Session handling is a very well known security concern for Web applications, but it can be an even bigger problem in the world of mobile applications. Vulnerabilities caused by improper session handling are quite common, even though on a mobile device, which can be lost or stolen, the consequences can be severe.
What is Improper Session Handling?
As the name suggests, this issue arises because session tokens are not handled securely. While some of this may be intentional, enough care should still be taken to validate the user's session on the backend.
Because of the way mobile applications are used, many developers allow long or non-expiring user sessions or use session tokens that are too predictable. Many times this is intentional because businesses want users to have fast access to purchasing and checkout so that sales can be made before the user can have second thoughts. Reducing the need for constantly logging into the application reduces friction for the users.
In order to facilitate a stateful transaction between a user and a mobile app's backend servers, mobile apps use session tokens to maintain state over stateless protocols like HTTP or SOAP. To maintain state, the mobile app must first authenticate the user through the backend. In response to successful authentication, the server issues a session cookie to the mobile app.
The mobile app adds this cookie to all future service transactions between the mobile app and the server. This allows the server to conveniently enforce authentication and authorization for any service requests issued by the mobile app. Improper session handling occurs when the session token is unintentionally shared with the adversary during a subsequent transaction between the mobile app and the backend servers.
What is the impact of Improper Session Handling?
Technical Impact: An adversary that has access to the session tokens is able to impersonate the user by submitting the token to the backend server for any sensitive transactions. Hence, the technical impact is dependent upon who is being impersonated and what service is being requested.
In the worst-case scenario, the adversary impersonates an administrative user and issues requests for administrative functionality that is dangerous in nature.
In the average-case scenario, users lose control of their accounts and of who is performing authorized functionality on their behalf.
Business Impact: Improper session handling results in an adversary that can impersonate another user and perform business functionality on their behalf. This may result in:
- Information Theft; or
- Business Interruption.
Are you vulnerable to OWASP Improper Session Handling?
Improper Session Handling typically results in the same outcomes as poor authentication. Once a user is authenticated and given a session, that session grants access to the mobile application. Mobile app code must therefore protect user sessions just as carefully as its authentication mechanism.
Here are some examples of improper usage:
1. Failure to Invalidate Sessions on the Backend
Many developers invalidate sessions on the mobile app and not on the server side, leaving a major window of opportunity for attackers who are using HTTP manipulation tools. Ensure that all session invalidation events are executed on the server side and not just on the mobile app.
2. Insecure Token Creation
In addition to properly invalidating tokens (on the server side) during key application events, it is also crucial that the tokens themselves are generated properly. Just as with encryption algorithms, developers should use well-established, industry-standard methods of creating tokens. Tokens should be sufficiently long, complex, and pseudo-random so as to be resistant to guessing and prediction attacks.
3. Lack of Adequate Timeout Protection
Any mobile app you create must have adequate timeout protection on the backend components. This limits the window in which an unauthorized user could gain access to an existing session and assume the role of that user.
Good timeout periods vary widely according to the sensitivity of the app, one's own risk profile, etc., but some good guidelines are:
- 15 minutes for high security applications
- 30 minutes for medium security applications
- 1 hour for low security applications
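The three practices above (server-side invalidation, unpredictable token creation, and tiered idle timeouts) come together in a small backend session store. The following is an added example written for this article, not code from OWASP or from any real product; the class and function names are this example's own, the timeout tiers are the guidelines listed above, and the clock is injectable so the timeout behaviour can be exercised deterministically.

```python
# Added example (not from the original article): a minimal server-side session
# store that applies the three rules discussed above. All names are this
# example's own assumptions; the timeout tiers follow the article's guidelines.
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Idle-timeout guidelines from the article, in seconds, keyed by sensitivity tier.
IDLE_TIMEOUTS = {"high": 15 * 60, "medium": 30 * 60, "low": 60 * 60}


def weak_token(user_id: str, counter: int) -> str:
    """Insecure token creation, shown only for contrast: it is built from values
    that are easy to observe or enumerate, so every token is predictable."""
    return f"{user_id}-{counter}"


def strong_token() -> str:
    """Secure token creation: 32 bytes from the OS CSPRNG, URL-safe encoded."""
    return secrets.token_urlsafe(32)


@dataclass
class Session:
    user_id: str
    role: str
    tier: str          # one of the IDLE_TIMEOUTS keys
    last_seen: float   # time of the last successfully validated request
    revoked: bool = False


class SessionStore:
    """Server-side session registry. The mobile app only ever holds the opaque
    token; whether that token is still valid is decided here, never on the device."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._sessions: Dict[str, Session] = {}
        self._clock = clock

    def create(self, user_id: str, role: str, tier: str) -> str:
        """Issue a fresh session after the backend has authenticated the user."""
        token = strong_token()
        self._sessions[token] = Session(user_id, role, tier, self._clock())
        return token

    def validate(self, token: str) -> Optional[Session]:
        """Return the live session for token, or None if it is unknown, revoked,
        or idle longer than its tier's timeout. A successful check refreshes last_seen."""
        sess = self._sessions.get(token)
        if sess is None or sess.revoked:
            return None
        now = self._clock()
        if now - sess.last_seen > IDLE_TIMEOUTS[sess.tier]:
            # Drop expired sessions so a later replay of the token cannot revive them.
            del self._sessions[token]
            return None
        sess.last_seen = now
        return sess

    def invalidate(self, token: str) -> bool:
        """Logout handled on the server: the token stops working even if the
        mobile app never deletes its local copy."""
        sess = self._sessions.get(token)
        if sess is None:
            return False
        sess.revoked = True
        return True

    def invalidate_all_for_user(self, user_id: str) -> int:
        """Revoke every live session of a user (e.g. after a password change or a
        reported lost device). Returns the number of sessions revoked."""
        count = 0
        for sess in self._sessions.values():
            if sess.user_id == user_id and not sess.revoked:
                sess.revoked = True
                count += 1
        return count


def demo() -> dict:
    """Walk through login, use, idle timeout and server-side logout with a fake clock."""
    clock = [1_000_000.0]
    store = SessionStore(clock=lambda: clock[0])
    out = {}
    token = store.create("alice", "user", "high")
    out["fresh_ok"] = store.validate(token) is not None
    clock[0] += 14 * 60                      # still inside the 15-minute window
    out["active_ok"] = store.validate(token) is not None
    clock[0] += 16 * 60                      # 16 minutes idle since the refresh
    out["idle_expired"] = store.validate(token) is None
    t1 = store.create("alice", "user", "medium")
    t2 = store.create("alice", "user", "medium")
    out["logout_server_side"] = store.invalidate(t1) and store.validate(t1) is None
    out["other_session_still_live"] = store.validate(t2) is not None
    out["revoked_all"] = store.invalidate_all_for_user("alice")   # only t2 was live
    out["after_revoke_all"] = store.validate(t2) is None
    out["unknown_token_rejected"] = store.validate("not-a-real-token") is None
    return out


if __name__ == "__main__":
    print(demo())
```

The point of `invalidate` and `invalidate_all_for_user` living on the server is that a logout, password change or lost-device report takes effect regardless of what the app does with its local copy of the token; the point of `validate` deleting expired entries is that an old token captured from a device cannot be replayed after the idle window has passed.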
How to prevent an Improper Session Handling attack?
To handle sessions properly, ensure that mobile app code creates, maintains, and destroys session tokens properly over the life-cycle of a user's mobile app session. The guidance given above will go a long way toward this.
Improper Session Handling is an issue that has actually moved down in the OWASP rating. It used to be among the top five threats around 2012. Obviously, this means most people have started taking care of it. But even now many developers make simple mistakes or do things intentionally.