![Page 1: Top 10 security risks for mobile backend developers](https://reader035.vdocument.in/reader035/viewer/2022070509/58a472c61a28aba34c8b573f/html5/thumbnails/1.jpg)
Top 10 Security Risks for Mobile Backend Developers
22.8.2016 Jiří Danihelka
1. SQL Injection
Recommendations: Use a database library that builds parameterised queries for you (e.g. Entity Framework with LINQ). It is immune only as long as you let it build the query: raw SQL that you concatenate yourself and hand to the library is still injectable.
Never build SQL commands by string concatenation; pass user values as parameters.
Do not rely on escaping or character encoding alone. It is easy to miss a case (comments, numeric contexts, second-order injection), while parameters remove the problem entirely.
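The same lookup written the vulnerable way and the fixed ways, as an added example that is not part of the deck. It assumes a Users table with Id and Login columns, an open SqlConnection, and, for the Entity Framework part, an EF6 context named AppDbContext (all hypothetical names):

```csharp
using System;
using System.Data;
using System.Data.Entity;        // EntityFramework 6 package (hypothetical context below)
using System.Data.SqlClient;
using System.Linq;

public class User
{
    public int Id { get; set; }
    public string Login { get; set; }
}

public class AppDbContext : DbContext
{
    public DbSet<User> Users { get; set; }
}

public static class UserLookup
{
    // VULNERABLE: the user-supplied login becomes part of the SQL text.
    // login = "' OR 1=1 --" yields   ... WHERE Login = '' OR 1=1 --'
    // and returns every row. Escaping quotes by hand does not close the hole
    // (comments, numeric contexts, second-order use of stored values).
    public static string VulnerableQueryText(string login)
    {
        return "SELECT Id, Login FROM Users WHERE Login = '" + login + "'";
    }

    // FIXED: the value travels as a typed parameter; the SQL text never changes.
    public static DataTable FindByLogin(SqlConnection conn, string login)
    {
        using (var cmd = new SqlCommand(
            "SELECT Id, Login FROM Users WHERE Login = @login", conn))
        {
            cmd.Parameters.Add("@login", SqlDbType.NVarChar, 256).Value = login;
            var table = new DataTable();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                table.Load(reader);
            }
            return table;
        }
    }

    // FIXED: Entity Framework turns the LINQ expression into a parameterised query.
    public static User FindByLoginEf(AppDbContext db, string login)
    {
        return db.Users.SingleOrDefault(u => u.Login == login);
    }

    // STILL VULNERABLE: EF does not protect raw SQL that you concatenate yourself.
    public static User RawSqlVulnerable(AppDbContext db, string login)
    {
        return db.Database.SqlQuery<User>(
            "SELECT Id, Login FROM Users WHERE Login = '" + login + "'").FirstOrDefault();
    }

    // FIXED: raw SQL with a placeholder; EF binds {0} as a parameter.
    public static User RawSqlSafe(AppDbContext db, string login)
    {
        return db.Database.SqlQuery<User>(
            "SELECT Id, Login FROM Users WHERE Login = {0}", login).FirstOrDefault();
    }
}
```

The practical check during code review is to search for `SqlQuery(`, `ExecuteSqlCommand(` and `new SqlCommand(` and confirm that every SQL string passed to them is a literal or a constant, never the result of concatenation or string.Format with request data.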
2. Cross Site Scripting and JavaScript Injection
Recommendations: Always HTML-encode user strings before putting them into the page. Razor views in ASP.NET do this automatically for @expression output; @Html.Raw(...) and similar helpers bypass the encoding, so every use of them must be reviewed.
Treat all request data (GET and POST parameters, cookies, headers, and values read back from your own database) as user input.
Encoding is context-specific: a string that is safe in HTML text is not automatically safe inside a JavaScript block, an attribute or a URL. Use the encoder for the context (e.g. HttpUtility.JavaScriptStringEncode for script).
Rejecting '<' and '>' in user inputs is a useful extra layer, not a replacement for output encoding. (Administrators that create content may be an exception.)
Users should not write HTML markup; give them a different markup, e.g. BB Code, that you translate to HTML after encoding. (Administrators that create content may be an exception.)
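A BB Code translator that follows the encode-first rule, as an added example that is not part of the deck. The supported tag set ([b], [i], [url=...]) is an assumption; the point is the order of operations: the user text is HTML-encoded before any of our own tags are added, so the only markup in the output is markup we wrote.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

public static class UserMarkup
{
    static readonly RegexOptions Opts = RegexOptions.Singleline | RegexOptions.IgnoreCase;

    public static string BbCodeToHtml(string userText)
    {
        if (string.IsNullOrEmpty(userText)) return string.Empty;

        // 1. Encode first. After this line the text cannot contain a raw < > " & or '.
        string html = WebUtility.HtmlEncode(userText);

        // 2. Add markup that we control; [b] and [i] only wrap already-encoded text.
        html = Regex.Replace(html, @"\[b\](.*?)\[/b\]", "<strong>$1</strong>", Opts);
        html = Regex.Replace(html, @"\[i\](.*?)\[/i\]", "<em>$1</em>", Opts);

        // 3. Links: absolute http(s) URLs only, so "javascript:" never matches.
        //    A quote inside the URL was encoded in step 1 and cannot end the attribute.
        html = Regex.Replace(html,
            @"\[url=(https?://[^\s\[\]<>""']+)\](.*?)\[/url\]",
            "<a href=\"$1\" rel=\"nofollow noopener\">$2</a>", Opts);

        return html;
    }
}

// Constructed input:  <script>alert(1)</script> [b]hi[/b] [url=javascript:alert(1)]x[/url]
// The script tag is emitted as entities, [b] becomes <strong>, and the
// javascript: link stays literal text because it fails the https?:// requirement.
```

In a Razor view this string is the one legitimate use of the raw helper, because the encoding has already happened: `@Html.Raw(UserMarkup.BbCodeToHtml(Model.Comment))`. Passing it through `@` instead would double-encode it and show the tags as text, which is the safe failure mode.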
3. Broken Authentication and Session Management
Recommendations: Do not put the session or authentication token into the URL; put it into a cookie marked HttpOnly and Secure.
Users with disabled cookies should not get a cookieless fallback that moves the token into the URL; sites that need authentication should simply require cookies.
Passwords and session tokens end up in insecure places when they travel in the URL or are dumped into logs: URL parameters, application and proxy logs, browser history, the Referer header sent to third parties, and URLs shared on social networks.
Example of a log line that leaks a password (a login failure that dumps its arguments):
Log: Error function ‘LoginUser’ failed – the arguments were Login=‘John’, Password=‘helllo’
Log the user name and the reason for the failure, never the password or the token.
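The web.config settings that keep the ASP.NET forms-authentication ticket and session id out of the URL, as an added example that is not part of the deck. The login path and timeout values are assumptions; the attribute names are the standard ones from system.web:

```xml
<configuration>
  <system.web>
    <!-- Keep the forms-auth ticket in a cookie. "UseUri" or "AutoDetect" would put the
         ticket into the URL for clients without cookies, which is exactly the leak above. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login"
             cookieless="UseCookies"
             requireSSL="true"
             timeout="20"
             slidingExpiration="true" />
    </authentication>

    <!-- Same rule for the ASP.NET session id. -->
    <sessionState cookieless="UseCookies" timeout="20" />

    <!-- All cookies: not readable by script (HttpOnly), sent only over HTTPS (Secure). -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

With `cookieless="UseCookies"` a browser that refuses cookies cannot log in at all, which is the behaviour the slide asks for; with the default `UseDeviceProfile` the framework decides per client and may fall back to the URL.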
4. Insecure Direct Object References
Recommendations: Always check that the current user is allowed to access the specific object a request names, on every request. Just hiding the unavailable options in the UI is not secure enough: the id is in the URL and the next id is one increment away.
Optionally use ids for your objects that are hard to guess and iterate, e.g. GUID values. This only slows down enumeration; it does not replace the permission check, because ids leak through e-mails, links and logs.
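The ownership check expressed as part of the query, as an added example that is not part of the deck. Invoice, IInvoiceStore and the claim used to find the caller's id are hypothetical; the design point is that the lookup is scoped to the caller, so "does not exist" and "belongs to someone else" produce the same response and nothing can be enumerated:

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Web.Mvc;

public class Invoice
{
    public Guid Id { get; set; }
    public Guid OwnerId { get; set; }
    public decimal Amount { get; set; }
}

public interface IInvoiceStore
{
    IQueryable<Invoice> Invoices { get; }
}

[Authorize]
public class InvoicesController : Controller
{
    private readonly IInvoiceStore store;

    public InvoicesController(IInvoiceStore store)
    {
        this.store = store;
    }

    // VULNERABLE: any logged-in user who learns an id can read that invoice.
    // Using a GUID instead of an integer makes guessing harder but changes
    // nothing once the id has leaked through an e-mail or a shared link.
    public ActionResult DetailsInsecure(Guid id)
    {
        Invoice invoice = store.Invoices.SingleOrDefault(i => i.Id == id);
        if (invoice == null) return HttpNotFound();
        return View(invoice);
    }

    // FIXED: the caller's identity is part of the lookup itself.
    public ActionResult Details(Guid id)
    {
        Guid me = CurrentUserId();
        Invoice invoice = store.Invoices
            .SingleOrDefault(i => i.Id == id && i.OwnerId == me);

        // Same answer whether the invoice is missing or is someone else's:
        // the response must not reveal that a foreign id is valid.
        if (invoice == null) return HttpNotFound();
        return View(invoice);
    }

    // Assumes the user's id is carried in the NameIdentifier claim (hypothetical).
    private Guid CurrentUserId()
    {
        var identity = (ClaimsIdentity)User.Identity;
        return Guid.Parse(identity.FindFirst(ClaimTypes.NameIdentifier).Value);
    }
}
```

The same pattern applies to update and delete actions: filter by owner in the query, never fetch by id and then compare in a separate step that a later refactor can drop.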
5. Cross Site Request Forgery
Recommendations: Either use the ASP.NET anti-forgery tokens for forms (@Html.AntiForgeryToken() inside the form and [ValidateAntiForgeryToken] on the action) ...
... or check the request origin (the Origin header, falling back to Referer) against a whitelist of legitimate domains, and reject state-changing requests that carry neither header.
Either way, do not change state in GET handlers: a GET cannot carry a token and is trivially forged with an <img> tag.
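The origin-check alternative as an MVC authorization filter, added here as an example that is not part of the deck. The allowed-origin list is hypothetical. The built-in route remains @Html.AntiForgeryToken() plus [ValidateAntiForgeryToken]; this filter is the header-based check the slide describes, with the decisions about safe methods and missing headers made explicit:

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

public static class OriginPolicy
{
    // Hypothetical list of sites that are allowed to submit state-changing requests.
    static readonly HashSet<string> Allowed =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "https://app.example.com",
            "https://admin.example.com",
        };

    // method: HTTP verb; origin / referer: raw header values, or null when absent.
    public static bool IsAllowed(string method, string origin, string referer)
    {
        // Safe methods must not change state, so a cross-site GET is not a CSRF
        // concern here. That only holds if no GET handler ever mutates anything.
        if (method == "GET" || method == "HEAD" || method == "OPTIONS") return true;

        // Browsers send Origin on POST; older clients only send Referer.
        string source = origin ?? OriginOf(referer);

        // Neither header present: fail closed. A privacy extension that strips
        // both will break those users' POSTs; that is the cost of this approach.
        if (source == null) return false;

        // The literal value "null" (sandboxed iframe, file://) is never on the list.
        return Allowed.Contains(source);
    }

    // Reduce a Referer URL to scheme://host[:port] so it compares like an Origin.
    static string OriginOf(string url)
    {
        Uri u;
        if (string.IsNullOrEmpty(url) || !Uri.TryCreate(url, UriKind.Absolute, out u))
            return null;
        return u.GetLeftPart(UriPartial.Authority);
    }
}

// Apply to an action, a controller, or globally with
// GlobalFilters.Filters.Add(new CheckOriginAttribute()).
public class CheckOriginAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        HttpRequestBase req = filterContext.HttpContext.Request;
        bool ok = OriginPolicy.IsAllowed(req.HttpMethod,
                                         req.Headers["Origin"],
                                         req.Headers["Referer"]);
        if (!ok)
        {
            filterContext.Result = new HttpStatusCodeResult(403, "Cross-site request rejected");
        }
    }
}
```

Compare origins as whole values (scheme, host and port), never with EndsWith or Contains: "https://app.example.com.attacker.example" ends with the allowed host name and would pass a substring test.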
6. Security Misconfiguration
Recommendations: This topic is very broad and it is hard to give a general recommendation.
Check your website configuration carefully. Pay attention to settings related to security (e.g. session timeout, cookie flags, custom errors turned on and debug compilation turned off in production).
Change default passwords.
Do not store production credentials in the repository.
Use different credentials in the Dev and Live environments.
7. Insecure Cryptographic Storage
Recommendations: Never store passwords in plaintext, and do not store them encrypted either: a key the application holds can be stolen together with the database. Store a one-way hash instead.
Use a slow, salted password hash (PBKDF2, bcrypt or scrypt), not a bare MD5 or SHA-1, so that brute force stays expensive even with the database in hand.
Use policies for password length (and, less importantly, complexity) to mitigate brute-force attacks.
Salt every hash with a fresh random value to avoid rainbow-table attacks and so that two users with the same password do not share a hash.
Sensitive data that must be read back (credit card numbers, bank account details, any other sensitive data) cannot be hashed; encrypt it with a key kept outside the database, or better, do not store it at all and keep only the payment provider's token.
Hashing and encryption are an additional level of protection for when the database leaks; they do not replace access control.
8. Failure to Restrict URL Access
Recommendations: Always check the user's permission on the server when a restricted page or action is requested, preferably with a deny-by-default rule so that a page you forget to mark is protected rather than exposed.
Do not just hide links to the pages; the user can manually type the path, and so can a crawler.
9. Insufficient Transport Layer Protection
Recommendations: Use HTTPS for the login page and for every page after it: the session cookie travels with each request and grants the same access as the password. Mark cookies Secure so the browser never sends them over plain HTTP.
Do not combine secure and insecure content on a single page (e.g. plain-HTTP scripts or iframes on an HTTPS page); whoever can tamper with the insecure part controls the whole page.
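One place that enforces both slide 8 (restrict URL access) and slide 9 (transport protection) for every request: the global MVC filter list. Added here as an example that is not part of the deck; the controller and role names are hypothetical, the attribute types are the standard ones from System.Web.Mvc:

```csharp
using System.Web;
using System.Web.Mvc;

public class FilterConfig
{
    // Called from Global.asax: FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        // Deny by default: every action requires a logged-in user unless it
        // opts out with [AllowAnonymous]. A forgotten attribute now fails safe.
        filters.Add(new AuthorizeAttribute());

        // Every request must be HTTPS, not only the login page. GET over http is
        // redirected to https; other verbs over http are rejected.
        filters.Add(new RequireHttpsAttribute());

        filters.Add(new HstsAttribute());
    }
}

// Tells the browser to stop trying plain HTTP for this host for a year.
// Only sent on HTTPS responses, as the header spec requires.
public class HstsAttribute : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        if (filterContext.HttpContext.Request.IsSecureConnection)
        {
            HttpResponseBase response = filterContext.HttpContext.Response;
            response.AppendHeader("Strict-Transport-Security",
                                  "max-age=31536000; includeSubDomains");
        }
        base.OnResultExecuting(filterContext);
    }
}

// Public pages opt out explicitly, so the decision is visible in code review.
[AllowAnonymous]
public class AccountController : Controller
{
    public ActionResult Login()
    {
        return View();
    }
}

// Typing /Admin/Users by hand gets a 401 or 403 unless the user has the role,
// whether or not any page links there.
[Authorize(Roles = "Admin")]
public class AdminController : Controller
{
    public ActionResult Users()
    {
        return View();
    }
}
```

The deny-by-default filter turns the review question from "did we remember to protect this page?" into "why is this page anonymous?", which is a much shorter list to audit.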
10. Unvalidated Redirects and Forwards
Recommendations: When you embed a 3rd-party object in your page (e.g. a YouTube video) based on a URL parameter, check it against a whitelist first: exact host match, https only, and ideally rebuild the URL from the one value you actually need (the video id) instead of passing the parameter through.
Use the same whitelist when your page redirects or forwards to a 3rd-party page based on a URL parameter (e.g. the returnUrl after login). Prefer allowing only local paths, and reject the "//host" and "/\host" forms, which browsers treat as absolute URLs.
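Redirect and embed validation with the edge cases spelled out, as an added example that is not part of the deck. The host list and the YouTube embed URL format are illustrative assumptions; the checks show what a naive "contains youtube.com" or "starts with /" test gets wrong:

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;

public static class SafeUrl
{
    // Hypothetical whitelist of external hosts we are willing to send users to.
    static readonly string[] AllowedHosts = { "www.youtube.com", "youtube.com", "youtu.be" };

    // Shape of a YouTube video id (assumption for this example).
    static readonly Regex VideoId = new Regex("^[A-Za-z0-9_-]{11}$");

    // A redirect target that stays on this site: a path with exactly one leading slash.
    // "//evil.example" and "/\evil.example" are treated as absolute by browsers.
    // MVC's Url.IsLocalUrl() applies the same rule if you prefer the built-in.
    public static bool IsLocalPath(string url)
    {
        if (string.IsNullOrEmpty(url) || url.Length > 2048) return false;
        if (url[0] != '/') return false;
        if (url.Length > 1 && (url[1] == '/' || url[1] == '\\')) return false;
        return true;
    }

    // An external target: https, no credentials in the URL, exact host match.
    public static bool IsAllowedExternal(string url)
    {
        Uri u;
        if (!Uri.TryCreate(url, UriKind.Absolute, out u)) return false;
        if (u.Scheme != Uri.UriSchemeHttps) return false;

        // "https://youtube.com@evil.example/" parses with Host = evil.example and
        // UserInfo = youtube.com; reject anything with userinfo outright.
        if (!string.IsNullOrEmpty(u.UserInfo)) return false;

        // Exact match, never EndsWith: "youtube.com.evil.example" ends with "youtube.com".
        return AllowedHosts.Contains(u.Host, StringComparer.OrdinalIgnoreCase);
    }

    // Where to send the user after login: the requested page if it is safe, else home.
    public static string RedirectTarget(string returnUrl)
    {
        if (IsLocalPath(returnUrl) || IsAllowedExternal(returnUrl)) return returnUrl;
        return "/";
    }

    // Embedding: do not pass the caller's URL through at all. Take the one value
    // you need, validate its shape, and build the src yourself.
    public static string YouTubeEmbedSrc(string videoId)
    {
        if (videoId == null || !VideoId.IsMatch(videoId))
        {
            throw new ArgumentException("not a video id", "videoId");
        }
        return "https://www.youtube.com/embed/" + videoId;
    }
}
```

With these rules "/Account/Profile" is accepted as a local target, while "//evil.example/", "https://youtube.com.evil.example/" and "https://www.youtube.com@evil.example/" all fall through to the home page. Using the returnUrl only on the server side (Redirect(SafeUrl.RedirectTarget(returnUrl))) keeps the same check in one place for every login flow.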
Security Checklist
Security Recommendations Checklist