['username']}' AND
        password = '...'";
?>
If the above guess happens to be valid, something can be done to manipulate the query. For instance, imagine sending the username below:
akash' /*
The query that reaches the database then becomes:
SELECT count(*) FROM users WHERE username = 'akash' /*' AND password = '...'
In this example, /* is used to begin a multi-line comment, effectively truncating the query at that point. This has been tested successfully with MySQL. A standard comment in SQL begins with --, and it is needless to try both. The query yields a successful validation provided the akash account is in existence, irrespective of the password. Such an attack is regularly employed to steal accounts. Any username may be harnessed. Therefore, sending a malformed username enables the hacker to log in without necessarily having a legitimate account.
There are different ways of defending against SQL injection attacks. One technique is the use of parameterized queries, or prepared statements. This technique requires application developers to first define all the SQL code and to pass each parameter to the query later. It enables the database to distinguish between data and code, irrespective of what user input is provided. Parameterized queries ensure the hacker is unable to change the purpose of a query even when SQL commands are introduced by the hacker. For instance, suppose the hacker enters the user ID PQR: the prepared statement will not be endangered but will instead look for a username that matches the whole string PQR. Besides the use of parameterized queries, two other strategies are applied to combat SQL injection, namely input validation and stored procedures. Use of stored procedures will restrict SQL injection provided they do not incorporate harmful dynamic SQL generation. Also, the SQL code ought to be defined first and the parameters passed afterwards. The distinction between stored procedures and parameterized queries is thin: the SQL code for a stored procedure is defined and stored within the database and then called from the application. With the help of a CALL SQL statement, the application can invoke and execute the stored procedure. The input validation method seeks to escape the provided input before integrating it into a query. The particular functions applied in escaping user-supplied input vary with the server-side scripting language. It is commendable to use database-specific escape functions such as mysqli_real_escape_string for MySQL (Narayanan et al., 2018). Every database management system supports at least one character escaping scheme. The input validation method may be given preference when rewriting dynamic queries, because using parameterized queries or stored procedures may have a negative impact on the application's performance.
It is vital to master how to identify and resolve SQL injection threats, since a significant number of data breaches are built on poorly coded web apps. Any code that builds SQL statements ought to be properly checked for SQL injection threats. Besides, it is important to note that even data which has been parameterized is prone to manipulation by skilled hackers. As a result, web applications ought to be built with the ideals of information security in mind and continually tested for SQL injection and other threats.
The initial stage involves the creation of an SQL statement template to be sent to the database. Particular values, known as parameters, are left unspecified and labeled with a question mark (?). For instance:
SELECT count(*) FROM users WHERE username = ? AND password = ?
Secondly, the database parses, compiles and carries out query optimization on the SQL statement template, and stores the result without executing it. Thirdly, execution comes at a later stage, where the application binds the parameters to values and the database is allowed to execute the statement. The application may execute the statement several times with different values. The akash example above is a simple demonstration of bypassing a user login page. SQL injection offers the hacker unofficial access to important information such as personal identification numbers (PINs), customer information, intellectual property, trade secrets and other sorts of information. Besides, there is also an SQL injection automation tool, sqlmap, applied to carry out all forms of SQL injection.
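As an added example that is not part of the essay, the following runs the string-built login query from the akash discussion side by side with the parameterized template from the three prepared-statement stages above, against a constructed in-memory SQLite users table; the function names, the sample accounts and the use of SQLite in place of MySQL are assumptions of this example.

```python
import sqlite3

# Constructed sample accounts (not from the essay). Passwords are stored in
# plain text only so that the query matches the essay's template; a real
# application stores password hashes instead.
SAMPLE_USERS = [("akash", "s3cret"), ("maria", "hunter2")]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database standing in for the essay's MySQL 'users' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Mirrors the guessed PHP query: the input is pasted into the SQL text, so the
    database cannot distinguish data from code. A username such as "akash' /*"
    closes the quote and comments out the password check (SQLite, like MySQL,
    treats an unterminated /* as a comment running to the end of the input)."""
    sql = (f"SELECT count(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The prepared-statement form from the essay. Stage one: the template with ?
    placeholders; stage two: the database parses it before any value is known;
    stage three: the values are bound and the statement executed. A quote or
    comment marker in the input is therefore compared literally, never executed."""
    sql = "SELECT count(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def demo() -> dict:
    """Run both logins with a legitimate credential and with the malformed username."""
    conn = make_db()
    payload = "akash' /*"  # the malformed username discussed in the essay
    return {
        "legit_vulnerable": login_vulnerable(conn, "akash", "s3cret"),
        "legit_parameterized": login_parameterized(conn, "akash", "s3cret"),
        "bypass_vulnerable": login_vulnerable(conn, payload, "wrong password"),
        "bypass_parameterized": login_parameterized(conn, payload, "wrong password"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'logged in' if outcome else 'rejected'}")
```

Both functions accept the genuine credential; only the string-built query also accepts the malformed username with a wrong password, which is the defect the parameterized template removes.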
Consequently, the application of secure coding practices protects the system against SQL injection attacks.
The rapid evolution of technology has created a need to continually safeguard web applications against hackers. Organizations should remain vigilant in protecting the integrity, confidentiality and ready availability of information when required, in the quest to minimize distortion or loss of information to unintended persons. To serve their interests, hackers will relentlessly struggle to gain access to data, and thus software developers, government agencies and all stakeholders ought to be keen to ensure their information does not land in the wrong hands, which might also be costly to recover from. It is therefore important for software developers to be conversant with the vulnerabilities to which data is exposed, and to pursue stringent measures while building software. Laying strong strategies to safeguard the security of web applications against attacks such as malware and SQL injection requires a participatory approach to ensure web applications continue to serve their intended purposes without interference from hackers.
Banham, R., 2017. Cybersecurity threats proliferating for midsize and smaller businesses. Journal of Accountancy, 224(1), p.75.
Chen, M., Qian, Y., Mao, S., Tang, W. and Yang, X., 2016. Software-defined mobile networks security. Mobile Networks and Applications, 21(5), pp.729-743.
Delac, G., Silic, M. and Krolo, J., 2011, May. Emerging security threats for mobile platforms. In 2011 Proceedings of the 34th International Convention MIPRO (pp. 1468-1473). IEEE.
Ghorbanzadeh, P., Shaddeli, A., Malekzadeh, R. and Jahanbakhsh, Z., 2010, June. A survey of mobile database security threats and solutions for it. In The 3rd International Conference on Information Sciences and Interaction Sciences (pp. 676-682). IEEE.
Lamba, A., Singh, S., Balvinder, S., Dutta, N. and Rela, S., 2017. Analyzing And Fixing Cyber Security Threats For Supply Chain Management. International Journal For Technological Research In Engineering, 4(5).
Mirzoev, T., Brannon, M., Lasker, S. and Miller, M., 2014. Mobile application threats and security. World of Computer Science and Information Technology Journal, 4(5), pp.57-61.
Mittal, S., Das, P.K., Mulwad, V., Joshi, A. and Finin, T., 2016, August. Cybertwitter: Using twitter to generate alerts for cybersecurity threats and vulnerabilities. In 2016 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining (ASONAM) (pp. 860-867). IEEE.
Narayanan, S.N., Ganesan, A., Joshi, K., Oates, T., Joshi, A. and Finin, T., 2018, October. Early detection of cybersecurity threats using collaborative cognition. In 2018 IEEE 4th international conference on collaboration and internet computing (CIC) (pp. 354-363). IEEE.
Rashidi, B. and Fung, C.J., 2015. A Survey of Android Security Threats and Defenses. JoWUA, 6(3), pp.3-35.
Roman, R., Lopez, J. and Mambo, M., 2018. Mobile edge computing, fog et al.: A survey and analysis of security threats and challenges. Future Generation Computer Systems, 78, pp.680-698.
Stuttard, D. and Pinto, M., 2011. The web application hacker's handbook: Finding and exploiting security flaws. John Wiley & Sons.