When building apps, security should always be a consideration since attackers will take advantage of any flaw to attack our systems.
In this article, we’ll look at some common security issues that we all have to consider when building our apps.
Code Injection
We should always consider this attack when building any systems and takes steps to prevent them.
A code injection attack is where attackers can run malicious code with our app by inputting their own code into our systems and run them through flaws within our app.
There’re many kinds of these attacks, including cross-site scripting, SQL injection and more.
Anywhere code can be run on the fly in our app, these attacks can happen. For instance, in JavaScript, there’s the eval
function to run any code from a string.
If we let users add anything and run them with eval
, then anyone can run anything in our app. This means that attackers can use to run anything to attack our systems.
Likewise, SQL injection attacks are ones that let attackers run SQL code to steal information or do other malicious things to them like corrupt them or delete them.
They work the same way. Our app lets users enter SQL commands and run them by passing them straight through to our back end app without any sanitization.
In either case, we can prevent this by doing some sanitization of our data to make sure that users can’t enter scripts and run time directly in our system.
Flaws With Authentication
Authentication can come with many flaws. When we create our own authentication system, we may be inadvertently exposing secret keys and passwords to other users.
To make our authentication systems more secure, we can add features like two-factor authentication to prevent brute-force password guessing attacks either directly or with something like rainbow tables.
Rainbow tables are pre-computed tables or reversing cryptographic hash functions by cracking password hashes.
Also, we can implement weak password checks when we let users set passwords so that we can prevent weak passwords from being entered into our systems.
Exposing Sensitive Data
We should be careful not to display sensitive data to users that aren’t supposed to see them.
Many systems have many kinds of users and we should make sure that only the right users see the right things.
This is something that we have to check with our tests, but we can automate them so that we don’t have to check all of them ourselves.
Displaying the wrong data to the wrong kinds of users can have bad consequences.
For instance, if someone sees that their compensation is lower than their colleagues, then the person that saw it will be mad.
Not only we have to worry about displaying data wrong users, but we also have to worry about other kinds of attacks that may expose information through social engineering like phishing attacks.
We have to be sure that we take measures against those by making sure that we alert our users to those issues.
Also, exposing data to clear text is also a problem. We should make sure we don’t have any secrets exposed as clear text.
Broken Authorization
Authorization is the privileges that users can have. We don’t want to mess this up by letting users do more than they supposed to.
This means that we have to check that users can do something and also can’t do something.
Fortunately, we can also automate that with end-to-end tests so that we don’t have to test each test case ourselves.
This way, we don’t have to think about every case. We just let the automated test do the testing for us.
We should restrict people by default so that we don’t give them too many privileges. Giving them too much power when they shouldn’t have it is a big risk that none of us want to bear.
Conclusion
Code injection is something that we want to prevent attackers from doing. We definitely don’t want to let users do whatever they want by secreting running their malicious code on our systems.
Also, we shouldn’t let users enter a weak password, and we may want to consider 2-factor authentication for extra security,
Finally, we should be careful with exposing data and giving extra privileges to users.